
UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

  1. Zero Time HA Failover for VPN and Internet

    Zero Downtime for VPN and network WAN connection in a HA setup.

    35 votes
    4 comments · HA/Clustering
    • HA Setup let slave takeover before master reboots

      We currently have a HA setup with 2 UTM320's.
      Whenever there has to be a reboot of the master device (either manually or due to an upgrade of the software) all RED connections break as well as all site-to-site connections.
      I know this happens, so I can schedule updates and reboots, but shouldn't it be possible that the slave first takes over everything from the master before the master goes down, effectively keeping any connections up?

      23 votes
      1 comment · HA/Clustering
      • Networking: Automatic Gratuitous ARP when HA changes

        When there are changes on the HA/Clustering side, there should be an option to automatically send Gratuitous ARP to a configurable router (by default this can be the default route for a given network).

        We have had a big issue with this for years: as we have a bunch of IPs registered in our active/active cluster (more than 350 IPs), when a change occurs on the HA side, more than half of our IPs are no longer accessible for hours if we don't do anything...

        So when we have an alert about this we need to run this sort of script:

        for f in…

        20 votes
        1 comment · HA/Clustering
        • Networking: HA/Clustering for Amazon Cloud

          The ability to operate a pair of UTM software appliances in a VPC, in different AWS availability zones, configured as HA/clustered pair.

          This feature is critical in providing a truly HA VPC solution. I have the need to operate a very highly available VPN endpoint for multiple healthcare providers, and this one deficiency is preventing us from moving forward with the excellent UTM software appliances.

          (Amazon has a white paper outlining how to make the default NAT instance highly available using two NAT instances and a script that detaches and reattaches the virtual interface and MAC to the standby instance.)

          18 votes
          Under Review · 2 comments · HA/Clustering
          • HA: Disable/regenerate/modify Virtual MAC address

            It would be nice to add a button in the HA section to modify to a custom value, regenerate randomly, or disable the virtual MAC address(es) of the attached NIC. It permits more flexible configuration in some cases and with some router/switch environments.

            16 votes
            0 comments · HA/Clustering
            • Clustering: Designate a Hot-Standby Unit (Raid-5 style)

              If one is concerned about up-time, it doesn't make sense to have a cluster where all units must be functional to handle the load.

              Clustering should allow the use of a Hot-Standby unit for the Cluster, for example running two 320's as active with a spare 320 (thus more affordable) in reserve. Allows for true N+1 setups without paying always for the +1!

              13 votes
              Under Review · 2 comments · HA/Clustering
              • takeover

                Give the possibility to do a manual takeover from webadmin.
                Now it is only possible with a reboot/shutdown of the master node...

                8 votes
                1 comment · HA/Clustering
                • Implement support for RSTP

                  Implement support for RSTP so third-party products that do can influence the UTM HA to switch.

                  7 votes
                  0 comments · HA/Clustering
                  • HA cluster in the Amazon cloud only possible with a 3rd network card

                    An end customer has asked us to submit the following feature request:

                    Dear Infraforce Support Team,
                    is there really no other option than a 3rd hardware adapter? Within the Amazon AWS environment this means that the VM would cost a full €0.26/hr instead of €0.06/hr. So €0.20/hr just for the HA functionality! That is not acceptable at all. The VM then costs a whole €2277.60 per year instead of €525.60, just to be able to use the HA function… And that times 2… And that doesn't even include the Sophos license fees…
                    Could you possibly submit this as a feature request to Sophos? Surely there is a way to…

                    6 votes
                    0 comments · HA/Clustering
                    • Show the unlinked interfaces in HA

                      Please show in the webadmin the unlinked interfaces of the ***** instead of only "UNLINKED". Now you have to log in to the ***** and find with ethtool which interfaces are actually unlinked.

                      6 votes
                      0 comments · HA/Clustering
                      • create configuration options in the GUI for UPS configuration

                        - the ability to select the UPS type from a drop-down.
                        - a switch to enable the UPS service (NUT, Network UPS Tools)
                        - how many minutes before shutdown begins, or an option to just leave it until the low battery warning from the UPS initiates shutdown.

                        Thanks

                        5 votes
                        0 comments · HA/Clustering
                        • HA-Management-Port

                          Would be nice to have an HA management network port to access the passive firewall by web, SSH, etc.

                          1 vote
                          2 comments · HA/Clustering
                          • Breaking HA cluster without a shutdown of the slave.

                            If the slave shuts down after breaking up the cluster, I can't reach it anymore because the unit is in a datacenter. Even console access isn't possible.
                            So do a factory reset of the slave after breaking down the cluster and then a reboot. With console access I can configure the routing and IPs again.

                            1 vote
                            1 comment · HA/Clustering
                            • Randomize deployment tasks

                              The update schedule has no settings to randomise the process. This means that all servers will be updating at exactly the same time. This will impact the Virtual Infrastructure to the point of making it unusable. This is particularly pertinent to the lower performance areas on SATA or NearLine SAS disks. If clients are checking every hour then I need to have at least an hour’s randomisation. This does not appear to exist and has resulted in us dismissing the product for further evaluation.

                              1 vote
                              2 comments · HA/Clustering
                              • Don't Keep Write Ahead Logs (WALs) in Non-clustered Installations

                                By default, the Sophos UTM (Astaro) PostgreSQL configuration is configured with High Availability (HA) settings enabled irrespective of whether a HA license is installed and/or two or more devices are installed. One of these settings, wal_keep_segments, has been set to a value of 100 ever since Sophos UTM version 9.100-16 and since each Write Ahead Log (WAL) segment is 16MB, this results in an extra 1.6GB of disk space being consumed unnecessarily. The default value for wal_keep_segments is 0 and setting it to this value before starting the PostgreSQL service prevents it from keeping any new WAL segments. I have…

                                1 vote
                                0 comments · HA/Clustering
                                • Networking: Automatically update DYNDNS after failover

                                  We have our Astaro 425 configured to fail over to a secondary internet circuit (CenturyLink) when the primary one (Time Warner) fails. Since we have over 25 different external host IP addresses that would need new IP address assignments when failed over to the new circuit we created a CURL script to update all of our DynNet DNS records. Since the CURL utility is already included in the Astaro Linux OS a simple command could be issued as follows: "curl -k -K /home/login/cl_curl_input.txt" to change our DNS records over to our CenturyLink internet public IP addresses after the CenturyLink interface…

                                  1 vote
                                  0 comments · HA/Clustering
                                  • Networking: Make bridge interfaces immune from HA link monitoring

                                    Even when "HA link monitoring" of a bridge interface is "OFF", if this interface goes link down, a takeover will occur.

                                    1 vote
                                    0 comments · HA/Clustering
                                    • When a virus is detected in memory, there is no information in SEC about process.

                                      When a virus is detected in memory, there is no information in SEC about process.

                                      In local log file there is something like
                                      Process "C:\Windows\SysWOW64\rundll32.exe" belongs to virus/spyware 'Troj/VundoMem-A'.
                                      where (in this case) complete command line is
                                      "C:\Windows\System32\rundll32.exe" "C:\Users\<USER>\AppData\Roaming\sfc_os2.dll",NRQOR

                                      When the virus is cleaned in memory there is information about the process ID:
                                      Process "C:\Windows\SysWOW64\rundll32.exe:pid:0000085c" has been cleaned

                                      With this information we located the process (we had gotten the process list before cleaning) and found the complete command line.
                                      That let us locate the sfc_os2.dll file, which Sophos doesn't detect as a virus at that moment.

                                      I suggest two items:
                                      - Log more information about process…

                                      1 vote
                                      0 comments · HA/Clustering