SG UTM
Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.
-
Better Website management in Webfilter
Right now the Website list in Webfiltering has very limited management options. Importing or deleting longer lists is not possible because the page freezes. It would be great to have export and working bulk edit options.
1 vote -
Webfilter: Ignore extraneous root certificates
Many sites include a root certificate in their downloaded chain. This is either a remnant of cross-root certificate mapping or a configuration error.
All tested browsers ignore the self-signed certificate as long as the same root certificate is installed in the trusted certificate store. Unfortunately, OpenSSL, and therefore UTM, are not able to detect that the supplied root certificate is unnecessary, so the connection is blocked. Because of the significant number of sites with this configuration, it is a significant problem.
This link has an extensive discussion of the problem:
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
The discussion asserts that the RFC permits inclusion of…
1 vote -
Notification of Proxy Routing
There needs to be an alert or notification that when setting firewalls for Internet IPv4/6 as a destination that the subnet of the two networks that shouldn't talk to each other are added to their respective web proxy profile blocklist.
I have encountered many people that are not aware that the web proxy routes. Many people do not test their security configurations and this functionality (proxy routing) goes some time without being realized.
1 vote -
Attachment, link, and file emulation
Email is a huge vector for malware. Not all of it comes in as an attachment. Links in email often lead to NEW malware. NEW versions of malware are attached or embedded into Office documents. Files users download may have NEW undetected malware in them.
Palo Alto has Wildfire. FireEye has a similar service/appliance. Each service takes URLs, Office documents and unknown files and detonates them in a sandbox to determine if they are malware. Previously unseen downloaded files are uploaded to the same service. When NEW malware or malware links are discovered, an update is pushed to all subscribing…
15 votes
Planned · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We are looking at adding this kind of functionality to UTM v9.4. Watch this space…
-
Web Protection: Selectively allow range requests (AKA improve iPhone media streaming)
Mobile devices like the iPhone/iPad use HTTP range requests when accessing media content. Range requests allow a client to request a specific range of bytes from a file on the server, rather than downloading the whole file in one go.
Unfortunately downloading a file in small chunks makes it impossible to scan that file for malware. Indeed, it could provide a handy way for a malicious program or actor to circumvent gateway security measures and deliberately download malicious code.
For this reason the UTM will block range requests. The only way around this at present is to exclude the site…
1 vote -
Enable the admin to remove unused Website Tags in Web Filtering
If one defines a website tag in the UTM for a collection of URLs, then later desires to fully delete the tag (the tags remain in the configuration db even if not assigned to any URLs), there is currently not a way to do this. I contacted support and they said this would be a feature request (seems like missing basic functionality to me).
50 votes -
YouTube for Google Apps support
Google will no longer be supporting YouTube for Schools anymore. They are now moving it to Google Apps for Education's YouTube settings. In this setup, redirection for www.youtube.com, m.youtube.com, and youtubei.googleapis.com need to point to restrict.youtube.com (see https://support.google.com/youtube/answer/6214622)
5 votes -
Huawei P8 Lite Fitbit Flex Connection 2
Hello
A friend recently gave me her old bracelet Fitbit Flex 2. It is reset but we are unable to connect it to Bluetooth with my Huawei P8 Lite while we get there with other devices... Have you ever encountered this problem? Solutions?
Thank you, everyone.
1 vote -
Enforce YouTube safe mode
Please add safe mode for YouTube like Google or Bing search
5 votes -
Autonomous quota consumption (no user confirmation)
The new quota feature works great, but there is a big problem using quota on mobile devices. Having a media streaming quota configured, you have to open a web browser and confirm the amount of time (quota) you want to use. That works fine on desktop, but on mobile iOS devices such requests in a browser get redirected to an installed app (YouTube) and you never have the chance to confirm the quota you want to use - as a consequence the YouTube app does not have internet connectivity.
5 votes -
Web Protection: Youtube and blocking specific categories
Coming from another vendor one of the features I like/had was that I could block categories within YouTube. We are a School District that needs to access YouTube (YouTube for Education has limited content). It would be nice to setup a policy or rule to be able to block these YouTube Categories.
Currently available categories are:
• Film
• Autos
• Music
• Animals
• Sports
• Shortmov
• Travel
• Games
• Videoblog
• People
• Comedy
• Entertainment
• News
• Howto
• Education
• Tech
• Nonprofit
• Movies
• Moviesanimeanimation
• Moviesactionadventure …
163 votes -
upload bandwidth report
Customer would like a report of upload bandwidth used so that they would be able to identify any possible data leakage if they can identify users that have high upload bandwidth usage.
9 votes -
Time based rules for traffic throttling or shaping
It would be very helpful to have time-based rules for traffic throttling or shaping. For example, users at our office access Facebook and we don't want to block it - just make it less of a burden on our Internet connection.
4 votes -
Disable option for users time to use for a site
When you configure quota the user gets a page for “Select how to your remaining time quota to use”. I am missing the option to disable this.
I want to only get a message when the users use all of their quota.
1 vote -
tagged websites in exceptions
In the webfilter exceptions you can configure websites "tagged as", however this doesn't work.
4 votes -
tag support parent proxy
If there are already tagged websites, it would be nice to support these tagged sites also in the parent proxy.
4 votes -
Block via user agent
Customer requesting to block traffic via user agent
4 votes -
when sending error messages to users who connect to a non-existing or forbidden HTTPS-site, send the full CA chain to the user/browser
Reason: Google forces more and more websites to HTTPS by punishing HTTP-only sites with a bad search ranking. In such a case proxy SG only sends the auto generated certificate to the user, which results in an unclear and ugly certificate error message by the browser to the user. This can be prevented by creating a signing certificate in the internal PKI, where the proxy SG must send this signing certificate to the user. Creation of the signing certificate is out of your scope, but it will be an internal certificate, valid to the internal organization only. Sending this signing…
3 votes -
Proxy usage security problem + change the bad proxy design
When using - Skip transparent mode destination hosts/nets
with Allow HTTP/S traffic for listed hosts/nets checked, not only hosts which are in Allowed Networks can reach these destination hosts. So if you have a public WLAN which is not in the Allowed Networks Web Filtering, everyone in this Network can reach the destination hosts. The automatic Rule Allow HTTP/S traffic for listed hosts/nets should only allow the Hosts in Allowed Networks to solve this security problem. If you don't want to change this behavior please remove the Allow HTTP/S traffic for listed hosts/nets Feature for security reasons.
General…
3 votes -
Add a "bytes out" field in http.log.
A "bytes out" field in the http.log would help identify hosts that are sending a lot of data out of our company. This is important to know, regardless whether the data flow is intentional (e.g. malicious user) or unintentional (e.g. compromised host.)
2 votes