UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

  • Network Security: Vulnerability Scanner

    Implement a means whereby from the ASG you can scan networks for vulnerabilities.

    326 votes  ·  10 comments  ·  Network Protection
  • Network Security: Automatic UPnP Support

    Adding NAT rules automatically through the UPnP service would also be great for home users and probably some other small companies.

    268 votes  ·  29 comments  ·  Network Protection
  • Network Security: Create firewall rule(s) directly from Live Log

    In order to make fine tuning of our product's packet filter configuration easier, we should add a way to create packet filter rules with a small wizard, so that if I see any packet that I want to explicitly drop or allow, I can start a mini-wizard that helps to create a matching packet filter rule by either selecting existing definition objects or offering an easy way to create new definition objects, which later then get used in the pf rule.

    187 votes  ·  2 comments  ·  Network Protection
  • Network Security: Firewall Rule "Hit" Counters

    Display the number of packets that match each rule in the table, so you can locate unnecessary packet filter rules. You should be able to reset the hit counter(s) as needed, along with a tooltip to show the time(s) of the previous few hits.

    185 votes  ·  8 comments  ·  Network Protection
  • Network Security: Block Malicious/Botnet/Bad IPs using Blacklist "Service"

    It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DShield or Project Honey Pot.

    154 votes  ·  21 comments  ·  Network Protection
  • Network Security: Services Support for Country Blocking

    The country blocking is a very good idea.
    We get a lot of intrusions from China to our terminal server. The best extension would be if we could limit it to services like RDP and VNC.

    152 votes  ·  13 comments  ·  Network Protection
  • Network Security: Drag'n'Drop sort of packet filter rules

    Improve the GUI to support a drag'n'drop sort of the packet filter ruleset, and potentially other sortable list elements as well.

    127 votes  ·  0 comments  ·  Network Protection
  • IPS: Creation of Custom Rules (Snort)

    The possibility to add our own Snort rules would be great!
    Customers can add their special rules for their special needs,
    so we could be more flexible and more secure.

    The AxG can check the custom rules via a new Snort instance; if everything is fine, add them to the ruleset.

    99 votes  ·  7 comments  ·  Network Protection
  • IPS: Per-Rule IPS Exceptions

    Extend the exceptions functionality to allow for specific rules as part of an exception.

    This will allow for much more granular IPS exceptions, being able to specify that a rule be disabled/excepted only for a certain traffic flow, like rule 2122 from Internet to Webserver, without disabling the rule globally or exempting the resource from IPS fully.

    77 votes  ·  13 comments  ·  Network Protection
  • Network Security: Logical "NOT" Support for Packet Filter, DNAT, etc.

    It would easily save a lot of work if we had the possibility to make a mass rule with "NOT" operators, like accepting all traffic for all directions EXCEPT for some host or network, etc.

    Like ACCEPT ANY ANY !Host"A"

    63 votes  ·  7 comments  ·  Network Protection
  • Network Protection: Use Suricata for IPS

    I think it could be worth a look, unless Snort comes up with a multithreaded version.
    http://www.openinfosecfoundation.org/
    http://suricata-ids.org/

    48 votes  ·  4 comments  ·  Network Protection
  • Network Protection: Bind VoIP Proxy to Interface

    It would be useful if the VoIP proxy could be assigned to a particular interface. If I have an internal VoIP server, it may not be on the same address as my default gateway, so it would be useful to assign another gateway interface instead of using policy-based routing.

    45 votes  ·  0 comments  ·  Network Protection
  • Definitions: Create objects based on "AS whois" record

    It would be nice to have the ability to define network definitions by whois AS number.
    E.g., you could make a definition for all the Telenet public subnets by adding a definition Telenet-subnet with a parameter AS 6848.
    The AS number database is rebuilt on a daily basis, and could be synced just like the spam, antivirus and content filter databases are synced or updated.

    44 votes  ·  4 comments  ·  Network Protection
  • 41 votes  ·  7 comments  ·  Network Protection
  • Network Protection: Fallback to previous IPS pattern version

    Engine fallback to the previous file in case of a determined engine error or bad update.

    41 votes  ·  3 comments  ·  Network Protection
  • Networking: Masquerading (NAT) Balancing Across All Public IPs

    Use all available public addresses on the WAN interface, even though the HTTP proxy is turned on. The reason for this feature is to keep users working, even if the primary WAN IP address is offline.

    39 votes  ·  5 comments  ·  Network Protection
  • Network Protection: Create firewall rules to automatically "blacklist" an "attacker"

    I'd like to turn on 'reactive rules' to start dropping all traffic from source IPs that trip a threshold of IPS or PF rules.

    Say someone is scanning your website for IIS vulnerabilities and trips 20 IPS rules in 1 minute (administrator-defined parameters); then the UTM would create a rule at the top to block all traffic to and from the attacking source IP.

    Bonus points for letting the rule dissolve after N hours, as well as being able to turn this rule on for specific interfaces or subnets. You could link it to the geo-location system so that…

    36 votes  ·  6 comments  ·  Network Protection
  • Network Security: Support for ARP Handler Inspection (arpon)

    arpon should be added to UTM. You would need to add the ability to process the arpon.log file intelligently and escalate to the administrator accordingly.

    http://arpon.sourceforge.net/

    arpon would be useful in situations where users add unauthorized equipment to the network, or ARP poisoning/spoofing is taking place.

    34 votes  ·  1 comment  ·  Network Protection
  • Expose "Corporate Policy Violation" IPS rules via the Attack Pattern groups

    Currently, there are many IPS rules in 9.x that do not seem to be exposed via the Attack Patterns page.

    Many of them have the following in their descriptions:
    "Classification.: Potential Corporate Privacy Violation"

    These include rules which block SKYPE, BitTorrent, etc.

    ISTM that it doesn't make sense to have these hidden away, or even to have them at all, since we already have the Application Detection system.

    Links:
    http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/43598-pua-p2p-bittorrent-utp-peer-request-2.html#post215116

    http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/47541-ips-bittorrent-rules-id-disable.html

    https://www.google.com/search?q=corporate+policy+violation+site%3Aastaro.org+ips+OR+snort

    Please put these (and other hidden rules) into groups on the Attack Patterns page, and/or remove ones which are redundant with the application traffic classifier.

    33 votes  ·  2 comments  ·  Network Protection
  • Increase Attack Patterns selections in IPS settings

    ISTM that the IPS rulesets keep getting larger and larger, at the expense of IPS throughput.

    Examples:

    1. I would like to be able to disable 'out-of-date' rules, e.g.:
       a. If I don't have anyone using Windows XP or 2000, I should be able to disable those rule(set)s.
       b. Same for old browser versions.

    The easiest interface for this might be to set a "Minimum patch level/date"; e.g., ask the user what the OLDEST patched system on the network is.
    Perhaps ask this for each ruleset/pattern group.

    I'm guessing MOST of the 1000s of rules would not be applicable if…

    32 votes  ·  2 comments  ·  Network Protection