Being able to assign a firewall rule a name that can be tracked through the life of the rule is a great tool to help manage your firewall. If the name also shows up in the logs especially live log it is incredibly useful

You don't need to try and track a rule by a number that keeps changing as rules are added or deleted, simply track the rule name.

This feature is available in other UTM and firewall products. From someone who's used the feature for many year it is definitely something I miss in the UTM

It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DSHield or Project Honey Pot.

Extended the exceptions functionality to allow for specific rules as part of an exception.

This will allow for much more granular IPS exceptions in being able to specify a rule be disable/excepted only for a certain traffic flow, like for rule 2122 from Internet to Webserver, without disabling the rule globally or by exempting the resource from IPS fully.

I think country blocking should have exception rules tied to it, where profiles could be created and exceptions could be made to bypass it.

For example, if you had a virtual machine you wanted to allow all traffic too, and countries being blocked, you could create an exception rule like anything else currently.

In V8 we can change the sort order of packet filter rules. Most customers ask me to have the possibility to see the rules with the old view.

the country blocking is a very good idea.
we get a lot of intrusion from china to our terminalserver. the best extension would be if we could limit it to services looks like RDP, VNC

Currently ASG V7/V8 distribute traffic to the real servers depending on the source address. For instance, if there is one sending system existing only then the traffic is forwarded to one real server only although many real servers are enabled to use. A bit more than manual failover is possible by this solution. Setup might appear sometimes, especially when the source address is translated using NAT by the remote provider. I suggest to distribute traffic by connection (e.g. host and source port).

I have around 100 Packet Filter rules and the refresh after turning a rule on or off (two refreshes if a search has been done) slows me down. I'd like a multiselect where I could turn on/off or delete a bunch of rules at the same time.

Would be nice to have the way to authenticate the users (defined locally or in backend) against the Astaro, and use the user+ip information to build specific packet filter rules. As authentication method the User Portal could be an option. The best would be to have a SSO client to install locally on the user pc. Some of the other vendors already use some similar features.

http://www.snortid.com/snortid.asp?QueryId=15522 be used instead of
http://www.snort.org/search/sid/15522?r=1

While already possible for WebAdmin Login. It should be extended at least to

• Logins for SMTP authentications


• Logins for VPN SSL authentications


• Logins for SSH authentications

Consider my case: yesterday I have received thousands of failed login attempts in 2hours from a user that tried to access to SMTP proxy in order to send spam. Every time the user tried to login, my ASG made a query to the Domain Controller (so both ASG and DC was under brute force attack).

I think that the actual absence of ban ip address is a unacceptable lack of security.

A packet filter definition with an expiry time (1h, 2h, 4h, 1day, configurable end-time/date) so you can give access to a service for an external party, and have the rule automatically being disabled when the time setting expires. If possible it would be nice to have the rule deleted with some 'auto-vanish' flag.
An extra marking or color would be best to let you see it is a 'Temporary Rule'

enable administrators to separately schedule installation times of updated SEUs (Snort Enhancement Updates - new/updated rules) at custom times. Download would still be automatic only installation would be performed at scheduled time.

Snort disrupts traffic flow while updating rules. This is not acceptable for many customers.

A system that will identify, monitor, and protect data through deep content inspection. This will be a must have system to detect and prevent the unauthorized use and transmission of confidential information.

ASG should prevent incoming requests being sent to downed servers. Often it's desirable to temporarily remove a server from a load balancing pool - for example, for planned maintenance. It would be very easy to do this with a toggle which lets you enable/disable a server from the pool. Otherwise, you have to remove that server from the pool - which isn't always possible since you have to define 2+ servers for each rule! (will add that as another suggestion)

Please improve the newly in 7.500 introduced IPS reporting. The actual possible reports should be more useful and informative for real life usage as they are now. In my eyes there are especially missing reports for:

• Top rules by host (host can be source OR destination)


• Top hosts by rule (host can be source OR destination)


• Top rules by destination

furthermore the reports should contain more informations as taken action (drop, alert), severity and so on. This would further ease the IPS finetuning and troubleshooting.