Do you recognize a good idea when you see one? We want to hear from you!
Header Image

UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can vote and comment on it.

If it doesn't exist, you can post your idea so others can vote on it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  1. Implement a 'one for one connection' mode

    WAF uses no relation between connections from client to WAF and connections from WAF to server. This causes pseudo-connection based authentication mechanisms like NTML or NEGOTIATE to misbehave. This is even documented in ID16010.

    It would be nice to have a 'one for one connection' mode configurable per virtual server as Microsoft products are more and more relying on NTML or NEGOTIATE in their newer products.

    Apache has a bug entry at https://issues.apache.org/bugzilla/show_bug.cgi?id=39673 which can be used as a starting point for supporting this feature.

    3 votes
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
    • No disconnect of Remote VPN Users when disabling or enabling the User Portal

      Could you please not disconnect VPN Users whenever the User portal is enabled or disabled?

      This is very annoying.

      3 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        0 comments  ·  VPN  ·  Flag idea as inappropriate…  ·  Admin →
      • 3 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
        • UTM 425 sync of active directory users

          At the moment it is possible to set only one time for syncing ad users or to do it manually. In large enviroments it would be nice if we can do it more times each day, for example all 4 hours.

          1 vote
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            0 comments  ·  Usability/GUI  ·  Flag idea as inappropriate…  ·  Admin →
          • Outlook plug-in blacklist

            Add a option to the plug-in to add to blacklist of senders

            1 vote
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
            • Wan-Acceleration

              Would be buisness demanding feature ,If sophos can integrate Wan-optimization technology between Sophos UTM & RED.Combined with cost-effectievness of RED's -Sophos can be on top when it comes retail multibranch deployments

              1 vote
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                0 comments  ·  VPN  ·  Flag idea as inappropriate…  ·  Admin →
              • Add the ability to limit number of hours on a application or application group

                The ever increasing demand for our users to have access to you tube, social media or even gaming sites (during lunch hour, hopefully) creates an administrative burden and HR nightmare for many employers. I would suggest that having the ability to limit the number of hours spent by a user or dept on a weekly or monthly basis would be an invaluable tool. This way you can create what is deemed an acceptable number of hours based on a users organizational responsibilities and only have to monitor by exception. This would also be applicable in a home setting where a…

                1 vote
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  0 comments  ·  Application Control  ·  Flag idea as inappropriate…  ·  Admin →
                • FTP SITE CHANGE

                  changing the way the FTP site works

                  Essentially as the .md file in the FTP directory is from the same FTP site, it doesn't mean or validate anything (e.g. cannot be relied upon to validate the trustworthiness of the file). Reason being if the site is spoofed (e.g. via DNS) then we cannot validate the identity of the remote server, given it is clear-text FTP (no mechanism to validate the site's identity, such as via SSL/TLS). Further, if the site has been compromised, an attacker merely has to place the MD5 hash there for the malicious ISO file they replaced.

                  20 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  Logging  ·  Flag idea as inappropriate…  ·  Admin →
                  • Add Report for ChangeLog entries

                    I would like to vote for a report that can be send out once a week that displays the ChangeLog entries so that you can monitor the changes made and send them out to some business devision to become some how compliant to auditing requirements.

                    3 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  Management  ·  Flag idea as inappropriate…  ·  Admin →
                    • Import/Export vouchers database

                      Currently there is no way to export/import the vouchers database from an UTM to another one, e.g. a spare one.

                      1 vote
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
                      • TLS (SSL) Encrypting remote syslog

                        Hi please implement TLS (SSL) Encrypting for remote syslog.
                        It is an important feature to send encrypted syslog messages to the remote syslog server: http://www.rsyslog.com/doc/rsyslog_tls.html
                        A Cisco ASA, Synology NAS and Linux supports this feature. Please implement this also into your great UTM Firewall !!

                        3 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          0 comments  ·  Logging  ·  Flag idea as inappropriate…  ·  Admin →
                        • Display Current Time/Date on Up2Date Screen

                          I often find when I schedule a UTM to update its firmware, that I'm having to bounce back to the dashboard to ensure that the time/date of the UTM is correct, I never take this for granted. So my idea is to simply put the system date/time at least on the Up2Date screen, if not just at the top of the screen in general.

                          1 vote
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            0 comments  ·  Management  ·  Flag idea as inappropriate…  ·  Admin →
                          • Private PSK

                            Aerohive has what they call "private PSK" that allows a single SSID to serve many users each with their own psk. Each can be assigned different security from temporary day users with limited access to full access workers.

                            3 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
                            • SPX Encryption > Receiver Password Portal Setup & Reset

                              A way to remove the need for Password Notifications send to User, Administator or Other. An external facing portal page that allows a notice to be sent to the receiver for them to register w/ e-mail verification to setup to access their password for the SPX attachment. Basically allowing a local service similar to Cisco RES for messages sent from your Sophos UTM. Obviously, this could be limited in that if a per-email password is used by the sender it would not be able to work. Also a password reset would only work for future e-mails as the PDF is…

                              1 vote
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                              • Email Encryption > Methodology similar to Cisco Registered Envelope Service

                                With a Cisco IronPort you have the ability to define Content Filters which then will trigger different levels of encryption requirements.
                                Example: Detects Value > Check for TLS Receiver > If found, Use TLS > If not TLS then use Cisco Registered Envelope Service (RES).
                                This provides you with a way to ensure the communication is encrypted and provides a third-party login/verification system for the end-user to be able to decrypt the e-mail if their server was not setup with TLS Encryption.
                                Along those ideas you can define rules that any e-mails meeting a requirement must use Cisco RES only.

                                1 vote
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                • SPX Encryption > Detect "SPX password for" messages that are forwarded by users to be blocked.

                                  Current 9.200-11 does not detect if a user attempts to Forward the SPX password notification e-mail to the outside receiver. So the "Data Protection Configuration" setting of "On match, notify" is pretty worthless when you select "User" as they can simply forward the notice to the receiver.

                                  1 vote
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                  • AP MAC pick list

                                    Recently we added an AP to a customers Sophos UTM 120. When it came to Whitelisting MAC address (Wireless Protection> Wireless Networks> Edit the AP> Advanced) we were presented with the "Please select" in the MAC Addresses field in the AP Edit interface Advanced window.
                                    The wireless laptops were confirmed as having connected to the AP and had their respective MAC Address appear in the Wireless Protection > Wireless Clients list.
                                    With help from Zak (Sophos support) we were informed we had to manually add the MAC addresses to the Definitions & Users > Network Definitions > MAC Address Definitions…

                                    1 vote
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                    • Make the IPS rules CVE/Mitre compatible

                                      Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

                                      http://cve.mitre.org/compatible/compatible.html

                                      1 vote
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Prevent WebAdmin on additional IP address.

                                        When an additional address is added to an external interface, the UTM can be managed through WebAdmin over port 4444 on that additional address. I would like to see a check box when adding the new addtional IP address that asks if you'd like to be able to manage over this IP or not.
                                        The additional IP is usually for a NAT, say for instance a NAT for my exchange server. It doesn't make sense to me that https://ip-of-exchange-server:4444 allows someone to manage the firewall.

                                        3 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                        • WPA2 Enterprise can Authenticate/Authorize Local Users

                                          I've run into a situation on several occasions where WPA2 Enterprise could also use local users/groups for authentication/authorization.

                                          3 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3 4 5 81 82
                                          • Don't see your idea?

                                          Feedback and Knowledge Base