
UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

  1. Network Security: Per-User IP/Service Tracking

    It would be nice to see what each IP is doing in your network. Tracking the services each uses. Mainly for tracking hacking.

    9 votes
    0 comments  ·  Network Protection
    • Networking: Wildcard Hostnames for DNS Group Definitions

      Being able to specify a 'root' domain name, or pattern, as a network definition, that could then be used in a traffic selector for bandwidth shaping, would help greatly. Content delivery networks use hundreds of hostnames, but usually stick with one 'root', for example 'something.nflximg.com' or 'something.llnwd.net'. By specifying something like '*.llnwd.net' as the source, we could then limit the traffic as desired.

      57 votes
      Under Review  ·  10 comments  ·  Networking
      • Network Security: Support for ARP Handler Inspection (arpon)

        arpon should be added to UTM. You would need to add the ability to process the arpon.log file intelligently and escalate to the administrator accordingly.

        http://arpon.sourceforge.net/

        arpon would be useful in situations where users add unauthorized equipment to the network, or ARP poisoning/spoofing is taking place.

        34 votes
        1 comment  ·  Network Protection
        • Reporting: Historic change reporting

          While ASG already tracks every change made, it would be nice to have this information delivered as a summary report.
          Possibility to
          * generate reporting about system configuration changes done by different admins (i.e. creation of new groups, modification of rules, etc.)

          3 votes
          0 comments  ·  Reporting
          • Authentication: Delete UTM user-object when deleted from backend server

            When we remove a user from our LDAP Directory (namely eDirectory or ActiveDirectory) the User in UTM is untouched. It would be nice if the UTM could know about this and purge its matching user-object as well. (Or display us a report of users who are no longer seen on the backend server so we could trigger a delete periodically).

            59 votes
            6 comments  ·  Authentication
            • Reporting: Display Service Port/Details via Popup in Reports

              Hi, while looking at some usage on an Astaro box, I was looking at Logging & Reporting > Network Usage > Bandwidth Usage > Top Services.

              When you Hover over the "Service" a Popup comes up telling you the same thing as what is written as the "Service".
              It would be really handy if the Popup said the port Number instead of the service again.

              I.e. Service "SCIENTIA-SSDB": off the top of my head I don't remember what port that is, yet I have traffic on it, so I now need to do a Google search to find out what port it…

              3 votes
              2 comments  ·  Reporting
              • WebSecurity: Local Override of Site Classification

                It would be nice to have my "own" categorization of a web site.
                This is useful for when I disagree with the URL filter and want to have it the way I see it instead.
                Also, it is particularly useful for the occasional un-categorized site! It's often easier to simply categorize it myself vs. waiting for it to be accommodated by the engine.

                9 votes
                1 comment  ·  Web Protection
                • Licensing: Free Home-Use License on ASG Appliances

                  Currently it is not possible to use a hardware appliance with a home use license, meaning it is necessary to wipe the device's hard drive and reinstall from the software appliance ISO. I've never been sure of the reason for this restriction - used Astaro hardware is available from sources such as eBay and so is a viable option for home use. It would be great to be able to make full use of the additional hardware appliance features (LCD display on 220s and up, graphic of appliance port activity on dashboard) when running as a home user.

                  356 votes
                  10 comments  ·  AstaroOS
                  • Network Security: Per-Rule IPS Logging

                    The ability to turn on detailed traffic logging for certain rules is a standard, and very useful feature of many IPS/IDS systems. This way the administrator can see the traffic (preferably in standard pcap format) that made a rule fire and decide if it is a false positive or a genuine attack. It is also a feature in snort, so it should not be very difficult to implement. The pcap files should be attached to the alert emails.

                    5 votes
                    1 comment  ·  Network Protection
                    • VPN: Use "additional IPs" for Tunnels

                      We have multiple IPs from the provider, and have one as the main interface IP along with 4 others as "additional" IPs. We cannot make a VPN tunnel using the additional IPs, as only the physical interface is supported. It would be great to be able to terminate against one of the others.

                      21 votes
                      4 comments  ·  VPN
                      • AstaroOS: 3rd Party Plugin API

                        Looking for the ability to create and upload custom plugins. For example, listen for events such as a new DHCP lease and then create a new routing or packet filtering rule. Would like to see this in a scripting language that can be sandboxed, such as Groovy.

                        3 votes
                        1 comment  ·  AstaroOS
                        • Networking: Separate DHCP server for IPv6

                          I want DHCPv6 to be managed by Active Directory. This would create a situation much like many organisations today - the firewall is managed by group A (network / firewall group) and DHCP is managed by the group B (Wintel / Active Directory team).

                          Would it be possible to use RAs to provide v4 addresses to OSes that do not (currently) support DHCPv6 yet still have those machines that *do* support DHCPv6 work? Would it be possible to have them both running at the same time, using stateless autoconfiguration as a fallback in case the guest does not support DHCPv6?

                          2 votes
                          0 comments  ·  Networking
                          • Add support for Server Name Indication to the HTTPS Proxy

                            Server Name Indication (SNI) can be used to host multiple SSL sites on a single IP/Port. See http://en.wikipedia.org/wiki/Server_Name_Indication for details.
                            All the recent browsers support this feature, it would be great if the HTTPS Proxy would, too.

                            21 votes
                            2 comments  ·  Web Protection
                            • Web Security: Transparent auth mode with basic user auth.

                              Basic user authentication works great.
                              The session ends by closing the IE session (I think by removing the cookie).

                              Using transparent with auth, you have to wait x minutes (depends on your setting) to close the session. In the meantime anyone using the device can use the session by reopening an IE task (cookie is on the ASG device).

                              It is a security feature primarily for private devices without any possibility to place proxy settings in IE.

                              Closing IE => closing the session => reauthentication (user login)

                              8 votes
                              0 comments  ·  Web Protection
                              • Remote Access: SHA-2 algorithms for SSL-VPN authentication

                                There should be more options under "Remote Access > SSL > Advanced > Authentication algorithm" than "MD5" and "SHA1" as the OpenVPN backend also supports SHA2 algorithms like SHA-224, SHA-256, SHA-384, SHA-512...and they appear to be there, just not available in WebAdmin?

                                loginuser@vpn:/home/login > /var/chroot-openvpn/sbin/openvpn --show-digests
                                You can specify a message digest as parameter to
                                the --auth option.
                                MD2 128 bit digest size
                                MD5 128 bit digest size
                                RSA-MD2 128 bit digest size
                                RSA-MD5 128 bit digest size
                                SHA 160 bit digest size
                                RSA-SHA 160 bit digest size
                                SHA1 160 bit digest size
                                RSA-SHA1 160 bit digest size
                                DSA-SHA 160…

                                27 votes
                                0 comments  ·  VPN
                                • Extended change log

                                  The changelog in the main management tab is limited in its length - and is also cluttered up by logins without changes and failed logins.

                                  It would be a good thing to have a complete list of changes throughout the overall history of the ASG (on perhaps another place like "Support"->"Advanced" ) for a complete review of all changes.

                                  12 votes
                                  0 comments  ·  Management
                                  • ASG Hardware: Rear USB Ports

                                    Hi,
                                    with ASG220 rev4 the USB ports on the backside of the ASG got lost.

                                    This is not very useful, because now I have to put the UPS and KVM cables at the front.

                                    Please have 2 USB Ports on the backside again.

                                    5 votes
                                    0 comments  ·  Appliance Hardware
                                    • Networking: IPv6 DHCP Interfaces

                                      One of my ISPs has begun offering IPv6 addresses through DHCP to capable connected systems. This currently doesn't work with UTM as the Cable Modem (DHCP) interface type only supports IPv4 addressing.

                                      It would be nice if a DHCP type interface could be configured which could pull an IPv6 address.

                                      81 votes
                                      9 comments  ·  Networking
                                      • Bypass Web Proxy Authentication to Default Profile

                                        Allow users to cancel authentication when trying to visit a website. Currently there is a login form (transparent HTTP proxy with Active Directory authentication) but no cancel button. This will force all users to authenticate, but what if the site is not blocked by the default proxy profile? I know checking all profiles to see if the site is blocked prior to authentication may be too much, but what about checking the URL against the most restrictive (default template filter with base categories) then requiring authentication if the site requires a higher profile under a different proxy filter? I was…

                                        9 votes
                                        2 comments  ·  Web Protection
                                        • RED: Power over ethernet support

                                          A power switch via Ethernet would help to reset a RED.

                                          3 votes
                                          0 comments  ·  Remote Ethernet Device (RED)