SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Let's Encrypt Wildcard Integration

    Let's Encrypt Integration came with UTM 9.6. That's great!

    You should now implement the support of Let's Encrypt Wilcard domains with ACMEv2.

    Best Regards

    41 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. Let's Encrypt Domain Validation via DNS challenge

    Let's Encrypt Integration is really cool but it would be even better if there is support for Domain Validation via DNS challenge. With DNS challenge, you can prove domain ownership (through responding to a challenge with a DNS TXT record) without the need to expose any services to the Internet.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. Fix the Bug where X-Forward-? host headers are passed when pass host headers is turned OFF in the configuration

    This should be a critical bug in the product but has been downgraded to a feature request for an unknown reason.

    Issue details
    X-Forward-Host and others are appended to the request when the client sends the data (usually as a hack attempt). This results in both the values from the client and the value set from the firewall being sent through to the back end web server.

    Please treat this as the bug it is and not as a feature request.

    Tracking details:
    Development reference number: NUTM-11135
    Current Status: Assigned to backlog
    Issue type: Feature Request

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. Update SSL Certificate Option

    We are hosting 89 websites behind the firewall using a wildcard certificate, this certificate is going to exipre in few days. When trying to update the certificate with the newly created wildcard certificate I didn't found any option to do that. The only option available was uploading that new certificate with a different name and manually assigning the new certificate to all our Virtual Webservers.
    For companies like us with a big number of web sites behind the WAF, it will become really handy to have an update option so we update the certificate entry that is there in Certificate…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. Is there any way to fetch Sophos UTM WAF logs in third party log monitoring tool?

    No proper categorization of logs in WAF when configured in monitor mode, we are chasing since more than two months to get fetched the logs of WAF in any third party tool (SysLog/SIEM) for the monitoring and rule setting purpose, but we couldn't get proper support from vendor as well as Sophos technical team.

    Earlier we tried with Sophos iVew tool as per the vendor suggestion, the tools is specially developed for Sophos UTM but it works for specific features(reporting) only, not for log monitoring and WAF log fetching.

    Can you please assist in this regards, is there any way…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. Let's encrypt intermediate CA sent by server

    As admin I want to have intermediate CAs automagically added for certificates issued by Let's encrypt client, so they are then served when estalishing TLS connections ad retarted libraries are not breaking due to incomplete certificate chain

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. 35 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. Modify built-in mod_security rule criticality

    The ability to not just create a "skip rule ID" entry for a signature, but actually modify whether the firewall treats it as critical or not. Similar to tuning rules and rule categories in the IPS.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. Support for TLS 1.3

    Support the latest version of TLS protocol for improved security and performance. TLS 1.3 is huge step forward for web security and performance.

    59 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. WAF support for Server 2016 RDWeb

    Update WAF to support RDG passthrough when using Server 2016 RDWeb gateway.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. Allow enabling of Encoded Slashes directly on UTM Interface

    The UTM should have a function in the Web Server Protection that allows the administrator to configure whether or not encoded slashes are allowed for the servers.

    This is especially important for specific SAP-relevant functions, such as Fiori systems.
    At the moment it's possible to manually configure this setting but it's reset everytime a change to a server is made.
    I believe that it would be best to either:
    - not overwrite the that point in the config, if enabled
    - or straight up allow this configuration in the panel.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. WAF - Allow Remote Dektop Gateway protocol Windows server 2016

    Upgraded our RDP Gateway server to Windows 2016, and connection through the WAF is now failing. Answer from support:

    "I have reviewed the case and have researched this issue for you. For the RDP Gateway 2012R2, RD Gateway used to use RPC (remote procedure call) in order to transport the remote desktop session over HTTP, that was & still is supported by WAF on the UTM.

    For the Windows 2016 RDP Gateway however, Microsoft decided to change protocol they use so that instead of using RPC, they now use one called RDG. RDG is not supported by WAF on the…

    53 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. GUI Switch to enable "AllowEncodedSlashes" and "nocanon" in WAF

    We are hosting a SAP Fiori webserver behind a UTM-220. To make this fuction, you have to edit the virtual host in reverseproxy.conf manually, because Fiori needs the Apache directive "AllowEncodedSlashes On" and the parameter "nocanon" at the ProxyPass directive (for example "balancer://8f757b42....20/" lbmethod=bybusyness nocanon).

    After manual edit of the conf file it works, but after every change in the GUI we lost these entries. Please make it possible, to change these settings in the GUI. Thank you.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. Can we switch of the ssl weakness for WAF. Please do a server test at www.ssllabs.com and type a url from a site behind the WAF.

    Can we switch of the ssl weakness for WAF. Please do a server test at www.ssllabs.com and type a url from a site behind the WAF. you get this for all ssl v ersions

    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

    14 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. WAF filter on Headers

    I use the Sophos UTM and WAF to enhance protections to our hosted websites. Occasionally I am receiving traffic from spiders that advertise themselves as Scrapy (scrapy.org) via the User Agent. I would like to add a check for the user_agent and black list user agents that are known to be "bad". I do know that it is trivial change the user agent to something arbitrary and the ability would still be useful.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. Web Ser

    Currently, the only way to enable SSTP is to use a DNAT rule and forward the entire 443 (HTTPS) traffic to an internal VPN server. This effectively "blocks" the use of 443 for anything else - be it Web Admin, User Portal, any virtual web server.

    Forefront TMG makes it possible to forward SSTP VPN connections easily to a SSTP VPN server (it's a shame a built-in SSTP is not available in UTM, but that's a different request altogether), making it possible to use other services on the default HTTPS port.

    Since Sophos UTM is advertised as a Forefront replacement…

    4 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. Make UTM Webserver protection work with Exchange O365 hybrid passthrough

    Exchange / O365 Hybrid requires the use of WSSecurity/OAuth between O365 and on premise Exchange servers.
    Webserver protection, when set to passthrough, still intercepts this and breaks the authentication.
    only way to use UTM with Exchange hybrid currently is to use DNAT rules and therefore makes the whole thing redundant and useless.

    please prevent passthrough from breaking WSSecurity/OAuth.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. Support setting httpd_location field in WAF login form.

    When using the UTM box as a reverse proxy handling user authentication before allowing access to an internal web app, a user is redirected to the login form if they've not logged in already. I need to be able to redirect users to the page they requested originally once they've authenticated successfully. For example, if they try to access https://example.com/foo, they get redirected to https://example.com/_something_form where they enter their credentials. They submit the form which is submitted to https://example.com/_something_login. If they're successful, they're then sent to https://example.com/. I need them to be setn to the original https://example.com/foo

    5 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. HTTP/2 support

    Please add HTTP/2 support

    92 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. WAF & Reverse Proxy

    Add a page to show current logged on users, log on time & duration. Possibly a link to the log of what pages they have visited whilst logged on?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 6 7 8
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.