Sophos Ideas

Do you have an idea for a Sophos product? Do you recognize a good idea when you see one? We want to hear from you!

Adrien Belcourt

My feedback

  1. 428 votes
    58 comments  ·  SG UTM
    Adrien Belcourt commented  · 

    IKE v2 support is critical to increasing numbers of customers and this feature request is required for implementing this.

    See the "VPN: IKE V2 Support" feature request, which if combined with this feature would make it the 4th highest voted-for feature.

    Vote for both.

    Adrien Belcourt supported this idea  · 
  2. 562 votes
    Under Review  ·  77 comments  ·  SG UTM » VPN
    Adrien Belcourt commented  · 

    IKE v2 is required for Azure.
    IKE v2 is needed by credit card clearing house VPN.
    IKE v2 is supported by Fortinet, Checkpoint, Dell (SonicWall), Cisco, Juniper, WatchGuard who are all of the UTM Competitors in the top 3 of 4 Gartner Quadrants.
    IKE v2 is supported by Windows.
    IKE v2 is supported by the current StrongSwan code used in Sophos UTM.

    All new feature delivery is through Copernicus but not available in V9. V9 currently has EAL4 certification, so is clearly not going away. Why no development in such a key EAL4 certified product? Copernicus is not even going to have parity to V9 till Summer 2016 (earliest). IKE V2 is a critical area that needs to be addressed to protect sales until Copernicus has moved past the early-adopter stage of product development.

    This should be linked with Balfason’s request to “Upgrade to modern version of StrongSWAN which uses charon instead of pluto”. The combined votes would make it the number 4 feature request here.

    Adrien Belcourt supported this idea  · 
  3. 65 votes
    13 comments  ·  SG UTM » VPN
    Adrien Belcourt supported this idea  · 
    Adrien Belcourt commented  · 

    5 years to not close a security vulnerability like this. Security vulnerabilities are the top priority reason for updating software and SSL VPN client software from the UTM is *no exception* to this rule.

    It is crazy to have all the tools to manage and upgrade UTM software to get rid of vulnerabilities like Heartbleed but not bother with tools to manage the client software also provided from the UTM like the OpenVPN client.

    Ideally I would like to see connections refused from clients with known security vulnerabilities with an email alert to the admins to say this is the case.

    It would be good to see the version of the client software listed in the Remote Access page along with the connection details.

    It would also be most excellent to provide a client software user with a warning + link to install up2date client software from the firewall under the user+password dialog box as many others have mentioned.

    But for me the top reason to implement this is to make the UTM software more secure by implementing basic version management for *all* the software provided by the UTM - which includes the Sophos client.

  4. 11 votes
    2 comments  ·  SG UTM » UTM Endpoint Protection
    Adrien Belcourt commented  · 

    I know there is a project to create a cloud security console taking a unified security view over new integrated network and endpoint security functionality. Ultimately this will supersede the endpoint management console on either the UTM or the more traditional Server used for classic AV/endpoint management.

    However, there are two issues here. First, the UTM endpoint management capability is poor. I am sorry, but a management console that does not allow you to check what is going on without having to visit each PC, whether physically or virtually, is not good enough for a company like Sophos - that understands so well the operational issues for managing infection on endpoints.

    Second, if we wait for the new functionality of cloud managed network/endpoint security integration to fix the poor UTM endpoint management capability - then we risk losing opportunities and momentum.

    Customers are being asked to go without now, because “you will feast later on and it will be fantastic”. Well with all the competition out there - why should we wait? May as well go with the competition and by the time Sophos delivers, maybe the competition will have delivered as well and we don’t need to swap back.

    If this GameOver virus hits as hard as we expect with 1 in 30 infected in the UK, lack of ability by Sophos in its UTM AV offering will not reflect well. Not at all. Being able to do effective management of endpoint security has never been so important or have the risk to reflect so badly on the UTM version.

    Adrien Belcourt supported this idea  · 
  5. 58 votes
    9 comments  ·  SG UTM » Authentication
    Adrien Belcourt commented  · 

    AD Domain Trust works, but not in a good way. It does not work in a good way after 8.103. This problem was in the KIL list as "ID19479 8.202 user-/group mapping does not work with identical user names in different domains" but this KIL list entry is no longer there in the current KIL list.

    These are the steps we took to show the problem.
    1. We created a new user on the PARIS domain controller
    2. We created a new group on the PARIS domain controller
    3. We added the new user to the new group on the PARIS dc

    4. We created an identical group on the LONDON domain controller. NOTE we have not added a single user to this group.
    5. We then added the LONDON group (with no users) to Astaro filtering.
    6. The new user in the PARIS group can now surf using the LONDON group permissions because the PARIS and LONDON groups have the same name (even though they are on different DCs).

    So if a company has 3 different Michaels on three different DCs, Astaro cannot tell the difference between them. So if they arrive with their laptops at the office, Astaro cannot tell the difference between a local Michael and a remote Michael.

    It is the same if you have a few different groups with the same name like Active Directory Users, or Allowed Users on different domain controllers.

    So AD Domain Trust works, but not in a good way.

    Adrien Belcourt commented  · 

    We lost to Bloxx on this feature. Bloxx can SSO authenticate very happily to multiple AD servers/domains. This is a pre-requisite for larger customers, who often have multiple divisions. In one case the IT for a healthcare trust had two hospital sites dealt with by two different AD servers (very normal). Another case we had a local government customer that had 7 AD domains/servers for different sites and schools. So this is a normal pre-requisite for larger customers.

    Adrien Belcourt supported this idea  · 
  6. 6 votes
    4 comments  ·  SG UTM » Mail Protection
    Adrien Belcourt commented  · 

    I thought in the last release they had extended group support to nearly all areas of the interface - this must have been overlooked! Would like to see this consistent across the whole UI for Astaro.

  7. 9 votes
    3 comments  ·  SG UTM » Remote Ethernet Device (RED)
    Adrien Belcourt commented  · 

    The ability for the RED box to have a secondary data centre pre-datafilled so that it can connect to the backup data centre in the event that the primary fails. When you have a large network of RED boxes, connecting say 50-250 retail outlets, this functionality would be useful.

    Adrien Belcourt shared this idea  · 
  8. 460 votes
    32 comments  ·  SG UTM » Reporting
    Adrien Belcourt commented  · 

    For stuff that is important operationally; if I cannot prove it - I cannot use it. Have not used Astaro QOS since V4 for customer applications.

    William, I understand where you are coming from for V7/8. I can see, in general terms, that I have stopped bittorrent from occupying 95% of the available download bandwidth, or I have stopped FTP from swamping SQL traffic on the uplink. I can do that. However, I cannot prove my Highest Priority VoIP bandwidth pool is passing 100% of traffic and not discarding packets when I hammer the uplink with lower priority (FTP, etc.) traffic. This is the top application for me.

    Version 4 QOS was the best Astaro have ever had. It provided a count of the number of packets being passed & discarded against the high/normal/low bandwidth queues. I could allocate VoIP to high priority & check no packet discard when hammering Astaro with FTP. Job done. Simple, elegant, and provably working. A serious feature for serious applications. Happily deployed V4 QOS for media streaming company.

    Have not touched it since. Shame, because it looks like V8 QOS could deliver the onions.

    Adrien Belcourt commented  · 

    There is no way to prove QOS is working without this.

    Traffic accounting done on a per QOS rule - and a new QOS reporting category in reports, perhaps?

    (Of course I might just create QOS rules per user to see what they are up to :-)

    Nearly every other function in Astaro has reporting to show/prove value.

    Adrien Belcourt supported this idea  · 
  9. 5 votes
    2 comments  ·  SG UTM » Usability/GUI
    Adrien Belcourt commented  · 

    Gents (and Ladies),

    this is an install and test change. It will speed up performance and allow more to be done on the reporting side.

    What's not to like about this? A true quick win.

    Adrien Belcourt shared this idea  · 
