SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

• Secure & Up-to-Date Password Storage for Internal Users

  Hi there,

  Currently, passwords of internal users are stored as MD4 hashes. According to Wikipedia, this hash function was already severely broken 10 years ago: "As of 2007, an attack can generate collisions in less than 2 MD4 hash operations" [1]. IMHO, this is a severe security issue, especially for a security device such as a firewall.

  While it's technically true that access to password hashes requires administrative access, those hashes should still be protected, even in case of compromise. This also facilitates insider attacks, and so on...

  Therefore, I strongly suggest that password storage follows well-established security principles: Use…

  14 votes  ·  0 comments  ·  Authentication
• Login time the same in STAS and UTM

  I would like to suggest that the login time on Client Authentication be in GMT.
  I have an SG implemented with STAS, and when I check, the time is different between the two solutions.
  E.g.: I am at GMT-3; in STAS the user aaaaa logged in Oct 18 12:20 2017, but when I look at this information on the SG, I see Oct 18 15:20 2017, three hours more.

  2 votes  ·  1 comment  ·  Authentication
• Allow Maximum Session Time per User/Group

  The current 'Maximum Session Timeout' can only be applied globally; it should be possible to configure/apply it for different authentication methods, or as part of a Group Configuration. This is to allow RADIUS users a different session to a Local User.

  11 votes  ·  2 comments  ·  Authentication
• Zone Based Captive Portal

  Kindly provide a Zone Based Captive Portal in the next possible firmware upgrade,
  so that the firewall will automatically push the IP address of only that specific zone's interface to the user's browser.
  Currently the default behavior of the firewall is that it pushes down only one specific IP address of one specific zone for the captive portal requests of all zones, which does not fulfill the requirement of creating separate zones.

  2 votes  ·  0 comments  ·  Authentication
• HTML5 VPN Portal - Smartcards

  It would be good if we could pass through local resources such as smartcards, as we enforce smartcard login requirements. This is currently preventing us from using the Sophos VPN HTML5 solution.

  1 vote  ·  0 comments  ·  Authentication
• SFM - /log/applog.log data should not have the password credentials

  For the SFM, in the advanced shell, if you run: cat /log/applog.log | grep applog
  the results will show the credentials used to connect to the firewalls. Please do not log the credentials in clear text.

  1 vote  ·  0 comments  ·  Authentication
• Synchronize Authentication on UTM coming from Cisco WLC

  The customer is asking if it is possible to receive accounting information from a Cisco WLC to attach a username to an IP address in the web filtering logs.

  The way it is set up is that a user connects to the Cisco WLC, which is authenticated via a RADIUS server.

  The WLC uses a Windows DHCP server to allocate IP addresses and also gives the client the Sophos UTM as its gateway via web filtering.

  1 vote  ·  0 comments  ·  Authentication
• Add subnets for login restriction of user groups

  Dear correspondent,
  we are using Cyberoam CR300iNG firmware build 050. The firmware version is 10.6.5.

  I have an issue where I want to restrict login for specific IP subnets.
  For example, we have several VLANs and subnets, and I want to enable login of users on specific subnets like WiFi, library, lab computers etc., but I want to restrict them from logging in on office computers.
  In the Identity section of Cyberoam there is a Groups tab, and under the Groups tab there is a Login restriction option.
  Currently there are only the options Any node, Selected nodes, Node range.
  It seems as if I can use only…

  1 vote  ·  0 comments  ·  Authentication
• Add RADIUS Accounting Export to External RADIUS Server

  There is already an option in the UI to enable accounting when configuring a RADIUS server, but I was informed by support that that feature is not supported. Auth works fine on 1812, but accounting on 1813 is never sent. We need to be able to send accounting to the external RADIUS server. For reference, the ticket is RE: [#7150365] Web support query. Thanks!

  3 votes  ·  0 comments  ·  Authentication
• Network authentication

  In Sophos, when we authenticate on the network it connects through our default gateway and also shows an SSL certificate issue; could we access it through the FQDN?

  1 vote  ·  0 comments  ·  Authentication
• Add MAC Authentication for Open SSID

  I think it would be a good idea to add MAC Authentication as an option for open SSIDs. This allows a device that is unable to configure a supplicant to authenticate via RADIUS using the device's MAC address as the username and password. With Meraki, Aruba, Aerohive and others this typically shows up as MAC Authentication, MAC-based access control, etc.

  2 votes  ·  0 comments  ·  Authentication
• RADIUS Change of Authorization (CoA)

  Please add support for RADIUS Change of Authorization (CoA).

  The use case is we are attempting to perform a RADIUS Change of Authorization (CoA) for wireless clients connected to an AP managed by the XG. With Cisco, Meraki, Aruba, Aerohive and others this typically shows up as "rfc-3576" support in the UI.

  It would allow the XG wireless controller to accept a RADIUS CoA packet (typically sent on UDP port 3799) from a RADIUS server to disconnect a client so it can receive a new RADIUS attribute from the RADIUS server.

  2 votes  ·  0 comments  ·  Authentication
• New features

  Possibility to assign a user to more than one local or external group

  1 vote  ·  0 comments  ·  Authentication
• As of now it is not possible to change this OpenSSL certificate SHA-1 version either from the GUI or from the backend, as these settings are hard coded

  As of now it is not possible to change this OpenSSL certificate SHA-1 version either from the GUI or from the backend, as these settings are hard coded in the UTM architecture.

  I request you to kindly share this requirement on our portal http://ideas.sophos.com as a feature request so that our development team can take care of this in a future release of the UTM firmware.

  2 votes  ·  0 comments  ·  Authentication
• PPPoE Server

  You just must add a PPPoE server; it's an important option.

  1 vote  ·  0 comments  ·  Authentication
• PCI Compliance: UTM Requires SMBv1

  The UTM requires SMBv1, which is not PCI compliant. We are required to pass PCI compliance scans yearly and need to have the UTM updated to use a more secure, PCI compliant protocol.

  2 votes  ·  0 comments  ·  Authentication
• Joining Sophos XG Firewall to the domain is mandatory in a domain environment network; please add this feature (I mean not integrated)

  Joining Sophos XG Firewall to the domain is mandatory in a domain environment network; please add this feature (I mean not integrated). The XG firewall should be a member object of the domain, as a workstation/server.

  1 vote  ·  0 comments  ·  Authentication
• Authentication data cache of AD SSO

  Please add an option so that the UTM can cache user authentication data of AD SSO.

  3 votes  ·  0 comments  ·  Authentication
• Allow users to reset Active Directory passwords from the UTM User Portal

  Raised on behalf of a Sophos customer, see support case 6426894.

  The customer would like the UTM's User Portal feature to function in a similar manner to the portal available on the Microsoft TMG product.
  When using a TMG, if a user's Active Directory account has been flagged to 'Reset password at next logon' when they try to log into the portal, the TMG portal notifies the user that they need to change their password and completes the password change with them.

  Using a UTM in the same scenario results in an authentication failure (expected behaviour), but the customer would like…

  5 votes  ·  0 comments  ·  Authentication
• Change the Active Directory login behavior with multiple DCs

  With the current code handling the Active Directory authentication of users, if you add multiple domain controllers as authentication sources, any error with the user's authentication will cause the authentication to be attempted on the next DC.

  Unfortunately, this is also the case with failed passwords. The LDAP protocol has a built-in error message to tell the client that the failure was due to a bad password and not a server or communication issue (LDAPMessage bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece)).

  This causes issues when users make mistakes on their passwords; it causes the AD…

  25 votes  ·  0 comments  ·  Authentication