SG UTM
Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.
-
Name field for Firewall Rules
Being able to assign a firewall rule a name that can be tracked through the life of the rule is a great tool to help manage your firewall. If the name also shows up in the logs, especially the live log, it is incredibly useful.
You don't need to try to track a rule by a number that keeps changing as rules are added or deleted; simply track the rule name.
This feature is available in other UTM and firewall products. As someone who has used the feature for many years, it is definitely something I miss in the UTM.
37 votes · Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This feature is completed as part of XG Firewall that has been released on November 9th 2015.
-
Network Security: Block Malicious/Botnet/Bad IP's using Blacklist "Service"
It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DSHield or Project Honey Pot.
88 votes
-
Framework: Location (GeoIP) Blocking
Implement a mechanism to allow definitions based on GeoIP/location, which can be worked with and referenced. This allows for blacklisting in Mail by country, and blocking of certain types of traffic in the packet filter. E.g., it might be used to automatically drop/block all traffic from "China". Understood there are accuracy drawbacks in this, but several customers claim this wouldn't matter much.
74 votes
This feature is included as part of ASG Version 8, which will be Generally Available at the end of June.
Watch http://up2date.astaro.com for the official announcement.
-
IPS: Per-Rule IPS Exceptions
Extend the exceptions functionality to allow specific rules to be part of an exception.
This would allow much more granular IPS exceptions, by being able to specify that a rule be disabled/excepted only for a certain traffic flow, e.g. rule 2122 from Internet to Webserver, without disabling the rule globally or exempting the resource from IPS fully.
37 votes · Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This feature is completed as part of XG Firewall that has been released on November 9th 2015.
While not implemented exactly as requested here, the concept of granular IPS policies per rule solves the underlying goal of this feature.
-
Network Security: Exceptions for Country Blocking
I think country blocking should have exception rules tied to it, where profiles could be created and exceptions could be made to bypass it.
For example, if you had a virtual machine you wanted to allow all traffic to while countries were being blocked, you could create an exception rule like anything else currently.
32 votes
This feature has been released as part of UTM 9.1. Enjoy!
-
Add the old sort order of packet filter rules
In V8 we can change the sort order of packet filter rules. Most customers ask me for the possibility to see the rules in the old view.
10 votes
Hi, this is actually a bug and we will fix it in an upcoming Up2Date. As such I'm going to mark it as completed so the points are refunded, since bugs don't need feature request votes to get fixed. Thanks for the feedback everyone!
-
Network Security: Services Support for Country Blocking
The country blocking is a very good idea.
We get a lot of intrusions from China to our terminal server. The best extension would be if we could limit it to services like RDP and VNC.
75 votes · Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This feature is available with the XG Firewall launched in November 2015.
-
Networking: Sticky Sessions for Server Load Balancing
Currently ASG V7/V8 distributes traffic to the real servers depending on the source address. For instance, if there is only one sending system, the traffic is forwarded to one real server only, although many real servers are enabled. Only a bit more than manual failover is possible with this solution. This setup might appear sometimes, especially when the source address is translated using NAT by the remote provider. I suggest distributing traffic by connection (e.g. host and source port).
7 votes
This feature was introduced in UTM 9. You can set the stickiness/persistence as follows:
Click the Edit button of a load balancing rule.
Click the Scheduler (wrench) button on the header of the Real servers box.
Choose the persistence time; persistence has a default timeout of one hour. You can also disable interface persistence for this balancing rule.
-
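To make the difference discussed in this entry concrete, here is an added example (not SG UTM / ASG code, and not from either poster) that contrasts the two scheduling behaviours: choosing the real server from a hash of the source address, which pins every connection behind one NAT address to a single server, versus per-connection round-robin with an optional source persistence timeout, which is what the UTM 9 setting above controls (timeout, or disabled). It also skips real servers marked offline, as the server load balancing entry further down this page asks for. Server names, client addresses, and the injectable clock are assumptions made for illustration.

```python
"""Added example (not SG UTM / ASG code): two ways a load balancer can
choose a real server. Backend names, client addresses and the clock are
constructed for illustration."""
import hashlib
import itertools
import time
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    online: bool = True


class SourceHashBalancer:
    """Behaviour the request complains about: the real server is chosen from
    a hash of the source address only, so every connection from one
    (NATed) client address lands on the same server."""

    def __init__(self, servers):
        self.servers = servers

    def pick(self, src_ip, src_port):
        alive = [s for s in self.servers if s.online]
        if not alive:
            raise RuntimeError("no online real server")
        digest = hashlib.sha256(src_ip.encode()).digest()
        return alive[int.from_bytes(digest[:8], "big") % len(alive)].name


class StickyRoundRobin:
    """Per-connection round-robin with optional source persistence: a source
    address stays on the server it last used for `persistence` seconds
    (UTM 9 defaults to one hour; 0 disables persistence, giving pure
    per-connection distribution). Offline servers are skipped."""

    def __init__(self, servers, persistence=3600, clock=time.monotonic):
        self.servers = servers
        self.persistence = persistence
        self.clock = clock
        self._order = itertools.cycle(range(len(servers)))
        self._sticky = {}  # src_ip -> (server name, last seen)

    def pick(self, src_ip, src_port):
        now = self.clock()
        if self.persistence > 0 and src_ip in self._sticky:
            name, last = self._sticky[src_ip]
            server = next((s for s in self.servers if s.name == name), None)
            if server is not None and server.online and now - last <= self.persistence:
                self._sticky[src_ip] = (name, now)
                return name
        # New client, expired entry, or its server went offline: take the
        # next online server in round-robin order.
        for _ in range(len(self.servers)):
            server = self.servers[next(self._order)]
            if server.online:
                self._sticky[src_ip] = (server.name, now)
                return server.name
        raise RuntimeError("no online real server")


def demo():
    """Ten connections from one NATed address: source hashing pins them all
    to one server, round-robin without persistence spreads them over all three."""
    servers = [RealServer("web1"), RealServer("web2"), RealServer("web3")]
    hashed = {SourceHashBalancer(servers).pick("203.0.113.10", 40000 + p) for p in range(10)}
    rr = StickyRoundRobin(servers, persistence=0)
    spread = {rr.pick("203.0.113.10", 40000 + p) for p in range(10)}
    return len(hashed), len(spread)


if __name__ == "__main__":
    print(demo())  # (1, 3)
```

The persistence table is keyed on the source address alone, so with persistence enabled a remote provider's NAT address still lands on one server for the duration of the timeout; disabling persistence (0) is the per-connection behaviour the request asks for, at the cost of losing session affinity.
-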
Add multiselect to Packet Filter and NAT for bulk on/off or deletion
I have around 100 Packet Filter rules, and the refresh after turning a rule on or off (two refreshes if a search has been done) slows me down. I'd like a multiselect where I could turn on/off or delete a bunch of rules at the same time.
1 vote
Great news for you: this is possible in the 8.100 release, which adds precisely what you have requested here. :) Enjoy!
-
IPS alert filter
As we all know, there are some less-than-friendly neighbors on the internet. When one of them persistently generates IPS alerts, a prudent admin will take appropriate action (perhaps adding a packet filter rule to block all traffic from that source), but since the IPS sees traffic before the packet filter, the IPS notifications will continue to arrive. This constant flood of notifications makes the task of identifying new or more critical alerts more difficult.
Currently the only way to stop these alerts is to disable notifications from that rule, but that is too broad since there may be new offenders…
4 votes
You will find a “limit notifications” option in the Notifications section, which combines multiple alerts into a single entry seen “x” times. This should solve the problem for you.
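As an added example (not SG UTM code and not from either poster), the following shows what a "limit notifications" digest does with a flood like the one described: alerts are collapsed into one entry per rule ID and source per time window with a "seen x times" count, and rule IDs the admin has not seen before are flagged so a persistent offender cannot bury a new alert. The alert records, the window size and the flagging rule are assumptions made for illustration.

```python
"""Added example (not SG UTM code): collapse a flood of identical IPS alerts
into one notification entry per rule and source, the way a "limit
notifications" digest would, and flag rule IDs not seen before. The alert
records are constructed for illustration."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsAlert:
    ts: int       # epoch seconds
    sid: int      # Snort rule ID
    msg: str
    src: str
    dst: str


def aggregate(alerts, window=3600):
    """One entry per (window, sid, src). Entries keep insertion order, so the
    first-seen offender stays first and the count shows how noisy it was."""
    buckets = OrderedDict()
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.ts - a.ts % window, a.sid, a.src)
        entry = buckets.get(key)
        if entry is None:
            buckets[key] = {"sid": a.sid, "msg": a.msg, "src": a.src,
                            "count": 1, "first": a.ts, "last": a.ts}
        else:
            entry["count"] += 1
            entry["last"] = a.ts
    return list(buckets.values())


def digest_lines(entries, known_sids=frozenset()):
    """Render entries as 'seen x times' lines. Rule IDs not in known_sids are
    marked NEW and sorted first so a persistent offender does not bury them."""
    lines = []
    for e in sorted(entries, key=lambda e: (e["sid"] in known_sids, -e["count"])):
        tag = "" if e["sid"] in known_sids else "NEW "
        lines.append(f'{tag}sid {e["sid"]} "{e["msg"]}" from {e["src"]}: '
                     f'seen {e["count"]} times')
    return lines


# Constructed sample: a persistent offender triggering one rule every ten
# seconds for twenty minutes, plus a single hit on a different rule.
SAMPLE_ALERTS = [
    IpsAlert(1265700000 + 10 * i, 15259,
             "DOS DNS root query traffic amplification attempt",
             "198.51.100.23", "192.0.2.53")
    for i in range(120)
] + [IpsAlert(1265700605, 2122, "constructed web server signature",
              "203.0.113.9", "192.0.2.80")]


if __name__ == "__main__":
    for line in digest_lines(aggregate(SAMPLE_ALERTS), known_sids={15259}):
        print(line)
```

With the hourly window, 121 alerts become two lines; shrinking the window to ten minutes splits the offender across two windows and yields three entries, which is the trade-off between fewer mails and finer timing information.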
-
User-Based Packet Filtering
It would be nice to have a way to authenticate users (defined locally or in a backend) against the Astaro, and use the user+IP information to build specific packet filter rules. As an authentication method the User Portal could be an option. The best would be to have an SSO client to install locally on the user's PC. Some other vendors already offer similar features.
9 votes
This feature has been implemented in ASG 8.200.
Check out what else we improved in this release here: http://www.astaro.com/blog/up2date/ASG8200
-
7 votes
This was fixed with Up2Date 7.504
-
Authentication: Lockout/Ban IP for Failed Login
While this is already possible for the WebAdmin login, it should be extended at least to:
- Logins for SMTP authentication
- Logins for SSL VPN authentication
- Logins for SSH authentication
Consider my case: yesterday I received thousands of failed login attempts in 2 hours from a user who tried to access the SMTP proxy in order to send spam. Every time the user tried to log in, my ASG made a query to the Domain Controller (so both the ASG and the DC were under brute-force attack).
I think the current absence of IP banning is an unacceptable lack of security.
23 votes
This feature has been released as part of UTM 9.1. It is available under Authentication Servers > Advanced. Enjoy!
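The point of the lockout in this entry is not only to stop the attacker but to stop the gateway from forwarding every attempt to the Domain Controller. The following added example (not SG UTM code and not from either poster) replays a constructed SMTP AUTH log through a per-source lockout: after a threshold of failures within a sliding window the source is banned for a fixed time, attempts from a banned source are dropped before the backend lookup, and the ban expires on its own. The log format, the thresholds and the addresses are assumptions made for illustration.

```python
"""Added example (not SG UTM code): lock out a source address after repeated
failed proxy logins so the backend directory is no longer queried for it.
The log format, thresholds and addresses are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines in a made-up format: an SMTP AUTH brute force from
# one address, a legitimate user, and the attacker returning after the ban.
SAMPLE_LOG = """\
2010-03-02T14:00:01 smtpd: auth failed user=sales src=203.0.113.77
2010-03-02T14:00:06 smtpd: auth failed user=info src=203.0.113.77
2010-03-02T14:00:11 smtpd: auth failed user=admin src=203.0.113.77
2010-03-02T14:00:16 smtpd: auth failed user=test src=203.0.113.77
2010-03-02T14:00:21 smtpd: auth failed user=postmaster src=203.0.113.77
2010-03-02T14:00:26 smtpd: auth failed user=sales src=203.0.113.77
2010-03-02T14:00:31 smtpd: auth failed user=webmaster src=203.0.113.77
2010-03-02T14:00:36 smtpd: auth failed user=support src=203.0.113.77
2010-03-02T14:00:40 smtpd: auth ok user=alice src=192.0.2.15
2010-03-02T14:20:00 smtpd: auth failed user=sales src=203.0.113.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+): auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class LoginGuard:
    """Ban a source after `max_failures` failures within `window` seconds;
    the ban lasts `ban_seconds`. A successful login clears the counter."""

    def __init__(self, max_failures=5, window=300, ban_seconds=900):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self._failures = defaultdict(deque)  # src -> recent failure times
        self.banned_until = {}                # src -> epoch second ban ends

    def is_banned(self, src, now):
        until = self.banned_until.get(src)
        if until is None:
            return False
        if now >= until:                      # ban expired: forget it
            del self.banned_until[src]
            self._failures.pop(src, None)
            return False
        return True

    def record(self, src, success, now):
        q = self._failures[src]
        if success:
            q.clear()
            return
        q.append(now)
        while q and now - q[0] > self.window:  # slide the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[src] = now + self.ban_seconds
            q.clear()


def replay(log_text, guard):
    """Feed log lines through the guard. Attempts from a banned source are
    dropped before the (simulated) directory lookup, which is the point of
    the feature: the DC stops seeing the brute force too."""
    backend_queries = dropped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = int(datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc).timestamp())
        if guard.is_banned(m["src"], ts):
            dropped += 1
            continue
        backend_queries += 1                  # where the DC would be asked
        guard.record(m["src"], m["result"] == "ok", ts)
    return {"backend_queries": backend_queries, "dropped": dropped,
            "banned": sorted(guard.banned_until)}


if __name__ == "__main__":
    print(replay(SAMPLE_LOG, LoginGuard()))  # {'backend_queries': 7, 'dropped': 3, 'banned': []}
```

On the sample, the fifth failure at 14:00:21 triggers a fifteen-minute ban, the next three attempts never reach the backend, the legitimate user from another address is unaffected, and the attacker's return at 14:20:00 is queried again because the ban has expired. Keying the ban on source address alone is the simple form requested here; a deployment behind a shared NAT address would want a per-user counter as well so one abusive client cannot lock out everybody behind it.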
-
3 votes
Hi Rocket, the DNAT/SNAT rules already have a comment, and it is displayed in [] brackets in the rule title ;) I'll close this as such.
-
Packet Filter: Temporary Rules
A packet filter definition with an expiry time (1h, 2h, 4h, 1 day, configurable end time/date), so you can give access to a service to an external party and have the rule automatically disabled when the time expires. If possible it would be nice to have the rule deleted with some 'auto-vanish' flag.
An extra marking or colour would be best to let you see it is a 'Temporary Rule'.
8 votes
This request can indeed already be addressed using a “use once” packet filter rule. The current implementation should solve much of your needs here.
-
IPS: Continuous Traffic Flow During Up2Date
Enable administrators to separately schedule installation times of updated SEUs (Snort Enhancement Updates: new/updated rules) at custom times. Download would still be automatic; only installation would be performed at the scheduled time.
Snort disrupts traffic flow while updating rules. This is not acceptable for many customers.
2 votes
This feature is included as part of ASG Version 8, which will be Generally Available at the end of June.
Watch http://up2date.astaro.com for the official announcement.
-
Add Intrusion Prevention Rule ID to Email Alert
When you get an email from the Intrusion Prevention Alert system it does not clearly show the "Rule Number", so that you can make a manual rule modification.
See example:
Intrusion Prevention Alert
An intrusion has been detected. The packet has not been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.
Details about the intrusion alert:
Message........: DOS DNS root query traffic amplification attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=15259
Time...........: 2010:02:09-09:52:23
Packet dropped.: no
Priority.......: 3
…
3 votes
We will have a look at making this clearer. The rule ID is actually included there as part of the link for “more information”, along with the rule ID being displayed on the resulting page once you click on the link (in this case it is rule number 15259). Thanks for the feedback, I’ll close it to refund your points.
-
Networking: Data Leak Prevention System (DLP)
A system that will identify, monitor, and protect data through deep content inspection. This will be a must have system to detect and prevent the unauthorized use and transmission of confidential information.
98 votes
This feature was released in UTM 9.2. We’ve added DLP features into our Email protection suite that allow for some very powerful filtering of syntax and structured data (PCI/PII etc.). Enjoy!
-
Server Load Balancing: Prevent offline servers from getting balanced to
ASG should prevent incoming requests from being sent to downed servers. Often it's desirable to temporarily remove a server from a load balancing pool, for example for planned maintenance. It would be very easy to do this with a toggle which lets you enable/disable a server in the pool. Otherwise, you have to remove that server from the pool, which isn't always possible since you have to define 2+ servers for each rule! (I will add that as another suggestion.)
6 votes
Using the new server load balancing mechanism in V8, "offline" servers will not be balanced to, so you can remove one or do maintenance anytime you like.