SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

• VoIP helper & TLS

  Deutsche Telekom provides TLS support with their "SIP-Trunk". This can't be used with the SG's VoIP helper and telephony systems connected to the LAN.
  Please enable SSL/TLS interception for the VoIP helper.

  4 votes  ·  0 comments  ·  Network Protection
• Allow user-defined rules to be applied before built-in rules

  There is a strong need to be able to prevent access to several protocols that have proxies implemented in ASL (e.g. SMTP).

  Currently, the fact that built-in rules are always applied before user-defined ones has the following consequences:
  - It is impossible to prevent access to one of these proxied services alone. The only option is to use blackhole routing (which prevents all traffic from and to the targeted networks).
  - It is very much unclear to the user why a given rule isn't applied. Instinctively, an explicit "deny" rule should always apply before any and all "allow" rules. This rather…

  1 vote  ·  0 comments  ·  Network Protection
• Notify me when unauthorised devices appear in the default VLAN - when DHCP is used

  Unconfigured switch ports have the default VLAN, which is not in use - but the UTM has DHCP to hand out IP addresses. When this happens, this must be unauthorized - so I would like to get a notification.

  1 vote  ·  0 comments  ·  Network Protection
• Country Blocking By Top Level Domain Not IP

  Right now country blocking only blocks by IP address, so if I block .ga (Gabon), but the website is registered with a U.S. IP address, the website is allowed for end users.

  Solution: add an option to block countries by top level domain (ex. .ga for country Gabon) without having to create a rule to create a black list and try to use an expression to block based on every domain. Reference ticket #8225803 - Kerry Albert
  Channel Sales Engineer
  Kerry.albert @ sophos.com

  1 vote  ·  0 comments  ·  Network Protection
• Implement DNS Blacklist in the DNS Server, not the IPS subsystem.

  IPS blocks queries to resolve untrusted host names. This tells the client that the DNS server has failed, not that the query should not be resolved. Consequently, the client immediately re-attempts the query using a different path. The consequences of having no response from all DNS servers will be implementation specific and therefore unpredictable.

  Instead, we need UTM to return a non-existent domain result (NXDOMAIN), so the client stops trying to resolve the name at all. This is how Quad9 is described to work. To produce this result, the blacklist has to be moved out of IPS and into the…

  1 vote  ·  0 comments  ·  Network Protection
• Introduce Behavior and Reputation Based IPS Signatures

  There are Snort-based IDS rule sets that provide behavior and reputation based rules which do not currently appear to be available in the UTM. Current IPS rules are insufficient to detect connections from known malicious hosts. Further, we have experienced fairly large brute force attacks against open RDP ports (business requirement), that went undetected by the UTM IPS.

  Example Rules:
  Emerging Threats - ET CINS Active Threat Intelligence Poor Reputation series signatures
  Emerging Threats - ET SCAN Behavioral Unusually fast Terminal Server Traffic

  1 vote  ·  0 comments  ·  Network Protection
• IPS Log Files need the IPS Rule ID

  To create an IPS exception, the system administrator must know the rule number. But there is no way to determine a rule number, so the exception capability is useless. The GUI does not provide a rule review tool. The log files contain: reason (text), group (number), class (text), and sid (number), but not a rule number. My attempts to correlate UTM field values with the Snort product documentation have also been unsuccessful. The Snort documentation refers to SIDs, but they are fewer digits than the UTM SIDs, with no discernible matching technique. Level 1 Support was also unable to add…

  5 votes  ·  1 comment  ·  Network Protection
• DNS visibility controls based on connection

  Different remote access configurations have differing needs for access to internal resources. Users with limited access rights should only be provided enough DNS information to complete the connections that they need. Resolving any other address can produce several different problems: (1) For WAF and any other externally-published resources: A remote access user, with limited access to internal systems, may still be required to access other resources through externally-published addresses, such as a WAF site. If his remote access connection only returns internal information, he will be misdirected and unable to access the resource that he is supposed to use. (2)…

  2 votes  ·  0 comments  ·  Network Protection
• Add an option to rotate the SSID password at a certain time

  There should be an option to choose the SSID password rotation. It should send an email to specified users with the new & old password information. A password can be picked from a text file, or an admin can define some number of passwords.

  2 votes  ·  0 comments  ·  Network Protection
• Packet filter: allow wildcard subdomains

  Firewall packet filtering based on wildcard subdomains and reverse DNS resolution.

  Would like to allow/deny connections, using the packet filter, based on a wildcard subdomain (think *.example.com).

  10 votes  ·  2 comments  ·  Network Protection
• ICMP

  Restricting ICMP and traceroute response to specific IPs or IP ranges.

  Would like to see the Sophos be able to restrict ICMP or traceroute responses from the UTM to only specific IP addresses or ranges.

  This would prevent unwanted potential hackers or bot IP ping sweeps from detecting equipment on a network from the internet.

  As of now the Sophos version 9 firmware UTMs only allow global "on/off" settings for ICMP and traceroute.

  SonicWall firewalls provide the ability to restrict ICMP responses to specific IPs using a WAN-to-WAN access rule. I would like to see this option available in…

  6 votes  ·  2 comments  ·  Network Protection
• Standalone OTP

  Add OTP (2-factor authentication) as a stand-alone feature, to be used with specific NAT rules, or access rules.

  1 vote  ·  0 comments  ·  Network Protection
• Add time field in attacks

  Kindly add a field "time" to the "top attacks" report in the latest version of the Cyberoam firewall. It will be helpful, for security purposes, to know when the attack occurred. When we see the report of "events", a time field is there, but a similar facility is not available for "top attacks".

  1 vote  ·  0 comments  ·  Network Protection
• Add rules for TLS SMTP and update Email Messaging group

  Since many mail providers want TLS for SMTP I suggest adding a TLS SMTP (port 587) rule.
  The rule should also be added to the Email Messaging group which is predefined!

  5 votes  ·  0 comments  ·  Network Protection
• DNS Hosts based on SRV Addresses

  Hi,

  please add SRV records as a usable Network Entity Definition. At the moment only A and CNAME records are suitable.

  2 votes  ·  0 comments  ·  Network Protection
• Segregate 'IoT' devices from 'User' devices

  'IoT' devices typically need far fewer protocols and often contact only a handful of services. They can (and should) be given much more restricted access to the public internet.

  I would like to have 'groups' or 'types' of network devices (by MAC address), which can have different restrictions applied, as a group.

  Ideally, add the ability to constrain the number of simultaneous connections and/or IP addresses for a given IoT device.

  As a convenience, leverage the IEEE OID database to assign new devices automatically to the appropriate group, e.g. detecting a new device manufactured by Nest is automatically assigned to…

  2 votes  ·  0 comments  ·  Network Protection
• host blacklist

  I want the ability to plain and simply paste in a bunch of IPs that are routed to localhost, thereby blacklisting them. Or, even better, add a service that I can just turn on that points to a maintained list of such hosts... which can be found here: https://adaway.org/hosts.txt

  This kind of request has been repeatedly asked for for a decade. Why is there no effort put into such a simple task?

  1 vote  ·  0 comments  ·  Network Protection
• Domain Network Definition

  It would be very beneficial to be able to create a domain network definition to build firewall rules off of. For example, I might only want hosts which reverse to the domain of .att.net to be able to connect to a particular firewall rule. Or perhaps hosts with a .edu extension to be able to use a firewall rule. There are many uses for this (including SMTP).

  2 votes  ·  0 comments  ·  Network Protection
• Detect port scans using an XG and automatically block the source IP

  The XG firewall should be able to detect port scans when they occur and then have the ability to block the source IP.

  2 votes  ·  0 comments  ·  Network Protection
• L2TP over IPsec via IPv6

  L2TP over IPsec is currently only working via IPv4. Please support IPv6 as well.

  3 votes  ·  1 comment  ·  Network Protection