SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. We need a "Blacklist Group" object that we can populate with individual IPs or an IP range.

    We need a simple blacklist "group" object that we can pop in either individual IPs or an IP range. This would be used for blacklisting IPs and blocking/dropping all traffic from these IPs before they hit the filter rules. Similar to how the country blocking works but with our own defined list of IPs, IP ranges and even domains (top level and subdomains).

    1 vote

    0 comments  ·  Network Protection
  2. Network Protection: Automatic blacklisting

    Please make it possible to set rules to automatically add IP addresses to a blacklist for a specific time period if they exceed the specified packet limits set in Anti DoS!

    E.g.:

    2000 packets/sec over limit -> 30 seconds blacklist
    5000 packets/sec over limit -> 60 seconds blacklist
    10000 packets/sec over limit -> 120 seconds blacklist

    6 votes

    0 comments  ·  Network Protection
  3. Live View Nat Connection List

    Recently tried to debug long term TCP connections used by the NEST thermostats. The issue at heart was trying to find out whether or not there was a TCP connection established. It would be awesome to have a live display that would process in a useful way the output of /proc/net/ip_conntrack

    For example, I used this CLI to help my efforts:
    cat /proc/net/ip_conntrack | awk '{print $4" "$5" "$7" "$6" "$8}'

    5 votes

    0 comments  ·  Network Protection
  4. Allow Firewall rules to be members of multiple groups

    Allow Firewall rules to be members of multiple groups so they can be associated with several rule sets.

    Or even allow them to be given tags so all rules can be listed that have a particular tag assigned.
    Sometimes a firewall rule does not just fall under one group of rules.

    5 votes

    1 comment  ·  Network Protection
  5. Tune Nat Values

    It would be awesome to have an interface within the webAdmin tool to adjust the nat values into areas like /proc/sys/net/ipv4/netfilter

    2 votes

    0 comments  ·  Network Protection
  6. Network Protection: Use Suricata for IPS

    I think it could be worth a look, unless Snort comes up with a multithreaded version.
    http://www.openinfosecfoundation.org/
    http://suricata-ids.org/

    45 votes

    8 comments  ·  Network Protection
  7. Sophos UTM - VoIP - SIP ALG checkbox to enable or disable this feature. Every xDSL-Router has this option.

    Many VoIP providers recommend disabling the SIP ALG function for their ATA fax boxes, to reduce the noise while transmitting a fax.
    In the Network Protection / VoIP dialog of the Sophos UTM, I would like to see this option as a simple checkbox.

    18 votes

    0 comments  ·  Network Protection
  8. Connection Tracking Helper SFTP

    A customer wants to use an SFTP connection from outside to his company. For this he installed a QNAP NAS and activated SFTP over port 2112 (SFTP port 22 is not available).

    The problem is that when we want to connect from outside, the NAT and firewall rules are working, but SFTP needs more than the one port.

    For FTP the solution and routing work. But SFTP didn't work. For FTP you can use the connection tracking helper, but SFTP cannot be used with that.

    So please enable SFTP to work with the connection tracking helper so that it works with the different ports.

    15 votes

    1 comment  ·  Network Protection
  9. Networking: RPC Connection Tracking Helper

    A port object that automatically unlocks the associated high ports for the RPC mapper, so you must not unlock all high ports for the RPC services.

    37 votes

    4 comments  ·  Network Protection
  10. Enable country blocking by time.

    We're trying to find more creative ways to block VPN services after hours at our school and the country blocking will definitely help, but since we have many foreign students we can't have this enabled during school hours. This country blocking would definitely help us, but it doesn't have the option for schedules within the option itself or in exceptions.

    1 vote

    0 comments  ·  Network Protection
  11. add reject-with tcp-reset function

    The "reject" action in the packet filter rules sends an ICMP Destination Unreachable to the rejected host. It seems that most applications ignore this ICMP. Therefore other firewall systems implemented the "reject-with tcp-reset" function. This way a TCP session will be ended, and hopefully the application will not have to wait that long until it realizes that the connection is not permitted.
    This is needed because many computers and other devices suffer from network hangs because they try to connect to forbidden hosts.

    13 votes

    3 comments  ·  Network Protection
  12. IPS: Manual Rules Notes

    Under Manual rule modification you can add rules. It would be nice to be able to put a note next to each one to explain what it is, or why it is needed.

    It would also be nice to group Rules.

    3 votes

    0 comments  ·  Network Protection
  13. Networking: Forward Ping for Devices behind UTM

    In V8 it was possible to Ping Devices behind the UTM Device, in V9 it is Disabled and could not be Enabled with a Packet filter Rule.

    This function is useful for us and our Customer which has Devices behind the UTM in his own DMZ that should be monitored by Monitoring Systems etc.

    18 votes

    5 comments  ·  Network Protection

    While already possible by disabling the built-in ICMP handlers and creating your own packet filter rules for explicitly allowing such traffic, we will review the operation of this behavior and if we can refine the GUI here.

  14. Country Blocking Exceptions by source MAC addresses

    Possibility to create a Country Blocking Exception with a defined source MAC address. In the normal Firewall rules this is already possible.
    Thanks.

    1 vote

    0 comments  ·  Network Protection
  15. Search firewall on IP Addresses

    It would be nice to be able to search in Firewall definitions for IP addresses, in addition to searching on object names.

    1 vote

    0 comments  ·  Network Protection
  16. Open ports based upon source country

    Add the ability to open a specific port but to only allow access to it from a specific country. For example to allow access to a VPN server but only allow access to it from the UK

    3 votes

    1 comment  ·  Network Protection
  17. Add DynDNS Support for Additional Interface IP Addresses

    It would be useful to be able to choose to assign a specified DynDNS hostname also to an Additional Address,
    not only to the IP of the local interface or the public IP address.

    This is useful if you have more than one ISP with more than one IP (Additional Address) per ISP.

    Summary:
    -ip of local interface
    -first public IP on the default route
    -ip of the additional address (New)

    So you can update the DNS entries for all additional addresses from ISP One to ISP Two when the failover happens (Not only
    the Primary Address on the Uplink-Interfaces Network Object,…

    2 votes

    1 comment  ·  Network Protection
  18. Autoadjust IPS rules based on Network Protection rules

    Automatically select only the applicable IPS rules and performance settings based on the network protection rules, e.g. only select HTTP Rules and HTTP performance settings if by filter only HTTP is allowed

    2 votes

    0 comments  ·  Network Protection
  19. Import your own IOC through widely supported format (stream or file)

    Being able to import our own Yara, OpenIOC, Snort, Suricata format files through files and/or API.

    3 votes

    0 comments  ·  Network Protection
  20. Web Protection: Allow blocking Flash/ActiveX/Java Separately

    Especially Flash is mostly used by many internet pages, but we want to block Java, due to the security issues!

    In Version 9, you can only choose the three methods together.

    13 votes

    3 comments  ·  Network Protection