A system whereby customers can encrypt messages with the recipient having no in-place method to decrypt them, such as is currently possible with S/MIME/PGP setups. Allows encryption to satisfy needs of many companies that do not have setup relationships with key exchanges and such, like Health Care, Government, Education etc. It should be very easy to use.
43 votes
Extended the exceptions functionality to allow for specific rules as part of an exception.
This will allow for much more granular IPS exceptions in being able to specify a rule be disabled/excepted only for a certain traffic flow, like for rule 2122 from Internet to Webserver, without disabling the rule globally or by exempting the resource from IPS fully.
37 votes
Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This feature is completed as part of XG Firewall that has been released on November 9th 2015.
While not exactly implemented as requested here, the concept of granular IPS policies per rule solves the underlying goal of this feature.
Regarding uplink load balancing, I'd like to create low cost DSL farms for HTTP browsing while reserving our T1 connection for two way bandwidth intensive operations. To do this I'd need Uplink Interface Groups. In uplink load balancing, HTTP access would be assigned an uplink interface group containing three DSL uplinks. The rest of the traffic would be assigned the T1 uplink interface.
24 votes
This feature has been completed and released as part of UTM 9. See http://www.astaro.com/blog/up2date/UTM9 for launch information.
Implement a mechanism whereby it is possible to install system up2date packages via a scheduled time each day, week, month, etc. or one-time operation, such as "This Tuesday at 3am". Allows administrators to keep the Astaros updated without manual operations or using ACC.
31 votes
When the Master-Role changes within a Cluster, PPPoE Connections will go down until the admin manually restarts the connection or until the automatic reconnect occurs.
It would be helpful if a PPPoE Interface has an Option to trigger the reconnect when Cluster-Roles change.
12 votes
This was treated as a bug and was fixed in Version 8.300. I’ll close this feature as a result.
With the inclusion of AES-NI support in Version 9, it should be considered how to best utilize this acceleration to realize the massive gains possible. Currently, the client and server "talk" and decide which streams to establish and which encryption should be used.
The negotiation should be tweaked/modified to prefer AES-NI supported algorithms. This will make sure that we can re-order or optimize this so that we promote the algorithm modes that we can accelerate.
1 vote
Due to updates by various projects (like LIB-OPENSSL) this is already possible and will be present in UTM9.
Why is Astaro the only vendor who doesn't allow changing the LAN IP address while connected to it? This is asinine, especially during the initial setup wizard!
The feature reads as: allow changing of the IP address of the LAN IP during the setup wizard. Further, currently I cannot change the IP of an interface if I am connected over it, I have to make a new interface, connect over that, then change the IP of the interface I wanted to in the first place. This is tedious.
6 votes
In order to correct a few mistaken statements, allow me to comment.
As of ASG 8.200, you can fully change the IP of the “connected” (or LAN in this example) interface via WebAdmin. It is also possible to change it during the Wizard.
As such, I’ll refund the points and mark this as complete.
Currently in the Web Application Firewall it is not possible to create a catch all domain that will manage all unknown addresses.
Let's say you work as a web host and want your customer to access their web site under user.webhost.com ... It would be great to have a *.webhost.com that would catch all unspecified address and forward it to the web server.
6 votes
As Elmar mentions this was completed in 8.103 and enhanced in 8.200 with SAN support. Ensure your URL hardening lists are set up correctly, as URL hardening needs the concrete domain in the URL listings.
I want to have a reporting or notification if an AP goes inactive or if there is a Problem with them.
16 votes
Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is available with UTM 9.3, you can get a notification for APs going offline and online. Information on inactive APs is also available in the Wireless Protection Dashboard.
Allow Astaro APs to act as wireless range extenders to relay or repeat the current wireless network without the need to run a network cable.
44 votes
This feature has been released as part of UTM 9.1 for our AP 50 product. You can extend wireless networks across a new wireless-mesh framework that can be created from WebAdmin. Enjoy!
Split tunneling will be beneficial in many scenarios where customer requires direct internet access at branches with RED units.
2 votes
As Alan mentions, this is already possible via a number of different configuration choices.
There are a lot of small and cheap devices capable for the (home) use of Astaro Security Gateway software (e.g. netbooks with 1GB RAM) but limited just with one Ethernet interface, but also offering multiple USB ports. For most (small) installations an additional USB network adapter would be sufficient - but is so far not supported...
Let's turn on USB network support in the kernel:
This feature has been released as part of UTM 9.1. We now have support for many USB Ethernet adapters. Give yours a shot today, and let us know at www.astaro.org what you see for success. Enjoy.
In order to connect to Amazon VPC you need to have a special IPsec + BGP combination to create a resilient connection with integration dynamic routing.
Astaro should implement an easy way to quickly connect to Amazon VPC without all the hassle.
14 votes
This feature has been released in Version 8.300 of ASG and is now available!
We need an Outlook Anywhere connection over the Web Application Firewall to secure the Exchange 2010 Server. Currently it is not possible to forward the RPC Requests through the WAF. A NAT rule is not secure enough.
483 votes
This feature has been released as part of UTM 9.1. The Web Server Protection (WAF) area has been upgraded with new features to allow the handling of the Outlook Anywhere Protocol. Enjoy!
Make it possible to add additional domain server in the single sign on configuration or allow availability group in the "Server" configuration so that if the first domain is down authentication will fail over to the second domain.
7 votes
For safety, instead of forcing the admin to disconnect and put a node to the side for "safekeeping" in case of a big failure when upgrading, it should be possible to set a node as "reserved" during the up2date process so that it remains separate and can instantly become active while the other unit(s) are upgraded.
This lets the admin get back online and buys some breathing room in case they need to re-image or otherwise work with their cluster to address a failure.
10 votes
This feature has been completed and is ready for testing in the current Sophos UTM 9 Beta version which can be found at http://www.astaro.org/beta-versions/utm-9-public-beta/
Thx Astaro PM Team
In the flow monitor I can see where the traffic goes, whether HTTP or VPN, etc. but not who caused the traffic.
It would be nice if the IP of the PC is displayed, which produces the traffic.
2 votes
This is already possible by expanding via click the “client” table in flow monitor. As the feature is possible, I'll mark it as complete, please check with support or www.astaro.org if you need more help on that.
For those in the networking world who support several clients, it can become tedious to recreate your definition lists for each new Astaro you receive for a client. It would be nice if you could either keep a common list saved on your myastaro account that you could download into the Astaro when setting it up, or possibly on a USB key that you could import in. Would definitely cut down on install time for networking companies.
5 votes
We have solved this problem using ACC Version 2.1, which added support for Central Objects for both Services and Network Objects. This is designed precisely to manage the type of situation you describe. You can deploy, revoke, change, and otherwise work with these objects in the ACC database and connected ASGs, even disconnecting the ASG and preserving the published objects.
If my ASG has more than one Internet Uplink, RED should be able to reconnect to another available link if the default connection is experiencing an outage. In this manner, RED would be aware of the other Link(s) available on that ASG, and would fall-back to re-establish the tunnel as needed using the next available connection, and then migrate back to the main/preferred one when possible.
(If you previously voted for "RED Should be able to handle astaro's uplink failover", please place your votes here, as we cannot de-merge yet)
7 votes
Possible with DynDNS integration, see comments for more info.
Allow to create more than eight SSIDs per Astaro Security Gateway. Even if there are only 8 SSIDs supported per Access Point, allow the more created SSIDs to be spread over the remaining attached Access Points.
7 votes
This feature is now available with Sophos UTM 9.003.