SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Network Security: Vulnerability Scanner

    Implement a means whereby from the ASG you can scan networks for vulnerabilities.

    201 votes
    11 comments  ·  Network Protection
    • Network Security: Firewall Rule "Hit" Counters

      Display the number of packets that match each rule in the table. So you can locate unnecessary packetfilter rules. Should be able to reset the hit counter(s) as needed, along with a tooltip to show the last time(s) of the previous few hits.

      176 votes
      21 comments  ·  Network Protection
      • Network Security: Automatic uPNP Support

        Adding NAT rules automatically through UPnP service would be also great for home users and probably some other small companies.

        147 votes
        37 comments  ·  Network Protection
        • Network Security: Create firewall rule(s) directly from Live Log

          In order to make fine tuning of our product packet filter configuration easier, we should add a way to create packet filter rules with a small wizard so that if I see any packet that I want to explicitly drop or allow I can start a mini-wizard that helps to create a matching packet filter rule by either selecting existing definition objects or offering an easy way to create new definition objects, which later then get used in the pf rule.

          112 votes
          2 comments  ·  Network Protection
          • Network Security: Drag'n'Drop sort of packet filter rules

            Improve the GUI to support a drag'n'drop sort of the packetfilter ruleset or also potentially other sortable list elements.

            63 votes
            0 comments  ·  Network Protection
            • Block IP's using Blacklist/Blocklist Service

              Support the use of blacklists/blocklists. Note that this feature was requested at the link below and apparently Sophos thought that ATP would satisfy the need; however, it does not provide the requested functionality. Therefore I am re-posting this as a new suggestion.

              The old suggestion was marked as implemented by the ATP feature; however ATP is not what was wanted and generates too many false alerts. This is the prior feature request: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1982075-network-security-block-malicious-botnet-bad-ip-s

              Plain and simple: We want support for blocklists. Such as those found here: https://www.iblocklist.com. I would also like to specify a blocklist per network. So for example…

              55 votes
              8 comments  ·  Network Protection
              • IPS: Creation of Custom Rules (Snort)

                The possibility to add own snort rules would be great!
                Customers can add their special rules for their special needs,
                so we could be more flexible and more secure.

                The AxG can check the own rules via a new snort instance, if everything is fine -> add it to the ruleset.

                50 votes
                Under Review  ·  7 comments  ·  Network Protection
                • Networking: Block/Blacklist IP Globally

                  A method is needed to quickly add an IP address or range to a "Deny Access" list.

                  Currently you have to create a new network definition for each bad host and then drag and drop it on a group that is used to deny access. The number of entries in the network definition page can therefore get very large.

                  There are several possible ways of implementing this:

                  1. Have a "Deny Access" tab under Network Security that contains a group definition for denied hosts or IP ranges to which you can quickly add entries.

                  2. Add a new type of…

                  35 votes
                  Under Review  ·  7 comments  ·  Network Protection
                  • Network Protection: Use Suricata for IPS

                    I think it could be worth a look at, unless Snort comes up with a multithreaded version.
                    http://www.openinfosecfoundation.org/
                    http://suricata-ids.org/

                    33 votes
                    6 comments  ·  Network Protection
                    • Network Security: Logical "NOT" Support for Packet Filter, DNAT, etc...

                      It would easily save a lot of work if we had the possibility to make a mass-rule with "NOT" operators, like accepting all traffic for all directions EXCEPT for some host or network etc.

                      Like ACCEPT ANY ANY !Host"A"

                      31 votes
                      7 comments  ·  Network Protection
                      • 28 votes
                        7 comments  ·  Network Protection
                        • Expire date for firewall rules

                          Firewall rules should have an optional expiry date. This is useful, if a firewall rule has only been approved for a certain period of time.

                          With this feature the firewall admin no longer needs to schedule in a separate calendar the removal of a temporary rule and then perform a manual task.

                          This results in a cleaner ruleset and less effort for the firewall admin.

                          28 votes
                          3 comments  ·  Network Protection
                          • Networking: RPC Connection Tracking Helper

                            A port object that automatically unlocks the associated high ports for the RPC mapper, so you must not unlock all high ports for the RPC services.

                            27 votes
                            4 comments  ·  Network Protection
                            • Network Protection: Create firewall rules to automatically "blacklist" an "attacker."

                              I'd like to turn on 'reactive rules' to start dropping all traffic from source IPs that trip a threshold of IPS or PF rules.

                              Say someone is scanning your website for IIS vulnerabilities and trips 20 IPS rules in 1 minute (administrator defined parameters), then the UTM would create a rule at the top to block all traffic to and from the attacking source IP.

                              Bonus points for letting the rule dissolve after N hours as well as being able to turn this rule on for specific interfaces or subnets. You could link it to the geo-location system so that…

                              24 votes
                              7 comments  ·  Network Protection
                              • Network Protection: Fallback to previous IPS pattern version

                                Engine fallback to previous file in case of a determined engine error or bad update.

                                23 votes
                                3 comments  ·  Network Protection
                                • Network Protection: Bi-directional firewall rules

                                  Create bidirectional firewall rules. For example 2 Servers need to contact each other on the same ports. Now you have to create 2 Firewall rules.

                                  21 votes
                                  3 comments  ·  Network Protection
                                  • Networking: Masquerading (NAT) Balancing Across All Public IP's

                                    Use all available public addresses on the WAN interface, even though the HTTP proxy is turned on. The reason for this feature is to keep users working, even if the primary WAN IP address is offline.

                                    21 votes
                                    5 comments  ·  Network Protection
                                    • Definitions: Create objects based on "AS whois" record

                                      It would be nice to have the ability to define network definitions by whois AS number.
                                      E.g., you could make a definition for all the Telenet public subnets by adding a Definition Telenet-subnet with a parameter AS 6848.
                                      The AS number database is rebuilt on a daily basis, and could be synced just like the spam, antivirus and content filter databases are synced or updated.

                                      20 votes
                                      4 comments  ·  Network Protection
                                      • Expose "Corporate Policy Violation" IPS rules via the Attack Pattern groups

                                        Currently, there are many IPS rules in 9.x that do not seem to be exposed via the Attack Patterns page.

                                        Many of them have the following in their descriptions:
                                        "Classification.: Potential Corporate Privacy Violation"

                                        These include rules which block SKYPE, BitTorrent, etc.

                                        ISTM that it doesn't make sense to have these hidden away, or even have them at all since we already have the Application Detection system.

                                        links:
                                        http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/43598-pua-p2p-bittorrent-utp-peer-request-2.html#post215116

                                        http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/47541-ips-bittorrent-rules-id-disable.html

                                        https://www.google.com/search?q=corporate+policy+violation+site%3Aastaro.org+ips+OR+snort

                                        Please put these (and other hidden rules) into groups on the Attack Patterns page, and/or remove ones which are redundant with the application traffic classifier.

                                        19 votes
                                        2 comments  ·  Network Protection
                                        • Firewall Order of Operations

                                          Based on testing and additional information found in other request, it appears that the proxies/security services have a higher order of operation over the firewall. As such, even with firewall rules in place, the security services override those settings. With email protection, this essentially opens up SMTP on the Sophos UTM to anyone on ALL interfaces. This, thus, increases the surface attack area of the device to an unacceptable level.

                                          Changing the order of operation would allow the administrator of the device to dictate, via firewall rules, what can and can not access the Sophos UTM…

                                          18 votes
                                          4 comments  ·  Network Protection