Problem:
There's currently an existing bug (confirmed through support up to firmware v9.602) that causes the SSL VPN daemon to disconnect any users associated with a VPN Profile that has a DNS Host object in its networks.

The UTM will check for updates on DNS hosts periodically (every 2-3 minutes) and any associated VPN Profile will perform rolling restarts on it's users.

This only causes a few seconds of delay for end users as the clients usually connect without issue but it can be very disruptive.

Suggestion:
Have VPN Profiles only reconnect/restart only if a dynamic object (DNS Host or even a static one pushed out via SUM) actually changes value. At the moment it appears to only check if an object is updated/removed rather than if the change would have affected the corresponding routing rules for the client.

Currently you can sort by name, status, or email. It's not intuitive that the ability to sort asc vs. desc is only available under the current sort method. If you're sorted by name it looks like the option to change direction is only available for name. It's not until you change to status or email that the drop down gives you the option to change the sort direction.

What I would like to add is the ability to sort by authentication method (remote, local) and date of creation (or last changed date will work). We have hundreds of VPN users and I typically add new users in bulk. If I could sort by date I could then mark the 5-10 users I just added and download their SSL VPN packages.

It would also be nice to have the ability to export a list of users (or groups). Currently if I want that list I have to change the display to all, select all, then download the VPN packages and use the user_mail_addresses.csv file that accompanies the configuration files.

My customers are using SSL-VPN.

There are certain circumstances, and they need to regenerate the Signing CA.

As you know, after regeneration VPN users must use new certificates.
In other words, users will not be able to make remote access connections with old certificates.

However, it takes time to distribute new certificates to users.
Before a new certificate reaches the user, not being able to connect to the remote access will hinder their business.

I request it.
Please allow remote access connection from clients of old certificate and client of new certificate until user gets new certificate.
Also, please be able to set it with WebAdmin.

Hello Sophos,

For many of our customers, we had configured a number of IPSEC Tunnels and enabled the notification when a Tunnel goes Up/Down. Due to Dead Peer Detection (DPD) the tunnel going down due to inactivity and coming up again, Which sends a number of Up/Down notifications which are useless for us.

1. Shouldn't Sophos be smart enough to recognize the status change is due to Dead Peer Detection and do not send a notification?

Or

2. An alternate solution to the problem is if you can introduce an alert which sends a notification only when a tunnel is down for x (2/3/5) mins.

Please introduce this feature at earliest as this would be very helpful for us to reduce the noise and not focus on the false positives.

Thank you in Advance.

One thing I would have liked in Sophos UTM is a status report for the http proxy, as I find it difficult to see what the http proxy computes when the proxy eats most of the CPU.

I would love to see a webpage with graphical presentation of all proxy requests that take longer than X ms (adjustable). For each of these requests, I wish information about:

• Who/source (hostname/IP address) that created the request
• Destination URL/Destination (Protocol, Url/IP Address) to which the request refers
• Current processing time, ie, how long has the proxy worked with the request
• Current status (downloading or scanning)

Also wish to complete the http proxy log (after completed request) with the above information for each request.