Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


Network Security: Automatic uPNP Support

Adding NAT rules automatically through the UPnP service would also be great for home users and probably some other small companies.

149 votes

    pattont shared this idea
      • Paul Chambers commented

        Sorry Sophos, this feature request isn't going away. UPnP IGD Port Mapping does provide useful functionality that can be a real PITA to provide otherwise. Particularly for a non-technical user base.

        I agree, just blindly implementing UPnP IGD port mapping would weaken security significantly. I understand the reticence of Sophos to support it, never a good idea to just blindly let unauthenticated software poke holes in the firewall.

        Let me suggest an approach that I think balances the two needs, basically a variation of the suggestions already made: NAT mapping/firewall rules that are created automatically the first time a UPnP IGD port mapping request is seen, but only for network nodes on a whitelist (e.g. controlled by MAC address), with a default setting for whether the rules are initially created as enabled or disabled. Ship with an empty whitelist and the default set to initially create rules as disabled.

        If Sophos Home is installed on the PC that's making the UPnP IGD Port Mapping request, the UTM could send a 'challenge' to it that pops up a notification that asks the user to confirm that they're OK with that Windows app accepting inbound connections from the internet. Similar to the user interaction that Windows Firewall presents.

        The extra interaction enabled by Sophos Home does two things: a) notifies the user of something happening that would otherwise be invisible, and b) allows the user to enable the new rule immediately by confirming the alert.

        Heck, I can even see it being a source of subscription revenue for Sophos - database updates of 'expected' source IPs and/or source ports for inbound ports enabled by UPnP IGD port-mapping. That would reduce the attack surface considerably, something an enterprise would be willing to pay for.

      • Mateusz Bender commented

        Should definitely be implemented.

        Additionally, it should be configurable. For example, "only allow computers from these networks to create UPnP rules" or things like that.

        Yes, UPNP, by definition, lowers security. However, it's also very useful for end-users.

        Finally, UPNP might also be used to help out administrators create the right firewall rules! Enable "UPNP virtual rules" (or call it however you like) which receives UPNP requests and lists them for administrator approval - that way an admin can quickly set up additional firewall rules as requested by applications.

      • Anonymous commented

        Here we are in May 2017 and still no opt in UPnP?? I have two devices on my network - air con and intercom that simply can't be accessed externally without UPnP on the router. Ridiculous.

      • Qasim Ijaz commented

        Can't believe how long this feature request has been open. We need this feature now. Come on people, it's not an inherent security risk if it's opt in. pfSense allows enabling UPnP for a single device. Having something like that would be awesome.

      • someone who has a brain commented

        Are people commenting on this ******* stupid? Can they not read? IT WOULD BE OPT IN. If you don't want it, DON'T USE IT ****... How stupid are you? Would it be better for us to just disable the entire firewall so that our devices with UPnP would work? Honestly, some people are ******* brain dead.

      • Wraith commented

        Restrictive UPnP with IP/service based rules should be something you can optionally enable (just like pfSense does it). Naturally it's not something a business will EVER enable... but for a home user running UTM it's the only practical way to get multiple Xboxes working.

      • Anonymous commented

        I honestly see no reason why this can't or shouldn't be implemented on a per-IP or per-MAC basis!

        Yes, general UPnP support defeats the purpose of a firewall, but if I really want a specific device to be able to open ports on its own, then why not enter its IP address or MAC address into a table?

        Problem solved without compromising general firewall security.

        The smaller UTMs are aimed at the SMB market, so why not make it easier for SMBs to actually use typical SMB devices and services?

        QNAP NAS servers: myQNAPcloud requires UPnP (no workaround)
        WD Sentinel DX series: breaks the Setup Wizard (Server 2k12 Essentials)
        MS Server 2k12 Essentials: the wizard requires UPnP for smooth setup

        All this just costs SMBs more money and will make them think twice about adding other Sophos UTMs to their branch offices.

      • Brc commented

        I hope UPnP will never be implemented, as it totally defeats the purpose of a real firewall, and the UTM will be blamed too much for being vulnerable when it was merely due to UPnP, even if it was just opt-in. It is a little extra work, but the UTM works perfectly even with multiple complicated appliances at home. In most cases UPnP is not enough: exception rules for web traffic are also needed, partially defeating UPnP and leading to more complaints instead of resolving them. Just my two little cents, nothing more.

      • Carter Rowley commented

        Setting up a webcam, UPnP would be great. I like a lot of the features of UTM but sometimes miss my old pfSense system.

      • Alphavil commented

        For home use it is a must have; all devices (NAS, TV....) have UPnP. So it would be nice, but for companies I am not sure if they need that or if it is really secure.

      • Joe commented

        Until (if ever) ASG gains *optional* UPnP support, home users could optionally use a higher-end "home" wifi/router and install an aftermarket OS on it, such as DD-WRT. That will provide VPN and many other more professional features, but still give you popular home-oriented features like UPnP.

      • Eric R. commented

        As Chester Wisniewski commented, I think it defeats the purpose of the firewall as well. So please don't!

        But! As 'Anonymous' said, "This would be a great feature to add. I would even be open to paying for this feature as a licensed add-on!"
        If people want to pay money to disregard their firewall, be my guest. At least if you paid you have to know you bought insecurity, right?

      • Ross commented

        I think you have missed the point. These devices are increasingly being deployed at end users' homes. When a $40 Belkin special works better with their Xbox/Apple/Sony device, then it's a problem. I don't want to spend my entire life putting in port forwards to make personal devices work at their home, but I do want to be able to offer them a firewall which can do IPsec/SSL VPN and control what access they get back to my work network. Not to mention traffic inspection, web filtering etc.

        I'm not saying it isn't a security risk and I'm not saying enable it by default. I am saying offer it as an option to be enabled, but with some controls around it. E.g. let only certain IPs request UPnP port mappings, or only certain ports. As some have mentioned, identify the requests and let an admin approve them, which would be great instead of having to trawl forums to figure out what ports an Xbox uses, or the next new device a client has brought home.
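The gated design that Paul Chambers, Mateusz Bender and Ross describe above (a device whitelist, optional port restrictions, and new rules created disabled until an admin approves them) as an added example in Python; this is not Sophos UTM code, and the allowlist, the 1024-65535 port window, the rule fields and the sample request body are all constructed assumptions. The only request fields used are the standard IGD WANIPConnection AddPortMapping arguments.

```python
import re
from dataclasses import dataclass

# Constructed allowlist (assumption): MAC -> external ports the device may map; "*" means any port.
ALLOWLIST = {"aa:bb:cc:dd:ee:01": {"*"}, "aa:bb:cc:dd:ee:02": {3074}}
CREATE_ENABLED_BY_DEFAULT = False  # ship with new rules disabled, awaiting admin approval

@dataclass
class NatRule:
    src_mac: str
    internal_client: str
    internal_port: int
    external_port: int
    protocol: str
    enabled: bool  # False: the mapping is listed for review but no traffic is forwarded yet

def parse_add_port_mapping(soap_body: str) -> dict:
    """Extract the IGD WANIPConnection AddPortMapping arguments the policy gates on."""
    out = {}
    for tag in ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient"):
        m = re.search(rf"<{tag}>\s*([^<]*?)\s*</{tag}>", soap_body)
        if not m or not m.group(1):
            raise ValueError(f"missing {tag}")
        out[tag] = m.group(1)
    return out

def evaluate_request(src_mac, src_ip, soap_body, allowlist=ALLOWLIST, create_enabled=CREATE_ENABLED_BY_DEFAULT):
    """Return the NatRule to add (enabled or pending approval), or None when the request is refused."""
    allowed = allowlist.get(src_mac.lower())
    if allowed is None:
        return None  # device not on the whitelist: refuse, the firewall is left untouched
    req = parse_add_port_mapping(soap_body)
    if req["NewProtocol"] not in ("TCP", "UDP") or req["NewInternalClient"] != src_ip:
        return None  # a device may only open ports towards itself, never towards another host
    ext = int(req["NewExternalPort"])
    if not 1024 <= ext <= 65535 or not ("*" in allowed or ext in allowed):
        return None  # privileged ports are never mappable; the rest only if the whitelist permits
    return NatRule(src_mac.lower(), src_ip, int(req["NewInternalPort"]), ext,
                   req["NewProtocol"], enabled=create_enabled)

# Constructed sample body, shaped like a console's AddPortMapping call (not a real capture).
SAMPLE_BODY = """<s:Envelope><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol>
<NewInternalPort>3074</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>Xbox</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"""
```

With the shipped defaults an unknown device gets nothing, and a whitelisted one gets a disabled rule that appears in the admin's list for approval, which is the "UPnP virtual rules" idea in practice.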
