Sophos Ideas

Do you have an idea for a Sophos product? Do you recognize a good idea when you see one? We want to hear from you!

Admin: Alan Toews (Sr. Product Manager, Sophos Features & Ideas Laboratory)

My feedback

• 42 votes

  Dynamically detecting applications requires that the session be established before you can detect it. Otherwise, you're only looking at the SYN packet details, already available in policy routing. To do more requires visibility of the process initiating the traffic stream.

  Merging all similar ideas, and moving to Synchronized Security category.

• 1 vote  ·  1 comment  ·  SG UTM » Usability/GUI

  I'm unsure whether we'll consider this, but you can solve your specific workflow problem by restricting the user portal allowed networks, rather than disabling it. Restrict it to something your users will never come from, such as a non-existent private IP in a non-existent local subnet, and it is effectively disabled for your needs, but does not cause you problems with how you are currently trying to use two-factor auth. Alternately, you can also just disable sections of the user portal you don't want your users to have access to, such as downloading VPN clients.

• 1 vote  ·  Awaiting reply from Submitter  ·  1 comment  ·  SG UTM

  Hi Bal,

  If you can specify what webinars you are referring to, and what time you are hoping to have it available, I can try to forward your request to the respective team.

• 1 vote  ·  2 comments  ·  SG UTM » Networking

  While understandably confusing, this is possible already today. If you de-select all ICMP options in the firewall / ICMP tab, you can create firewall rules allowing or blocking ICMP exactly as granularly as you like. To make an interface respond to ICMP, simply set that interface address as the destination in an allow rule.

  We may or may not change the way this is handled in the UI, but in the meantime, be aware that you can do this now.

• 1 vote  ·  1 comment  ·  SG UTM » HA/Clustering

  Typos are from me, as "s lave" appears to be a prohibited word in our feature forum :)

• 1 vote  ·  2 comments  ·  SG UTM » Wireless Protection

  Hi flaserra,

  These seem like some reasonable changes to the default template, so I'll leave the feature request for others to vote on. But for your own immediate needs, you can create a new voucher template with whatever details and features you prefer. Just copy the parameter values shown in the default downloadable template PDF, or in the online help, and use them in your own PDF.

  There isn't a parameter currently for the number of allowed devices, but if you plan to keep the count fairly static, you could hard-code that device limit in your hotspot template. If you did change the device limit in future, though, you would need to remember to also update the template accordingly.

• 2 votes  ·  1 comment  ·  SG UTM » Networking

  This is already possible by either using a group definition in the NAT rule, or using "Any" as the source network. In this case, Any is quite safe to use, so long as you are restricting any traffic you don't want to allow outbound with firewall rules. Using Any as the source network just means that any packet that is allowed to pass through the interface will be masqueraded.

  There are some cases where adding just specific hosts or networks to the masq rule would be useful, though, so this is still a useful idea. While not necessary, it would simplify rule management a little in these cases.

• 6 votes  ·  1 comment  ·  SG UTM » Web Protection

  Hi Thomas,

  There are already ways to implement the goal you outlined, but more granular control of the existing block override feature would make some sense. Currently, it doesn't allow override of file extension blocks, but it would be useful to optionally allow only select content categories to be overridden, as well as allow file extension or MIME type blocking to be selectively overridden by some users. As such, I'll modify the feature request, rather than mark it as already possible.

  In your specific use case, you do have some options now. You can create a different filter assignment for admin users than for other users, which does not block executable files. In 9.200, you can supplement this by changing the action to warn, so admins are warned when downloading executable files, but can still proceed. Other users could still be blocked by their filter profiles.

  If you're not using authentication, you can also create an exception from file extension blocking for selected workstations, by IP address. Either of these options allows you to implement the scenario you are asking for.

• 4 votes  ·  3 comments  ·  SG UTM » Authentication

  Hi Aaron, what's the use case you see for manually defining the user's token? This doesn't make much sense based on the expected workflow, but if there is a use case we aren't accommodating presently, it might make sense to change the current behavior.

  The intended workflow for software tokens is that the user, who must have the secret installed in their authenticator application, can get this token via self-service from the user portal. This way, there is no typing or copy/pasting to get the code from the UTM to the client. In this use case, the secret is automatically generated for them by the UTM. No need for generating it via external means.

  The expected use case for manually defining a secret for a user is when compatible hardware tokens are used. In this case, generating a token would be pointless, since these tokens already have a pre-generated secret, which the UTM must know for the token to work with the UTM.

• 19 votes  ·  5 comments  ·  SG UTM » Authentication

  Appending the PIN onto the end of the password is a fairly standard entry method, but I agree there could be some better documentation around its use.

  Keep in mind that 2FA can be enabled selectively for various users, so adding a separate PIN entry field could be equally confusing for users not enabled for two-factor authentication. Also, as Yes indicates, showing a separate PIN field when 2FA is enabled reveals information about the security settings of the device, which is not desirable to many users. While I somewhat agree with your points, I've renamed this feature request to make the subject more descriptive and less opinionated.

  As for admins being locked out of the web interface by enabling 2FA for WebAdmin access, there are some strategies you can use to minimize risk. First, you can currently generate a list of one-time-use PINs per user, which may be used if a user loses or forgets their phone. If you are using 2FA for WebAdmin access, I would recommend pre-generating these tokens and storing one or two of them securely somewhere outside the UTM.

  Alternately, create a separate account which uses a very long and random password, does not have 2FA enabled, and may be used in emergencies. Finally, our knowledgebase does have options on resetting passwords in the event of a lockout. If you have direct console access to your UTM, it is possible to recover access.
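The comment above describes two mechanisms without showing how a server handles them: the one-time code typed onto the end of the password in a single field, and a list of pre-generated one-time backup PINs kept for lockout recovery. The Python below is an added example, not Sophos code and not how the UTM is implemented; it assumes the code is the trailing 6 digits of the entry, that codes are RFC 6238 TOTP (HMAC-SHA1, 30-second step) with a one-step drift window, and it uses constructed secrets, passwords and backup codes. Every failed login returns the same result, which is the point the comment makes about not revealing whether 2FA is enabled for an account.

```python
"""Added example, not Sophos code: server-side handling of a 'password with a
one-time PIN appended' login entry, plus pre-generated one-time backup codes.

Assumptions: the OTP is the last 6 digits of the entry; codes are TOTP
(RFC 6238, HMAC-SHA1, 30 s step); a +/-1 step window is tolerated.
The secret, password and backup codes used here are constructed test values."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

OTP_DIGITS = 6
TIME_STEP = 30


def split_credential(entry: str, digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Split 'password<otp>' into (password, otp); None if no numeric code is appended."""
    if len(entry) <= digits or not entry[-digits:].isdigit():
        return None
    return entry[:-digits], entry[-digits:]


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/-window neighbouring steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + skew * TIME_STEP), code)
        for skew in range(-window, window + 1)
    )


def _digest(value: str) -> str:
    # Toy hashing for the example; a real deployment stores passwords with a slow KDF.
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    """Per-user state: password hash, TOTP secret and unused backup codes (stored hashed)."""

    def __init__(self, password: str, secret: bytes, backup_codes):
        self.password_hash = _digest(password)
        self.secret = secret
        self.backup_hashes = {_digest(c) for c in backup_codes}


def authenticate(account: Account, entry: str, now: int) -> bool:
    """True only if the password matches and the appended code is a valid TOTP value
    or an unused backup code. Every failure returns the same False, so the caller
    cannot tell which factor was wrong or whether 2FA is enabled for the account."""
    parts = split_credential(entry)
    if parts is None:
        return False
    password, code = parts
    if not hmac.compare_digest(_digest(password), account.password_hash):
        return False
    if verify_totp(account.secret, code, now):
        return True
    # Fall back to the pre-generated one-time codes; each is consumed on use.
    code_hash = _digest(code)
    if code_hash in account.backup_hashes:
        account.backup_hashes.discard(code_hash)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test key; at t=59 the 6-digit SHA-1 code is 287082.
    acct = Account("correct horse", b"12345678901234567890", ["990011"])
    print(authenticate(acct, "correct horse287082", 59))   # True
    print(authenticate(acct, "correct horse990011", 59))   # True (backup code, now consumed)
    print(authenticate(acct, "correct horse990011", 59))   # False
```

The backup codes are stored hashed and removed on first use, which is what makes them safe to keep "somewhere outside the UTM" as the comment suggests: a written-down code is only ever good once.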

• 4 votes  ·  1 comment  ·  SG UTM

  Hi Alexander,

  There is already a refresh button, which isn't exactly what you want, but it will clear the current view, tail the last few lines from the log, then apply your filter again. If you're looking at a couple of pages of logs before you apply a filter, the refresh icon can at least help clean that up a bit.

• 3 votes  ·  1 comment  ·  SG UTM » Networking

  Hi Curtis,

  Just like firewall rules, NAT rules are also first-match. Just create a NO-NAT rule above your DNAT rule, and the selected hosts or networks sourced in your NO-NAT rule will not be allowed through the DNAT below it.
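The ordering point in the comment above is easy to get wrong in a long NAT table, and a misplaced NO-NAT rule fails silently: it simply never matches. The Python below is an added example, not Sophos code and not the UTM's NAT engine; it models a first-match rule table matching on source network, destination network and destination port (with "Any" meaning unrestricted), shows the NO-NAT exemption working when placed above the DNAT and being shadowed when placed below it, and adds a small static check that flags rules an earlier rule fully covers. Addresses and rule names are constructed sample values.

```python
"""Added example, not Sophos code: a toy first-match NAT rule table that
reproduces the ordering point above.  A NO-NAT rule placed above a DNAT rule
exempts the sources it matches; placed below it, the same rule is shadowed and
never fires.  shadowed() is a static check for that misordering.

Assumptions: rules match on source network, destination network and
destination port; "Any" means unrestricted.  Addresses are constructed
documentation / RFC 1918 values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _contains(net: str, addr: str) -> bool:
    return net == "Any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` also falls in `outer`."""
    if outer == "Any":
        return True
    if inner == "Any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


@dataclass
class Rule:
    name: str
    action: str                   # "DNAT" or "NO-NAT"
    source: str                   # CIDR or "Any"
    dest: str                     # CIDR or "Any"
    dport: Optional[int]          # None = any port
    target: Optional[str] = None  # DNAT target host; unused for NO-NAT

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (_contains(self.source, src) and _contains(self.dest, dst)
                and (self.dport is None or self.dport == dport))


def apply_nat(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[Optional[str], str]:
    """First-match evaluation: the first matching rule decides; later rules are ignored.
    Returns (name of the rule that fired, resulting destination address)."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.name, (rule.target if rule.action == "DNAT" else dst)
    return None, dst


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that an earlier rule fully covers, so they can never match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.dest, later.dest)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(later.name)
                break
    return out


# Constructed sample policy: publish an internal web server on a public address,
# but keep the management network from being redirected to it.
NO_NAT = Rule("exempt-mgmt", "NO-NAT", "10.9.0.0/24", "203.0.113.10/32", 443)
DNAT = Rule("publish-web", "DNAT", "Any", "203.0.113.10/32", 443, target="192.168.1.20")

CORRECT_ORDER = [NO_NAT, DNAT]   # exemption first, as the comment recommends
WRONG_ORDER = [DNAT, NO_NAT]     # exemption below the DNAT: never reached

if __name__ == "__main__":
    print(apply_nat(CORRECT_ORDER, "10.9.0.5", "203.0.113.10", 443))  # ('exempt-mgmt', '203.0.113.10')
    print(apply_nat(WRONG_ORDER, "10.9.0.5", "203.0.113.10", 443))    # ('publish-web', '192.168.1.20')
    print(shadowed(WRONG_ORDER))                                       # ['exempt-mgmt']
```

The shadow check is deliberately conservative: it only reports a rule when an earlier rule's source, destination and port all cover it, so a rule that is merely partly overlapped is left alone.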

• 2 votes  ·  1 comment  ·  SG UTM » Operating System

  To an extent, you can do this now, using the HTML5 VPN portal. It's accessible through the user portal, not through WebAdmin, and must be enabled and configured first, but will offer the functionality you want.

• 2 votes  ·  2 comments  ·  SG UTM » HA/Clustering

  During installation, UTM currently always randomizes scheduled task start times on maintenance tasks. It does this to avoid a collision of demands for shared resources in virtual environments. Is there additional control you see as necessary?

• 3 votes  ·  2 comments  ·  SG UTM » Appliance Hardware

  What features specifically aren't working for you in IE? While not my primary browser, I use IE 9 & 10 regularly with UTM WebAdmin and user portal, with no issues.

• 8 votes  ·  4 comments  ·  SG UTM » Application Control

  The purpose of application control presently is to give application-level visibility or to restrict application traffic on ports that are otherwise allowed. If port 443 is open, and Skype tries to use port 443 to get out of the network, application control will see Skype's connection, and after a few packets, determine that Skype is using that port, then stop it. App control allow rules only exist presently so that you could allow applications for some users that you're blocking for others.

  Application control can't always determine what the application is on the first packet. Firewall ports need to be open to allow some packet exchange before application-level control can identify the traffic and step in. If you create an application control rule to allow HTTP or HTTPS traffic, it might be safe in most cases to assume that you need to allow ports 80 and 443 traffic outbound, but what about Skype? What ports should the firewall open? Skype has no fixed default port, and may randomly choose any port. I'm not sure how app control could do this safely.

• 37 votes  ·  7 comments  ·  SG UTM » Network Protection

  Suricata looks interesting, though you might not be aware that UTM's implementation of Snort is multi-threaded.

• 22 votes  ·  3 comments  ·  SG UTM

  Hi Stefano, if you use RED UTM-to-UTM tunnels instead of IPsec, you will be able to do everything you can with IPsec tunnels, as well as pass BGP or OSPF traffic across the tunnel.

• 73 votes  ·  6 comments  ·  SG UTM » Remote Ethernet Device (RED)

  This may not suit your needs exactly, but please check the Manual/Split deployment setup described here: http://www.sophos.com/en-us/support/knowledgebase/116573.aspx

  It will allow a remote network to continue to access the internet if the RED tunnel goes down.

• 2 votes  ·  1 comment  ·  SG UTM » Remote Ethernet Device (RED)

  Hi Anonymous,

  There are several knowledgebase articles that cover the meaning of RED blink codes thoroughly:

  Astaro Security Gateway (RED) meaning of the LED outputs:
  http://www.sophos.com/en-us/support/knowledgebase/116173.aspx

  Astaro RED (Remote Ethernet Device) Technical Training Guide:
  http://www.sophos.com/en-us/support/knowledgebase/116573.aspx
