We want to improve the UTM Firewall product whenever and however we can. Your insight, creativity and experiences are important to us. Would it not be cool to see your suggestion adopted in the roadmap and ship in a product? Well, here is your chance to have your say.
- Set the VPN configuration pages to be tabbed, rather than a wizard that has to be moved through. It's much simpler to go directly to the Phase 2 configuration than to have to click through the other settings.
- Allow time based rules (for example, to block AIM traffic during business hours, but let it be accessible for people in the office after 6pm)
- Add a larger list of predefined port groups for use in creating rules (iChat, video streaming, alternate SMTP ports).
- Allow multiple connection types to be chosen for rules (currently I may create a server definition, with all traffic types listed, that can be edited to grant or restrict access to a server. But I'd rather be able to select multiple definitions to make it easier to catch all related ports at once)
- Give a dedicated page to track aggregate usage by a particular user, and by traffic type, over the last defined period. Maybe this is easier done in the logging software, but it would be great to have a "Top 5 users" listed on the status page.
This isn't a UTM feature request, but I do have a UTM Firewall community request: any way to add an edit button so we can clean up any typos we may have found after posting (say, within 15 minutes after posting)?
Now I see it - didn't see it before... Message was edited by: Mike on 11/12/09 4:01 PM
> - Set the VPN configuration pages to be tabbed, rather than a wizard that has to be moved through.
It will be a wizard when you create it, so you can't forget to 'do stuff'. After that it'll turn into a tabbed form. We will do this for other subsystems too. Should be in 5.0 if the schedule deities smile on us.
> - Allow time based rules (for example, to block AIM traffic during business hours, but let it be accessible for people in the office after 6pm)
Will be in 5.0.
> - Add a larger list of predefined port groups for use in creating rules (iChat, video streaming, alternate SMTP ports).
Hmmm. Wasn't on our radar. Doesn't that get hard to search? I always found /etc/services on Linux with its 500+ entries more of a hindrance than a help.
> - Allow multiple connection types to be chosen for rules (currently I may create a server definition, with all traffic types listed, that can be edited to grant or restrict access to a server. But I'd rather be able to select multiple definitions to make it easier to catch all related ports at once)
Not sure what you mean. You can already create groups of services in the Definitions section. And you can also group interfaces together. That would seem to cover what you are asking for but perhaps I misunderstand.
> - Give a dedicated page to track aggregate usage by a particular user, and by traffic type, either over the last defined period. Maybe this is easier done in the logging software, but it would be great to have a "Top 5 users" listed on the status page.
Firewall Reporter gives you most of that - off-device. Doing it 'on-device' is on the to-do list. There are some resource constraints with it, so probably not going to be possible on all devices. Hopefully 5.5, but haven't done the MRD for that yet.
Updating Siproxd to a more recent version would be good. This version doesn't understand that you don't allocate RTP ports sequentially, among other things. They are in RTP/RTCP pairs.
- I think I mentioned time based rules before but another hear-hear if I didn't.
- A few wizards, for example: Guest WLAN wizard:
These things make it easier for some one to go in and make those setups themselves, and then see what changes are made in the configuration if they want to add things later.
VPN wizards would be sweet: What client do you want to use? Okay- here's the config (even if that just points to a web page at mcafee.com with detailed instructions).
- The Aliases management should get cleaned up - in 4.0.5 you bounce back to the connection when making a change - too many bounces to add/delete multiple addresses.
- Some graphical things: get rid of the vertical stripes - it makes some LCDs "dance"; the gradients should be a little more subtle (don't move from something light to dark).
- Gigabit on the WAN - seriously - we are finally starting to see some connections that exceed 100bT for less than a car payment per month (and I mean a Honda, not a Veyron). And fiber between sites is an option in a dense area like ours.
- A method to import a config from one model to another (like when you finally get that 70Mb connection and need to upgrade from a 560 to a 580).
- Better documentation: I think a lot of the manual is written with a certain expectation of the knowledge level - but there are a lot of us who are out there doing things as part-time admins - we don't have the time to spend making large time investments. Some more descriptions (including some of the info that is expanded in Knowledgebase articles).
- Web based manual, with direct links to the KB articles that expand on topics, and links that search on the topic headers to pull up relevant KB articles (i.e. I'm looking at masquerading, and need more info on my particular decision tree- click "more" and I get a list of masquerading related KB articles).
We are a lot of small to medium business users - if we were bigger we might step up to the bigger firewalls - so keep in mind that not all the features are useful for us - there is an incredible amount of flexibility, but there is also a lot of complexity. Break down some of that complexity for us and we can make better use of the tools we have. I know there are some people who can really wrangle these, but some of us need a nice smooth ride.
Sorry for the late response - but thank you for taking the time to provide all that feedback - very interesting.
About aliases - it's a known limitation of our UI framework. Looking for a good point in time to improve the framework, as it's not simple to do.
Hadn't heard about the LCD effect before.
Better doc - feeding KB usage examples back into doc or linking is a good idea. We certainly are always looking to provide more representative examples, and they are always tricky to make up or find.
Finding a balance of ease-of-use and features, without getting in the way of experts/veterans is quite tricky. As they say, easy is hard.
Users that have no time to train up to a level where they have a sufficiently complete model of 'how it all works' would certainly struggle to connect the dots between WLAN, DHCP, bridging and a variety of other concepts.
We are hoping Quick-Setup > Guided configuration will work better than lots of wizards to guide people through such complexity.
If we added a 'how to set up WLAN' under guided config, covering the topics you indicated, would that do the trick?
Will the IDS/IPS still be Snort based in the next iteration of the 565? Are there any other security features on the roadmap?
Will a serial port still be present on the next gen device?
Will the next gen device have crypto accelerator like the current version?
My feature requests:
I'd like to see captive portal included on the 565's wifi.
Also it would be nice if OpenDNS Content Filtering is supported.
Can some form of NAC be integrated in to the device?
A problem I've run across on a few wireless installations is that WPA2 Enterprise with 802.1x requires RADIUS auth back to a corporate server across the WAN. In installations where PCI-DSS requires WPA2 with 802.1x, we often see wifi connecting Symbol/Intermec handscanners, remote POS stations, or it's now popular to use a wireless handheld ordering system. If the WAN link goes down the store/restaurant is often out of business until the WAN is back up because the devices can't reach the corporate RADIUS server any longer.
Could a small RADIUS system such as TinyPEAP be integrated into the 565 for a dozen or so uname/pwd's so the auth would take place on the 565? Or, is there a way to authenticate to a corporate RADIUS but use a cached copy of the uname/pwd when the corp auth server is not available (like Windows does when the Domain Controller is not present)?
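To make the WAN-down failure mode in the post above observable, here is a small RADIUS reachability probe that does what an 802.1X authenticator does: it builds an RFC 2865 Access-Request with PAP password hiding, sends it, validates the Response Authenticator, and reports accept, reject or unreachable. This is an added example, not code from the thread or from the UTM product; the server address, shared secret and account are constructed placeholders.

```python
"""RADIUS (RFC 2865) reachability probe for a WPA2-Enterprise RADIUS backend."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password (strips the zero padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1):
    """Assemble an Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    auth = os.urandom(16)                       # Request Authenticator, 16 random bytes
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = hide_password(password, secret, auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth

def probe(server, secret: bytes, username: bytes, password: bytes, timeout: float = 3.0) -> str:
    """Return 'accept', 'reject' or 'unreachable'. An authenticator whose only RADIUS
    server answers 'unreachable' is exactly the WAN-down outage described in the post."""
    pkt, auth = build_access_request(username, password, secret)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, server)
            reply, _ = s.recvfrom(4096)
    except OSError:                             # timeout, ICMP unreachable, no network
        return "unreachable"
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret), RFC 2865 s3
    expected = hashlib.md5(reply[:4] + auth + reply[20:length] + secret).digest()
    if reply[4:20] != expected:                 # wrong secret or forged reply: not a valid answer
        return "unreachable"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unreachable")
```

Run `probe(("radius.example.internal", 1812), b"placeholder-secret", b"probe-user", b"probe-pass")` from the store side on a schedule; a switch to "unreachable" is the moment 802.1X clients start failing.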