You really need a way to restart individual Wireless Access Points without having to reboot the whole gateway. Thanks.
1 vote
I want to have a feature that allows us to exempt emails with specific headers in Reflexion. Is there a way we can whitelist emails by header? For example, if an email has “X-ExclaimerHostedSignatures-MessageProcessed” in its header, it should not be treated as spam and should always be delivered to the inbox.
1 vote
It would be great if a new feature can be added to application control for Apple App News.
1 vote
The Sandbox Activity tab is designed to show web events that triggered Sandstorm; however, my customer would also like it to show SMTP information too (like it does in the Mail Manager).
1 vote
Hello, the Sophos VPN client for Windows has received several updates already since UTM version 9.4 rolled out. However, in each case the program version has remained at 2.1, which makes it extremely difficult for us to script out updating the clients on our users' computers. In addition, not incrementing the program version is considered very poor practice in software development.
Can you increase the product version each time you update the client (e.g. 2.2, 2.3, etc.) or at least add a sub-version/build number (e.g. 2.1.100, 2.1.101)?
3 votes
Everyone who needs to maintain hundreds of users on a UTM, please read and vote:
To import hundreds of remote authenticated (LDAP) or local users to UTM is a pain! The only way is to hire a dozen students to hack the users into the system. Then you can "bulk-download" users' vpnconfig via WebAdmin. Has anyone tried to mark more than 25 users to download the config or delete the user objects? On my SG430, no chance. I think many of you know the message: "script is running for more than 30 s - it is possible we do the job if you click ten times or more on continue - but we can not promise anything ..."
Until v9.2xx there was a hidden solution for that job: the user_maintenance tool, a perfect script to maintain the users for SSL-VPN connections. This tool was programmed by an Astaro engineer who left the company after the merger into Sophos. As I clarified with support, this script is no longer maintained or supported. (Available on every UTM - try it on a test system ;)
user_maintenance tool - use only on Sophos UTM 9.2xx and v9.1xx!
Usage: user_maintenance.plx --action [create|delete|import|export|disable|enable|sslconfig|showCAs] options....
create: creates new user objects and the associated certificates
delete: irrevocably deletes the specified users and all associated objects from the local confd
export: exports all confd objects belonging to the user to the file exportfile
import: imports the objects exported on ANOTHER ASG from the file importfile into the local confd
disable: deactivates the specified users so that login is no longer possible, but without deleting them
enable: activates the specified users so that login is possible again
sslconfig: creates the SSL VPN/OpenVPN configuration files
showCAs: lists the existing verification CAs
--noninteractive: non-interactive mode (no user input)
--usernamefile FILE: the usernames to which the action is to be applied are listed in the file FILE
--importfile FILE: the data previously exported on another ASG is found here for import (only with action 'import')
--exportfile FILE: the data to be exported is saved here (only with action 'export')
--target_CA REF_NAME: the certificate data to be imported is bound to this verification CA
(Sorry, the tool is in German; it was written for the needs of a German company, if I'm right. At this point, sorry for my English: I know it's not the best, and sometimes Google Translate is my best friend ;)
In larger environments it is a must-have to automate the rollout and maintenance of users. There are workflows established for approval and deployment of the users to all necessary systems, applying rules and rights and so on. This is well known as IDM (identity management). Speaking for our company: Sophos UTM is the only system where I have to manually add the users ...
- a scripting API (like Sophos XG? But I don't know if it is possible with this API. As I read, at this time you can only log a user in and out there?) with the functionality of the user_maintenance tool
- ability to sync users with LDAP directories like Active Directory (auto import of users)
- ability to bulk renew certificates of users with auto-enrollment to SSL-VPN clients. We have developed a solution where the VPN client requests the state of the certificate over a REST service and, if necessary, downloads the new certificate and starts the connection with the new one. This is needed because of our security policy to change certificates at defined intervals, and for availability of remote access after an incident like Heartbleed, with the need to change the certificates within a short time range
- ability for scripted export of VPN configs (within an IDM workflow with automatic creation of separate letters for username/password/CD with VPN client and support tools)
- that's what comes to mind at the moment - any further ideas?
I have read some pages of feature requests, and I'm not alone:
Requests for usermanagement:
Requests for vpn-config management:
I look forward to your comments and votes :)
8 votes
iView with dynamic IP: can iView filter new devices on host names for UTM? It would make it more useful for smaller companies.
In Canada, static IPs can add 50% to the cost of Internet service.
3 votes
Ability to view messages in Sandstorm: customer would like to be able to see a preview of the headers, body, subject etc.
4 votes
Provide support for newest version of Outlook 2016.
7 votes
We have been told by Sophos Support that the UTM will not present the intermediate CA (Digicert Wildcard Certificate). Please provide support so we can use our existing wildcard certificate with the user portal. There is an unsupported workaround, but it does not persist through a reboot.
4 votes
To install Sophos PureMessage for Exchange you have to be Domain Admin. In a bigger Windows domain with separate groups for Exchange and Windows administration, it can be very complicated to install PureMessage for Exchange, as you always need a Domain Admin. It would be easier if the Exchange admin group could install/upgrade Sophos PureMessage.
1 vote
It would be useful to install Sophos PureMessage for Exchange unattended. If you have a bigger Exchange installation with several MBX servers, it is very annoying to upgrade.
1 vote
Set Maximum queue lifetime and Bounce queue lifetime to be able to accept hours or minutes instead of just days, to allow an email that is deferred due to an email address typo etc. to be bounced back within 1 or 2 hours or a half hour instead of 1 to 5 days. The fields don't accept decimal places. If you set the value to be entered in minutes, 1 day would be 1440 minutes and 5 days would be 7200 minutes. This way, if a customer wants to set the bounce queue lifetime to 1/2 day, they would just set it to 720 minutes, which you can't do currently. If you have an email that is time sensitive and the appliance by default holds it for 5 days, due to many possible issues of sending, before bouncing it back to the end user, that can be very bad. If the end user doesn't know that it's still sitting in the queue and finds out 5 days later that it wasn't sent, it tends to make them mad. We currently have our Maximum Queue Lifetime set to 0 days and Bounce Queue Lifetime to 1 day from working with Technical Support. Things are much better, but then you have cases where an email gets deferred due to a delay on the recipient mail server, which then bounces back to the end user instead of staying in the Mail Queue to be retried at a later time. So having things set to 5 days and even 1 day is too long. If an email doesn't leave the Mail Queue within the same day you send it, there is a problem.
1 vote
I'd like to know if it is possible to analyze a doc file attached to an email, discover whether it contains a macro and, if it does, put the message in quarantine.
71 votes
It would be great to actively monitor (pull) the status of Site-to-Site connections via SNMP to include this in the monitoring system.
Additionally, the ability to simply turn a Site-to-Site connection on/off via SNMP would help a lot too.
7 votes
UTM WAF helps protect older and weaker servers, but only if it can connect to them. OpenSSL does not handshake properly with Server 2003 for reasons that I cannot fully explain. Based on SSL Labs test reports, the problem is mostly unique to OpenSSL clients. However, the connection works perfectly if you prevent OpenSSL from attempting a TLS 1.2 connection (e.g. openssl s_client -connect server:443 -no_tls1_2). Please provide protocol selectivity so that the WAF connection to a "Real" (internal) web server can be configured to match what that webserver can accept.
2 votes
Would like to be able to block all emails with senders from specific TLDs. E.g. *.win or *@*.win
7 votes
Instead of the actual crypto locker problems we block all Office MIME type mails and need a feature to send a quarantine report more often to users.
4 votes
UTM already knows how to block IPs that perform port scanning: why not also block attackers as soon as Intrusion Prevention detects them? (This way, unknown attack packets are also dropped immediately.) I noticed detections are very often 4 or 5 types only, but I exclude exploiting tools try only 5 types. The IP should be banned for a customizable timeout ... like 5 minutes to 4 hours: if the attacked IP (or firewalled IP range) doesn't answer, they surely go elsewhere. Thank you
3 votes
Second DHCP relay address was implemented in other brands already in '90. Why is it not implemented here?
Thank you
3 votes