SG UTM
Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.
-
RED: Support Backup Hostname for RED Connection
Currently, REDs and ASG must find and connect through the definition of a single host-name that is fully resolvable in the public. While this can use the DynDNS feature in ASG already for "fail over", it might be simpler to just offer another host-name field to be used in the event RED loses connection to the main host-name?
Even with multiple WAN links available to an ASG, the RED's use of just a single hostname poses a problem if that particular WAN link or ISP should drop for a time (e.g. fiber cut, dead modem, etc). The downed REDs…
53 votes
Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Second hostname is available with RED 50 and RED 15, we will not be adding this option to RED 10.
-
RED: VLAN port configuration on RED
It would be extremely handy to be able to configure the individual ports on a RED to support different VLANs -- for instance, port 1 and 2 could have VLANs 20 and 30 tagged, with ports 3 and 4 running untagged (VLAN 1)... really handy for a branch office setup with VOIP, etc. It would also be nice to be able to configure a hybrid port as well... that is, one that you can configure a native VLAN on (untagged) with tagged VLAN IDs all on the same port, a la Cisco, etc.
55 votes
Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
RED50 ports can be tagged with VLANs.
-
REDs: Using the 3G uplink to perform firmware updates
We have an opportunity that has about 90 remote sites and, due to the cheap alternative of using a 3G USB dongle for Internet access, they would like to see that the RED device would have the ability to not just use the 3G connection as a failover link but as a primary link for all subsequent updates after initial provisioning at the HQ. An Ethernet connection in those remote areas is not possible.
7 votes
This feature has been implemented and released in Sophos UTM 9.1.
-
SPLIT TUNNELING
Split tunneling will be beneficial in many scenarios where a customer requires direct internet access at branches with RED units.
2 votes
As Alan mentions, this is already possible via a number of different configuration choices.
-
RED: Connect to other ASG WAN Links
If my ASG has more than one Internet Uplink, RED should be able to reconnect to another available link if the default connection is experiencing an outage. In this manner, RED would be aware of the other Link(s) available on that ASG, and would fall-back to re-establish the tunnel as needed using the next available connection, and then migrate back to the main/preferred one when possible.
(If you previously voted for "RED Should be able to handle astaro's uplink failover", please place your votes here, as we cannot de-merge yet)
7 votes
Possible with DynDNS integration, see comments for more info.
-
RED: MAC Address Whitelisting per-RED device
RED could gain a degree of security by having a way to specify which MAC addresses should be allowed to connect via each device. This would provide some extra layers of protection for places where physical security cannot be guaranteed easily, such as cleaning staff plugging in a laptop during the night and gaining access to the corporate network.
7 votes
This feature has been released as part of UTM 9.1. Enjoy!
-
RED: Compression Support for Tunnels
Please implement data compression ability for RED Tunnels. This would allow more effective throughput using RED devices with slow internet connections, especially with slow uplink speeds, and would also save RED bandwidth on the Internet Uplink at HQ if there's, for example, heavy usage of good compressible content such as HTTP traffic, SMB access, etc.
59 votes
This feature is available as of Sophos UTM V9.2.
-
Failover Capability if ASG is offline
RED's current fail-over internet access is not much help. RED needs a fail-over internet access option for if the ASG becomes unavailable.
Proposed functionality:
If ASG becomes unavailable due to ASG side failure, RED should maintain its config (LAN side IP, WAN IP) and simply switch to split tunnel mode, allowing internet traffic to flow out on the local internet uplink and tunnel traffic to just drop since the tunnel is down. When the link to ASG is re-established it would switch back to unified routing mode. Internet uptime is critical, so we can live with RED splitting the internet bound…
8 votes
This is largely solved with the Split modes support added in ASG 8.100
-
RED: WAN Link Balancing
RED devices should support more than 1 WAN interface (at least 2 WAN ports) for link fail-over. Lots of organizations' branches are using multiple WAN connections for emergency usage.
61 votes
This feature has been released as part of the RED 50 device which is available now worldwide and has support for multiple Internet Uplinks.
-
RED: 3G / UMTS connectivity via USB stick
Almost every country in Asia has requested 3G support for RED via the USB port to allow 3G capable USB devices to act as a WAN fail over. This is especially needed for countries with poor infrastructure and in remote areas.
44 votes
This feature has been implemented in ASG 8.200 and is available with the new RED10 rev2. appliances
Check out what else we improved in this release here: http://www.astaro.com/blog/up2date/ASG8200
-
RED: Support for Static / Fixed IP
Astaro RED should be able to handle fixed IP addresses.
7 votes
This is possible in 7.507, and in ASG V8. Enjoy!
-
RED: Offline Provisioning to configure RED w/o Internet Access
On some sites there is a need to be able to configure RED devices without internet access. Some companies do not allow configuration of devices via external provisioning servers; on other sites, policies simply do not allow such access to the internet.
Maybe something like the possibility to redirect provisioning server requests to an own internal ASG which plays the provisioning system for the REDs...
23 votes
This feature has been released as part of UTM 9.1. Enjoy!
-
1 vote
This is already possible. When you remove a red, the hardware interface is removed, but the RED interface will still be on the interfaces list (allowing for the re-assignment of another RED for example without wiping the configuration). To remove all the RED config, simply delete the interface itself and all configuration regarding it will be wiped as well.
-
RED10 Security
The initial configuration for RED10 devices has no protection against a stolen RED10 device being used to connect back to internal systems.
There needs to be an option to lock the RED10 device to an IP or hostname so that a connection won't be accepted unless it comes from the authorised location.
For static IPs, locking to an IP is fine.
For dynamic IPs:
Instead of locking to an IP it could be locked to a DNS host name. When a connection attempt is made the ASG hub could perform a Reverse DNS lookup. If the returned hostname for that…
3 votes
This is solved since RED’s release via the Unlock Code Mechanism