I would like to allocate set bandwidth for different VLANs (departments) including voice traffic. Is it possible for us to set up a 100Mb link as follows:
VOICE traffic- 10Mb
I would like to have it set like the above, but if one VLAN requires more bandwidth and it is available on the link it should be able to grow. The limit should not be a maximum limit, so to speak.3 votes
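The behaviour asked for above (a guaranteed share per department that may grow into idle link capacity) is what a hierarchical token bucket gives you: each class has a `rate` that is guaranteed and a `ceil` up to which it may borrow. The script below is an added example, not Sophos code and not a UTM configuration; it builds a Linux `tc` HTB plan for a 100 Mbit link with voice guaranteed 10 Mbit. The interface name, the other departments, their rates, priorities and subnets are constructed sample values.

```sh
#!/bin/sh
# Added example, not Sophos code: a Linux tc HTB plan in which every
# department class gets a guaranteed rate and may borrow idle bandwidth
# up to the full link (ceil), which is the behaviour asked for above.
# Interface name, link speed, rates, priorities and subnets are constructed
# sample values.

# htb_plan DEV LINK_MBIT NAME:MINOR:RATE_MBIT:PRIO:SUBNET ...
# Prints the tc commands without running them. Fails if the guaranteed
# rates add up to more than the link, since HTB could not honour them.
htb_plan() {
    dev=$1
    link=$2
    shift 2

    total=0
    for spec in "$@"; do
        rest=${spec#*:}; rest=${rest#*:}          # drop NAME and MINOR
        rate=${rest%%:*}
        total=$((total + rate))
    done
    if [ "$total" -gt "$link" ]; then
        echo "guaranteed rates (${total}mbit) exceed the link (${link}mbit)" >&2
        return 1
    fi

    echo "tc qdisc del dev $dev root 2>/dev/null"
    # Root HTB; unclassified traffic lands in class 1:30 (the OTHER class below)
    echo "tc qdisc add dev $dev root handle 1: htb default 30"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${link}mbit ceil ${link}mbit"

    for spec in "$@"; do
        name=${spec%%:*};  rest=${spec#*:}
        minor=${rest%%:*}; rest=${rest#*:}
        rate=${rest%%:*};  rest=${rest#*:}
        prio=${rest%%:*};  subnet=${rest#*:}
        echo "# $name: guaranteed ${rate}mbit, may borrow up to ${link}mbit, prio $prio"
        # rate = guaranteed share, ceil = how far the class may grow when others are idle
        echo "tc class add dev $dev parent 1:1 classid 1:$minor htb rate ${rate}mbit ceil ${link}mbit prio $prio"
        # fair queuing inside the class so one host cannot starve its neighbours
        echo "tc qdisc add dev $dev parent 1:$minor handle $minor: sfq perturb 10"
        # classify by source subnet (one subnet per department VLAN assumed)
        echo "tc filter add dev $dev parent 1: protocol ip prio $((prio + 1)) u32 match ip src $subnet flowid 1:$minor"
    done
}

# htb_apply takes the same arguments and executes the plan; needs root.
htb_apply() {
    htb_plan "$@" | grep -v '^#' | sh
}

# Sample plan (constructed values): 100 Mbit link, voice guaranteed 10 Mbit.
htb_plan eth0 100 \
    "VOICE:10:10:0:10.0.10.0/24" \
    "SALES:20:30:1:10.0.20.0/24" \
    "OTHER:30:60:2:0.0.0.0/0"
```

With this plan voice always gets its 10 Mbit and, being prio 0, is served first when the link is contended, yet nothing stops it (or any other class) from using the whole 100 Mbit while the others are idle. The sum of the guaranteed rates must not exceed the link, which the function checks before printing anything.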
The SUM server often sends an email notification on behalf of a managed UTM with the subject: [INFO-913] Global resource level limit exceeded, but doesn't say what limit has been exceeded. It's necessary to log on to the UTM and check through the logs to determine what caused the alert. It would be good if the notification from the SUM contained some additional information to save time on identifying the cause.
Sophos UTM9 - recent release
If you open the binary files in the /var/confd/var/storage/snapshots with a normal text editor you can read clearly the sso_password and the sso_user used for the joining of the appliance to the domain.
Why must the config files contain the domain password, which is used once and no longer required?
Why is it not encrypted? Often this is a domain admin account.
Best Regards1 vote
Need a way to deploy a blocked website list from SUM without requiring a standardised filter action, because every site has different categories blocked, etc., and we can't just create a new filter action that applies to everyone with a blocked list in it.1 vote
Everyone who needs to maintain hundreds of users on a UTM, please read and vote:
To import hundreds of remote authenticated (LDAP) or local users to UTM is a pain! The only way is to hire a dozen students to hack the users into the system. Then you can "bulk-download" users' vpnconfig via webadmin. Has anyone tried to mark more than 25 users to download the config or delete the user objects? On my SG430 no chance. I think many of you know the message: "script is running for more than 30 s - it is possible we do the job if you click ten times or more on continue - but we can not promise anything ..."
Until v 9.2xx there was a hidden solution for that job. The user_maintenance tool - a perfect script to maintain the users for SSL-VPN connections. This tool was programmed by an Astaro engineer who left the company after the merger into Sophos. As I clarified with support - this script is no longer maintained and supported. (available on every UTM - try it on a test system;)
user_maintenance tool - use only on Sophos UTM 9.2xx and v9.1xx!
Invocation: user_maintenance.plx --action [create|delete|import|export|disable|enable|sslconfig|showCAs] options....
create: creates new user objects and their associated certificates
delete: irrevocably deletes the specified users and all associated objects from the local confd
export: exports all confd objects belonging to the user into the file exportfile
import: imports the objects exported on ANOTHER ASG from the file importfile into the local confd
disable: deactivates the specified users so that they can no longer log in, without deleting them
enable: activates the specified users so that login is possible again
sslconfig: creates the SSL VPN/OpenVPN configuration files
showCAs: lists the existing verification CAs
--noninteractive: non-interactive mode (no user input)
--usernamefile FILE: the usernames to which the action is to be applied are listed in file FILE
--importfile FILE: the data previously exported on another ASG is read from here for import (only for action 'import')
--exportfile FILE: the data to be exported is saved here (only for action 'export')
--target_CA REF_NAME: the certificate data to be imported is bound to this verification CA
(sorry - tool is in German - written for the needs of a German company, if I'm right. At this point sorry for my English - I know it's not the best and sometimes Google Translate is my best friend;)
In larger environments it is a must-have to automate the rollout and maintenance of users. There are workflows established for approval and deployment of the users to all necessary systems, applying rules and rights and so on. Well known as IDM (Identity Management). When I speak for our company: Sophos UTM is the only system where I have to manually add the users ...
- a scripting API (like Sophos XG? But I don't know if it is possible with this API? As I read at this time you can only log in and log off a user there?) with the functionality of the user_maintenance tool
- ability to sync users with LDAP like Active Directory (auto import of users)
- ability to bulk renew certificates of users with auto-enrollment to SSL-VPN clients. We have a solution developed where the VPN client requests the state of the certificate over a REST service and, if necessary, downloads the new certificate and starts the connection with the new one. This is needed because of our security policy to change certificates in defined intervals and for availability of remote access after an incident like Heartbleed with the need to change the certificates in a small time range
- ability for scripted export of VPN configs (within an IDM workflow with automatic creation of separate letters for username/password/CD with VPN client and support tools)
- that's what comes to mind at the moment - any further ideas?
I have read some pages of features requests and: I'm not alone:
Requests for user management:
Requests for vpn-config management:
I look forward to your comments and votes :)6 votes
The ability to view, report and amend pre-approved USB devices, and the ability to revoke if lost/stolen
In the current console you can view USB devices that are read-only or blocked.
With the current cyber security risks, it would be good to, firstly, report on all devices approved, and then manage or revoke if they are lost or stolen, and, secondly, if we find firmware issues and vulnerabilities.4 votes
We have been told by Sophos Support that the UTM will not present the intermediate CA (Digicert Wildcard Certificate). Please provide support so we can use our existing wildcard certificate with the user portal. There is an unsupported workaround, but it does not persist through a reboot.1 vote
List VPN sessions connected by host when managed by SUM Gateway Manager. This would save having to log into each VPN gateway to see the active sessions by IP and authenticated user per host.1 vote
Configure exceptions based on a Signing CA or based on a certificate. If the UTM web proxy requests an outbound HTTPS connection, and the returned certificate is signed by a specific CA cert or the cert returned matches a specific certificate, and that cert is (optionally) valid, then bypass HTTPS decryption and pass the connection on to the internal client. This would make things much easier to make exceptions for Microsoft OneDrive, where there are a ton of URLs and even some IP addresses that need to be added to the exception list in order to make it work. I'd rather have to update an exception certificate every couple of years than have to chase down every URL used for some of these applications or websites.3 votes
For home users, it would be terrific to be able to use the Network Agent iOS app for iPhone / iPad authentication for family members.
This would greatly simplify the authentication process!1 vote
It would be great to actively monitor (pull) the status of Site-to-Site connections via snmp to include this in the monitoring system.
Additionally, the ability to simply turn a Site-to-Site connection on/off via SNMP would help a lot too.3 votes
Did the end-user password reset functionality go away at some point? I have a newly integrated UTM 9 at version 9.4. In the SPX end-user provided password template, it would be nice to have the user password feature back. Even with end user provided passwords they will surely forget eventually. I am trying to avoid getting into the password reset business. It also added to the ease of use to both my users and their recipients.
Would like to have multiple active STAS collectors reporting logins on DC directly to UTM. The current model only allows one collector to report to the UTM with other DCs using agents to feed the one collector.1 vote
Would like to be able to block all emails with senders from specific TLDs. E.g. *.win or *@*.win1 vote
Today our Sophos Red 50 cannot provide internet access to networks behind it but we can still connect through tunnel and can view networks behind. After restarting the RED it goes back to normal but the thing is we have to go on site to unplug the unit physically. As per your support, currently there is no way we can just restart the RED remotely even if connection to UTM is still up.3 votes
User/Group access to "Authentication Services" and sub section "One Time Password"
Other areas could use more granular access control3 votes
Customer wants to have a feature to limit the number of emails it sends out for a user1 vote
It would be very useful if admins could force individual users to be logged out from the web appliance. This would help in cases where the authentication timeout is very long and the user has closed the captive portal window that allows them to log out.3 votes
It would be nice to finally have the Sophos SG or XG virtual appliance available on the Azure Marketplace.
Currently the only firewall solutions on Azure are Barracuda and Fortinet... Why is Sophos not present on Azure? Are there some technical issues preventing this?3 votes