SG UTM
Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.
-
fix the issue with IE9 and IE10 crashing when UTM Web Filtering is set to transparent and HTTPS is set to URL filtering only
Fix the issue with IE9 and IE10 crashing when UTM Web Filtering is set to transparent and HTTPS is set to URL filtering only.
1 vote
Hi Chance,
Thanks for sharing on our feature site. To be clear, the issue with IE crashing is caused by a fault in IE, and not in UTM9/10. Sophos cannot address the issue directly. However, we did release a patch in version 9.314 and later, which changes the timings of the delivery of error pages. This patch does not solve the problem, but it almost completely avoids the problem crashes. Please make sure you are running a current firmware version, or make sure your users are using at least IE11.
-
Web Security: File extension blocking inside archives
Multiple customers will have the need to block specific file types, and with the Extension-filter it works only when files are not inside an archive.
There is also the need to block these files in, e.g., "ZIP" archives.
18 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Using Sophos True File Type detection, Sophos UTM 9.3 can now inspect inside ZIP files and determine what file types exist inside the ZIP. If these files are blocked by policy, the whole ZIP will be blocked.
For more information about UTM 9.3, see the following blog post: http://blogs.sophos.com/2014/11/10/sophos-utm-advantage-9-3-is-coming-soon-find-out-whats-new-2/
-
Web Security: Show Block Page for HTTPS Sites
Hello,
Actually, if an HTTPS web site is blocked due to proxy settings (i.e. you want to block https://www.facebook.com), the user is not shown the classic "Blocked content page" by Astaro, but sees a generic browser error. It seems that this happens because of a security modification applied by all browser producers (IE, Firefox, Opera, etc.). Astaro should conform to these new changes, otherwise all users could think that the website they want to see is not reachable because of technical issues (generated by their network admin or by remote web site admins). I think this request is…
29 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have implemented this in Sophos UTM v9.2.
-
Web Protection: Google App domain controls via HTTP header insertion
Google supports a way for organizations to limit which Google Apps domains users are allowed to visit. This is done by adding an HTTP header to outbound requests containing a list of allowed domains.
http://support.google.com/a/bin/answer.py?hl=en&answer=1668854#providers
10 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This feature is in version 9.2 of Sophos UTM
-
Change the format of HTTP Proxy warnings if website is not available
Very often, when a user tries to access a web site that is not available, he contacts me in order to report that Astaro blocked the site. This is because common users DO NOT READ the reason for the block (i.e. "No Route to Host" or "Request timed out").
It would be useful to differentiate the format of warning page.
- The actual format for content blocked (not allowed sites)
- A new format for error connection to the web sites
11 votes
This feature was introduced in ASG V8.
-
Firewall / Proxy Time metering limit
Time consumption measurement period for definitions, e.g. 3 hours between 10.00 and 18.00 o'clock as child protection.
3 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have just released a web time quota feature in Sophos UTM 9.3 which I think matches what you’re looking for.
If I have misunderstood the request, please resubmit a new feature request, clarifying what you are looking for and some examples as to why it is valuable.
-
Web Protection: Content filtering of HTTPS URLs by SNI
Enable the option to content filter HTTPS URLs without the full man-in-the-middle interception by doing lookups and categorization on the domains that are reported as part of the certificate exchange. While not as secure as full HTTPS interception, it would solve our problems and remove the need to do the full HTTPS roll-out procedures.
31 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This feature has been released as part of UTM 9.2.
-
Web Protection: Device-based Authentication Profiles (BYOD)
Ability to discover phones and tablets trying to get on the network.
If a user is trying to get on the network, the admins would like to automate the process and reduce the interaction required by users or admins. If an employee brings their smart phone to the hospital, they get some sort of log in screen automatically, they check the box, agreeing to terms and the rest of the authentication process would be automated. Like logging on to a hotel network on a laptop.
2 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
With Sophos UTM 9.2 we introduced the ability to specify authentication methods by device type.
-
Web Protection: Coaching Mode for Warning / Educating User
Today with UTM we can only allow or block a web site based on the category.
Now customers want what is called a coaching mode, where the user gets a warning that he is about to access a web site that is not relevant for his job and not compliant with the security policy.
The goal of that approach is also to educate the customer regarding his web browsing habits and advise him that it knows what he does.
Most of our competitors in web security do that,
and Sophos also provides this behaviour/mode with its Sophos Web Appliance,
so I…
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
The option to ‘Warn’ a user before proceeding to a site was added in version 9.2 of Sophos UTM.
-
Web Security: HTTPS / SSL Scanning Only for SafeSearch
In order for SafeSearch to work all of the time with Google, Yahoo, and Bing, we need to cover HTTPS / SSL Scanning as well. However, implementing HTTPS / SSL Scanning system wide impacts every other HTTPS / SSL service transiting through the Astaro Security Gateway. Developing rules to work around those impacts, if even possible, is coming to be a full time job.
The feature request is for the Astaro Security Gateway to implement HTTPS / SSL scanning ONLY for the SafeSearch sites. This could be accomplished through a simple check-box either on the Web Security >> Global tab…
11 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
In Sophos UTM 9.3 we have built the ability to selectively include sites in HTTPS filtering, rather than having to include all sites and then create exclusions.
This feature will allow you, for example, to select sites by category (e.g. only HTTPS scan ‘Search Engines’) or by website tag (e.g. add a list of sites to scan to the Website List and apply the same tag to them all)
For more information on this feature and the others introduced in Sophos UTM 9.3, see the following blog post: http://blogs.sophos.com/2014/11/10/sophos-utm-advantage-9-3-is-coming-soon-find-out-whats-new-2/
-
Web Security: Support YouTube Educational Features
YouTube has a "for schools" (http://www.youtube.com/schools) option that requires either a custom HTTP header to be sent with requests, or a URL rewrite (much like the safe-search options already available).
I would like to see an option to create a custom HTTP header or URL rewrite for sites other than the 3 safe-search ones that exist. I suggest adding the ability to append a string to URLs that match a regex at the proxy or filter action level (e.g. for sites that match ^https?://(www.)?youtube.com/.*, add "X-YouTube-Edu-Filter:<string>" to the HTTP header, or "?edufilter=<string>" to the end of…
23 votes
This feature has been completed and released as part of UTM 9. See http://www.astaro.com/blog/up2date/UTM9 for launch information.
-
Network Security: Split Country Blocking to Inbound/Outbound
I need to block countries inbound but need to allow for all users to outbound to anywhere. Please change the single check box per country to a double check box, one for outbound blocking and one for inbound blocking. This way I can block certain countries from trying to contact (hack) us but allow all internal users to go anywhere externally. I like the idea of country blocking for security but it is unusable for us as internal users cannot be restricted outbound.
7 votes
This feature has been released as part of UTM 9.1. Enjoy!
-
Web Security: Optimize SSL handling for AES-NI Supported Algorithms
With the inclusion of AES-NI support in Version 9, it should be considered how to best utilize this acceleration to realize the massive gains possible. Currently, the client and server "talk" and decide which streams to establish and which encryption should be used.
The negotiation should be tweaked/modified to prefer AES-NI supported algorithms. This will make sure that we can re-order or optimize this so that we promote the algorithm modes that we can accelerate.
1 vote
Due to updates by various projects (like LIB-OPENSSL) this is already possible and will be present in UTM9.
-
Web Security: One-Click Content Filter Override
My organization does not have public workstations, so it's not necessary to enter credentials each time a website is unblocked. The users are already authenticated through Active Directory, which provides an accurate log of who is unblocking a certain site. I am requesting an option in the HTTPS/Profiles section to allow one-click unblocking.
6 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
In version 9.2 of Sophos UTM we introduced a ‘Warn’ feature. Where users are allowed to ‘override’ a policy block, we suggest using the ‘Warn’ action rather than ‘Block’.
-
Web Protection: Work with HTML5 websites
Allow HTML5 websites.
2 votes
I’ll mark this as completed since we easily allow such sites already as mentioned by Scott.
-
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Sophos UTM 9.2 now includes almost all Web Protection features previously available in the Sophos Web Appliance.
-
sso: sync group membership (active directory) without proxy restart
I need this feature.
2 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have made a number of changes to AD integration and SSO that should resolve most of the problems around this area. Please re-create a new Feature Request with specific details if there are still areas that you feel could be improved.
-
WebSecurity: Local Override of Site Classification
It would be nice to have my "own" categorization of a web site.
This is useful for when I disagree with the URL filter and want to have it the way I see it instead.
Also, it is particularly useful for the occasional un-categorized site! It's often easier to simply categorize it myself vs. waiting for it to be accommodated by the engine.
5 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This feature has now been implemented in Sophos UTM 9.2. Take a look at the ‘Websites’ tab under Web Protection > Filtering Options
-
Add support for Server Name Indication to the HTTPS Proxy
Server Name Indication (SNI) can be used to host multiple SSL sites on a single IP/Port. See http://en.wikipedia.org/wiki/ServerNameIndication for details.
All the recent browsers support this feature, it would be great if the HTTPS Proxy would, too.
8 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This feature is now provided in Sophos UTM v9.2. Under Web Protection > Web Filtering > Global, select ‘URL Filtering only’ under HTTPS (SSL) Traffic to enable this without also enabling HTTP decryption. Selecting ‘Decrypt and scan’ will also use SNI data to block sites.
-
Web Security: URL Category Check in WebAdmin
Include the button with this link in the URL Categorization tab, to quickly reach the link to offer a possible categorization for uncategorized websites. It's also a very fast way to figure out how a specific website is categorized.
20 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This can now be done via the Policy Test feature that was added in Sophos UTM 9.2.
For more information about this release, see this blog post: http://blogs.sophos.com/2014/05/13/utm-up2date-9-2-released/