SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Applications using proxy can negotiate certificates on 443

    Hello,

    Recently I had a problem with the Dropbox application for desktop PC. The proxy was not logging all traffic that was passing through the proxy for this application. After speaking to support, they said:
    I have tried to reproduce the reported issue in our lab and found same behavior.

    As enabling the proxy the traffic passes through port 8080 further preventing the certificate negotiation on port 443.

    As the google sign-in page traffic hopefully getting block at proxy. I tried to apply many rules to allow the traffic but unfortunately the proxy is hindering to pass into.

    I would…

    3 votes
    1 comment  ·  Web Protection
  2. DNS info forwarding from internal DNS to UTM

    Situation: One of my hosts asks my internal DNS about a suspicious address, and then the DNS asks through my UTM (that is why the UTM has no idea about the client and produces false info that my DNS is trying to connect to C&C). This is a very common situation in every company. My suggestion is for you to consider writing special software installed on the DNS (Windows AD). This software communicates with the UTM and gives it all info about clients' DNS queries. It's a simple program but can change a lot because the UTM would then inform me who is REALLY asking DNS about suspicious…

    3 votes
    2 comments  ·  Web Protection
  3. Change Web Protection so that active connections get cut off when a time limit rule takes effect

    Refer to this post:
    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/84096/youtube-and-google-bypass-web-filtering-profile-block-once-content-is-loaded-in-chrome-tabs/314877#314877

    The issue is that if I have time limits established in a Policy to cut users off from surfing during certain times of day, and a user has an active established connection to, say, YouTube when the rule's time limit takes effect and puts the block in place, the active connections are not cut off. The user can continue to watch YouTube until they terminate their connection to YouTube in this example. At this point, if they try to re-establish the connection, the web protection rule stops them from creating a new connection.

    I've now got…

    7 votes
    0 comments  ·  Web Protection
  4. Web Protection: Realtime Per-User Bandwidth Monitor

    For the purpose of analyzing the current outgoing traffic usage we need a live view of the users’ HTTP connections via the Web Protection proxy, along with the possibility to sort it by bandwidth.

    50 votes
    1 comment  ·  Web Protection
  5. Sophos Web Appliance WPAD integration

    It would be useful to be able to load a WPAD.DAT or PROXY.PAC in Sophos Web Appliance so as not to use another external web server.

    2 votes
    0 comments  ·  Web Protection
  6. Sandstorm: Improved feedback for the user

    Hi, it would be nice to have a progress bar or a rough estimate in the Sandstorm checking page, also it would be nice to make it more visible to the user that a scan is taking place and the file is being scanned.

    4 votes
    0 comments  ·  Web Protection
  7. URL Rewrite

    I'd like to be able to re-write the URL of outbound http/s requests, to add/remove something from the URL when a LAN user is browsing the Internet.

    3 votes
    0 comments  ·  Web Protection
  8. Cache Intermediate HTTPS issuer certificates

    When browsing to poorly configured web sites that don't provide a complete certificate chain, the UTM certificate validation will block the site as untrusted.

    Browsers can work around these poorly-configured servers by caching intermediate issuer certificates from well-behaved servers.

    Let site A and site B have certificates issued by intermediate issuer Z. Site A provides the full chain, site B is badly configured and does not.

    If a user browses to site B first, the browser will issue a security warning because it can't find the issuer certificate to validate the certificate chain.

    If a user browses to site A,…

    11 votes
    11 comments  ·  Web Protection
  9. Web Protection: Use Network Range objects in allowed network list for filter profiles

    Enable web filtering profile to use range objects for the allowed network list.
    Web Protection → Web Filter Profiles → Filter Profiles

    22 votes
    11 comments  ·  Web Protection
  10. Block File transfer by Skype

    Adding blocking of File transfer by Skype

    2 votes
    2 comments  ·  Web Protection
  11. Make a Chrome Extension that utilizes the same interface as Endpoint client, for browsing restrictions.

    Or at least make an API available, so we can develop browser filter for chromebooks in-house.

    2 votes
    0 comments  ·  Web Protection
  12. Web Protection: Read X-Forwarded-For header for policy

    Would like to see added the ability for the Web Protection proxy to read X-Forwarded-For from an upstream device. For example, users connecting through a load balancer would have the load balancer's information and not the original user's source information. Reading X-Forwarded-For would allow the appropriate web policy to be applied to users coming from the same IP address.

    17 votes
    0 comments  ·  Web Protection
  13. Create an option to allow NON standard ports for specific websites

    We have a lot of customers using NON standard ports for specific websites. The only (working) option is to add a service port to the Allowed Target Services. It would be preferable to be able to add the specific exception (port number) only for the specific URL, instead of a global exception for those ports.

    4 votes
    1 comment  ·  Web Protection
  14. make it easy to post proxy.pac files on the management server. Upload the file, server spits out a URL, and give that URL out to our users.

    In regards to Sophos Web appliance/proxy, it would be very convenient if we could generate a pac file, upload it to the Sophos management appliance server, have it spit out a URL that we can give to our users. This would simplify the process and allow us to not have to rely on another server to host our pac file.

    3 votes
    0 comments  ·  Web Protection
  15. Reset HTTPS connection instead of URL Filter block page

    As an option, please provide the ability to drop or reset an HTTPS connection to a blocked web site when "URL filtering only" option is set. Reset may be preferable to drop so as to avoid timeouts. The default behavior of responding with a block page is helpful except that it causes certificate errors for clients who do not have the UTM certificate in their trusted CA list. When not using web filtering for true MITM scanning of content, it seems excessive to deploy the UTM cert throughout one's environment, and can be especially challenging on some devices. A simpler…

    25 votes
    1 comment  ·  Web Protection
  16. Better Website management in Webfilter

    Right now the Website list in Webfiltering has very limited management options. Importing or deleting longer lists is not possible because the page freezes. It would be great to have export and working bulk edit options.

    1 vote
    0 comments  ·  Web Protection
  17. Webfilter: Ignore extraneous root certificates

    Many sites include a root certificate in their downloaded chain. This is either a remnant of cross-root certificate mapping or a configuration error.

    All tested browsers ignore the self-signed certificate as long as the same root certificate is installed in the trusted certificate store.

    Unfortunately, OpenSSL, and therefore UTM, are not able to detect that the supplied root certificate is unnecessary, so the connection is blocked. Because of the significant number of sites with this configuration, it is a significant problem.

    This link has an extensive discussion of the problem:

    https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest

    The discussion asserts that the RFC permits inclusion of…

    1 vote
    2 comments  ·  Web Protection
  18. Notification of Proxy Routing

    There needs to be an alert or notification that when setting firewalls for Internet IPv4/6 as a destination that the subnet of the two networks that shouldn't talk to each other are added to their respective web proxy profile blocklist.

    I have encountered many people that are not aware that the web proxy routes. Many people do not test their security configurations and this functionality (proxy routing) goes some time without being realized.

    1 vote
    0 comments  ·  Web Protection
  19. Attachment, link, and file emulation

    Email is a huge vector for malware. Not all of it comes in as an attachment. Links in email often lead to NEW malware. NEW versions of malware are attached or embedded into Office documents. Files users download may have NEW undetected malware in them.

    Palo Alto has Wildfire. FireEye has a similar service/appliance. Each service takes URLs, Office documents and unknown files and detonates them in a sandbox to determine if they are malware. Previously unseen downloaded files are uploaded to the same service. When NEW malware or malware links are discovered, an update is pushed to all subscribing…

    15 votes
    2 comments  ·  Web Protection
  20. Web Protection: Selectively allow range requests (AKA improve iPhone media streaming)

    Mobile devices like the iPhone/iPad use HTTP range requests when accessing media content. Range requests allow a client to request a specific range of bytes from a file on the server, rather than downloading the whole file in one go.

    Unfortunately downloading a file in small chunks makes it impossible to scan that file for malware. Indeed, it could provide a handy way for a malicious program or actor to circumvent gateway security measures and deliberately download malicious code.

    For this reason the UTM will block range requests. The only way around this at present is to exclude the site…

    1 vote
    0 comments  ·  Web Protection