Do you recognize a good idea when you see one? We want to hear from you!
Header Image

UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. More flexible data protection rules

    The current email data protection rule for UK addresses is configured to reject files with 100 postcodes/addresses, can this figure be made configurable

    1 vote
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
    • In what way can I go back to the last Version after a firmware update? ?

      Good Software has it:
      Posibility to go back to the last Version after a firmware update.
      Thank You

      1 vote
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        0 comments  ·  Operating System  ·  Flag idea as inappropriate…  ·  Admin →
      • Static IP-Configuration for Access-Points

        For better IP-Management it would nice to have the option to configure the Access-Points with static IPs and the ability to restart them remotely.

        1 vote
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
        • utm public IP feature when having two or more subnets

          Customer want to do like this:

          subnet A e.g. 192.168.1.x is going out using the public IP a.b.c.1
          subnet B e.g. 192.168.2.x is going out using the public IP x.y.z.2

          1 vote
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            0 comments  ·  Networking  ·  Flag idea as inappropriate…  ·  Admin →
          • Additional fields in syslog messages - allow correlation with other logs

            For "reverseproxy" syslog messages, please include enough details to uniquely match the UTM's logs with other device logs (upstream firewalls, netflow, real webserver logs, etc).

            The current log doesn't include the local IP and port used by the UTM to make the request of the real web server and it doesn't record the source port used by the true client. This makes it hard to differentiate multiple requests coming from a single NAT IP address

            The resulting log would look like this:

            srcip='1.2.3.4' # existing
            srcport # add this to record the source port used by true client
            localip='9.8.7.6' #…

            2 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              1 comment  ·  Logging  ·  Flag idea as inappropriate…  ·  Admin →
            • Give control over Spooled/Waiting emails

              We recently had this situation where due to bad deployment in one of the production website in our environment there were about 300,000 emails stuck in Spooled queue. Now we knew out of these 300,000 about 299,000 emails were junk and we didn't want them but as probably the SMTP spooling works on FIFO mechanism we could not receive those remaining 1000 important emails until those 299,000 junk mails were processed. Sophos was running on 100% CPU all the time trying to process the emails but rate was pretty slow (about 80 emails per minute) so we had to wait…

              1 vote
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
              • Block TeamViewer

                Block TeamViewer with Sophos

                1 vote
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  0 comments  ·  Flag idea as inappropriate…  ·  Admin →
                • Add Dropcam traffic to Application Control

                  Dropcam is a WIFI camera by a company called Nest. Nest creates the Nest thermostat, and the Nest Protect smoke alarms.
                  Here is a link to what Dropcam is: https://www.dropcam.com/

                  Sophos UTM shows Dropcam traffic as "OpenVPN" using TCP 443
                  It would be helpful if we could see this traffic as Dropcam traffic

                  3 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  Application Control  ·  Flag idea as inappropriate…  ·  Admin →
                  • Advanced Mail

                    The mail manager need the functions of the barracuda spam firewall:

                    Every mail (blocked/reject/spam) goes in to the mail log space (partition on hdd). when i go in to the mail manager under smtp log, i open the blocked or rejected mails to check the content. and are they good or desired i must be able to deliver and whitlist them.

                    Advanced Mail Manager
                    - Every mail archived in the mail manager hdd space for xx days
                    - Able to open all mails to check th econtent
                    - Able to deliver and whitlist them

                    3 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                    • S/MIME certificate batch import

                      It would be nice to have an option to import S/MIME certificates with a batch job and not one by one. We have many thousands of certificates and it is very time-consuming to import them one after another.

                      4 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                      • WAF Reverse Proxy with authentication: forward session cookie to backend http server

                        When using the WAF (Web Server Protection) with authentication, a session cookie named BACKENDHOSTNAME_COOKIE is exchanged between Browser and UTM on each http request. For our application which is launched via Webstart from the web application and communicates via http we need to forward that session cookie to the external client process.

                        Therefor the session cookie should be made optionally forwardably from the UTM to the backend http server.

                        1 vote
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                        • Refresh button for DYNDNS to force update

                          There needs to be a way to force an update and refresh of the IP to the DNS vendor. There currently is no way to do this. Turning it off and back on does not do this. If for any reason the IP gets set from another location it will not update with the correct IP because the service does not see that the IP on the firewall has changed.

                          11 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            1 comment  ·  Networking  ·  Flag idea as inappropriate…  ·  Admin →
                          • Add a "bytes out" field in http.log.

                            A "bytes out" field in the http.log would help identify hosts that are sending a lot of data out of our company. This is important to know, regardless whether the data flow is intentional (e.g. malicious user) or unintentional (e.g. compromised host.)

                            3 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
                            • I would like to suggest a feature which will enable me to manually clear a "Advanced Threat Protection" alert.

                              I would like to suggest a feature which will enable me to manually clear a "Advanced Threat Protection" alert. In case of an alert I now have to wait 72 hours before the alarm will be cleared by itself.

                              1 vote
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                0 comments  ·  UTM Endpoint Protection  ·  Flag idea as inappropriate…  ·  Admin →
                              • Automatic Firewall rules should apply to internal connections (DNAT)

                                When creating a DNAT rule to publish some service (located in DMZ) it is already reachable from external if Automatic Firewall rules is checked.
                                The automatic rule reads "Any to DMZ machine" in WebAdmin but doesn't do that, because --ctorigdst <External IP> is used in rule generation.
                                So it necessary to create another manual rule "Any to DMZ machine" to publish this service to the internal network.

                                Please add an option (checkbox) to modify rule generation to leave out --ctorigdst or --ctorigsrc (which means firewall rule: "Source to Destination using Service" without other limitations).

                                1 vote
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  0 comments  ·  Networking  ·  Flag idea as inappropriate…  ·  Admin →
                                • Selectors in Masquerading Rules should be sorted alphabetically

                                  When creating a Masquerading Rule there are 2 selectors "Interface:" and "Use address:". Their content looks mixed - I suppose it's currently the order the interfaces or addresses are created or the internal structure.

                                  Especially the "Use address:" selector could be very long and the entries may look very similar.

                                  Please sort both of them alphabetically.

                                  1 vote
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    0 comments  ·  Networking  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Add a new option "type" for network definitions - AD computers

                                    Add a new option "type" for network definitions that allows for AD computers within an AD security group (much like the AD users/groups dynamic memberships). This would allow much more flexibilities on how to apply "hosts", such as when creating a Web Filter Profile, instead of adding "internal network" or a specific host/hosts, we would be able to add to "allowed networks" an Active Directory group that would consist of computers that I added into that group via Active Directory. This is specifically important, since this would allow Web Filter Profiles to differentiate between domain machines and guest machines on…

                                    1 vote
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      0 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                    • Networking: Additional Dynamic DNS Provider support: DnsMadeEasy

                                      Sophos UTM is an enterprise firewall solution, with respect for all home users out there, in the few cases where DynDNS needs to be run at a company location an enterprise class DynDNS provider is needed.

                                      I would really appriciate dynamic DNS support for the provider "DNS Made Easy" (dnsmadeeasy.com).

                                      Brgds,

                                      Anders
                                      Sophos UTM Certified Architect

                                      3 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        0 comments  ·  Networking  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Order of content filtering

                                        It would be nice if the content filter first checks the URL for availability, so if a user enters a wrong URL he gets a notification.

                                        1 vote
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                        • User-level access control policy on Endpoint Protection

                                          I would like to be able to allow flash drive access to certain users on all computers but not all users on the computers in Endpoint Protection, and there is currently no AD sync for Endpoint Protection.

                                          Reference Case # 4857461

                                          6 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            0 comments  ·  UTM Endpoint Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                          • Don't see your idea?

                                          Feedback and Knowledge Base