SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Support for TLS 1.3

    Support the latest version of TLS protocol for improved security and performance. TLS 1.3 is a huge step forward for web security and performance.

    1 vote
    0 comments  ·  Web Server Protection
    • webserver protection waf download size

      When downloading a file from an Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
      The content-length header is probably not passed through here.
      Disabling WAF features or AV scanning does not change this.

      The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

      2 votes
      0 comments  ·  Web Server Protection
      • Can we switch off the ssl weakness for WAF. Please do a server test at www.ssllabs.com and type a url from a site behind the WAF.

        Can we switch off the ssl weakness for WAF. Please do a server test at www.ssllabs.com and type a url from a site behind the WAF. You get this for all ssl versions

        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
        TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

        8 votes
        1 comment  ·  Web Server Protection
        • Forms Authentication fallback to Basic Authentication for non-browser applications

          If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.

          1 vote
          0 comments  ·  Web Server Protection
          • 'Skip remote lookups for clients with bad reputation' - configurable cached clean up

            With 'Skip remote lookups for clients with bad reputation' option, Sophos will use cached information instead of online checks which is fine, but we need to be able to configure how long Sophos keeps this cached information.

            As the online database is updated all the time, there should be a configuration to clear up cached information, for example every 24 hours.

            Currently, I was told by Sophos support that I have to disable this temporarily and re-enable it to clear out the previously cached information.

            1 vote
            0 comments  ·  Web Server Protection
            • Let's Encrypt Integration

              It would be very nice if Let's Encrypt CA start with public certificates (letsencrypt.org), that we can get certs through the UTM Gui. So that the "Let's Encrypt Client" is integrated in the UTM. Would it be possible?
              Best Regards

              1,289 votes
              224 comments  ·  Web Server Protection
              • Allow enabling of Encoded Slashes directly on UTM Interface

                The UTM should have a function in the Web Server Protection that allows the administrator to configure whether or not encoded slashes are allowed for the servers.

                This is especially important for specific SAP-relevant functions, such as Fiori systems.
                At the moment it's possible to manually configure this setting but it's reset every time a change to a server is made.
                I believe that it would be best to either:
                - not overwrite that point in the config, if enabled
                - or straight up allow this configuration in the panel.

                3 votes
                0 comments  ·  Web Server Protection
                • GUI Switch to enable "AllowEncodedSlashes" and "nocanon" in WAF

                  We are hosting a SAP Fiori webserver behind a UTM-220. To make this function, you have to edit the virtual host in reverseproxy.conf manually, because Fiori needs the Apache directive "AllowEncodedSlashes On" and the parameter "nocanon" at the ProxyPass directive (for example "balancer://8f757b42....20/" lbmethod=bybusyness nocanon).

                  After manual edit of the conf file it works, but after every change in the GUI we lost these entries. Please make it possible, to change these settings in the GUI. Thank you.

                  3 votes
                  0 comments  ·  Web Server Protection
                  • Request for the list of WAF Signature on Sophos UTM

                    Request for the list of WAF Signature on Sophos UTM

                    1 vote
                    0 comments  ·  Web Server Protection
                    • Waf-fle support Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle co

                      Waf-fle support

                      Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle console is a useful tool

                      To be taken into account by you

                      5 votes
                      1 comment  ·  Web Server Protection
                      • No proper categorization of logs in WAF when configured in monitor mode

                        When we configure WAF in monitor mode we did not receive proper categorized logs in Alert but when we configure in REJECT MODE - it works fine

                        Requesting you to look this because before applying WAF we have to monitor traffic and pattern and after then we can create required rules in WAF

                        Here this part is missing which will misguide user while configuring it

                        1 vote
                        0 comments  ·  Web Server Protection
                        • WAF - Allow Remote Desktop Gateway protocol Windows server 2016

                          Upgraded our RDP Gateway server to Windows 2016, and connection through the WAF is now failing. Answer from support:

                          "I have reviewed the case and have researched this issue for you. For the RDP Gateway 2012R2, RD Gateway used to use RPC (remote procedure call) in order to transport the remote desktop session over HTTP, that was & still is supported by WAF on the UTM.

                          For the Windows 2016 RDP Gateway however, Microsoft decided to change protocol they use so that instead of using RPC, they now use one called RDG. RDG is not supported by WAF on the…

                          11 votes
                          1 comment  ·  Web Server Protection
                          • WAF filter on Headers

                            I use the Sophos UTM and WAF to enhance protections to our hosted websites. Occasionally I am receiving traffic from spiders that advertise themselves as Scrapy (scrapy.org) via the User Agent. I would like to add a check for the user_agent and black list user agents that are known to be "bad". I do know that it is trivial to change the user agent to something arbitrary and the ability would still be useful.

                            1 vote
                            0 comments  ·  Web Server Protection
                            • Web Ser

                              Currently, the only way to enable SSTP is to use a DNAT rule and forward the entire 443 (HTTPS) traffic to an internal VPN server. This effectively "blocks" the use of 443 for anything else - be it Web Admin, User Portal, any virtual web server.

                              Forefront TMG makes it possible to forward SSTP VPN connections easily to a SSTP VPN server (it's a shame a built-in SSTP is not available in UTM, but that's a different request altogether), making it possible to use other services on the default HTTPS port.

                              Since Sophos UTM is advertised as a Forefront replacement…

                              2 votes
                              0 comments  ·  Web Server Protection
                              • WAF documentation upgrades

                                Recently, I went through a fire drill to discover how to know the client IP when a webserver is sitting behind a WAF site. The answer is in the community forum (x-forwarded-for header), but why is this information not in the documentation? Most technology needs both concepts documentation (how do I achieve a business objective) and feature documentation (what does this button do.) Since the UTM manual is simply a repackaging of the online help, and both are intended only to describe how to fill in the forms, important information does not get communicated. (Another important bit of undocumented-but-critical information…

                                1 vote
                                0 comments  ·  Web Server Protection
                                • Enable users to reset their domain user password using Web Mail

                                  There are many companies that force employees to reset domain user passwords very often. Now, when employees need to access mail using their Web Mail and their password has expired they will have to call IT to reset their password, but if working hours have finished and there is no IT personnel in the office, or maybe it's the weekend, which is even worse, they will have to wait until the next working day so that IT can help. In a situation like this, enabling users to reset their domain account password using Web Mail Portal, like Microsoft TMG does, would help.

                                  22 votes
                                  1 comment  ·  Web Server Protection
                                  • Support setting httpd_location field in WAF login form.

                                    When using the UTM box as a reverse proxy handling user authentication before allowing access to an internal web app, a user is redirected to the login form if they've not logged in already. I need to be able to redirect users to the page they requested originally once they've authenticated successfully. For example, if they try to access https://example.com/foo, they get redirected to https://example.com/_something_form where they enter their credentials. They submit the form which is submitted to https://example.com/_something_login. If they're successful, they're then sent to https://example.com/. I need them to be sent to the original https://example.com/foo

                                    3 votes
                                    1 comment  ·  Web Server Protection
                                    • Remove bug that erases custom domains from Virtual Web Servers when using Wildcard Certificates

                                      When creating a Virtual Web Server and a wildcard certificate is used the domains list is auto-populated with *.domain.com and domain.com. If you delete those and put in custom domains and then click to expand the "Advanced" options, all the custom domains are deleted and replaced with the defaults.

                                      After renewing the wildcard certificate and updating it on the existing Virtual Web Server object, all the custom domains are again deleted and replaced with the default.

                                      This could cause a site outage if the changes get saved without the administrator noticing.

                                      I recommend fixing the bug with the "Advanced" dialog,…

                                      4 votes
                                      1 comment  ·  Web Server Protection
                                      • waf header

                                        Suppress server header from WAF reverse proxy. Most *********** testers flag up the fact that it gives away that it is running apache. Please add to the GUI the ability to turn this header off. It can be done manually at the moment with a hack, but it is unsupported, please make it an official setting.

                                        Add to httpd.conf the following code:-

                                        <IfModule security2_module>
                                        SecRuleEngine on
                                        ServerTokens Full
                                        SecServerSignature " "
                                        </IfModule>

                                        1 vote
                                        1 comment  ·  Web Server Protection
                                        • elliptic curves

                                          UTM should Support elliptic curves for ReverseProxy

                                          1 vote
                                          0 comments  ·  Web Server Protection