SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Let's Encrypt Wildcard Integration

    Let's Encrypt Integration came with UTM 9.6. That's great!

    You should now implement the support of Let's Encrypt Wildcard domains with ACMEv2.

    Best Regards

    3 votes
    0 comments · Web Server Protection
    • 26 votes
      5 comments · Web Server Protection
      • Modify built-in mod_security rule criticality

        The ability to not just create a "skip rule ID" entry for a signature, but actually modify whether the firewall treats it as critical or not. Similar to tuning rules and rule categories in the IPS.

        1 vote
        1 comment · Web Server Protection
        • Log the domain used for virtual web servers in WAF

          Currently, Web Server Protection logs only note the first listed domain to identify which virtual web server was used by the client.
          • server: first domain name of the virtual server serving the request

          Since there can be a number of domains used by the same virtual web server, it would be much more useful to log the actual domain requested in the host header. As different domains can be used for different environments, this would provide much better analytics on how the virtual web server is being used.

          1 vote
          0 comments · Web Server Protection
          • WAF - Reverse Authentication - Auth Failure Feedback

            Currently when logging in and specifying a bad username or password, no feedback is given. The page simply reloads with no indication that the login attempt was even processed.
            Request:
            Provide basic authentication feedback preferably by populating runtime variables. These could be common auth failure results of "bad username or password", "account disabled", "password expired", "authorization failure", etc.

            1 vote
            0 comments · Web Server Protection
            • Resolve X-Forwarded-For headers to client IP addresses in the log

              When UTM is deployed as part of a proxy chain, the WAF logs do not capture the client source details present in the X-Forwarded-For headers, but will instead log the upstream proxy's IP address as source.
              Can we have a log field that allows administrators to also see the original requester's source address?

              Note that ProxyProtocol support does not solve this issue as many upstream proxies do not support this for traffic already tagged with X-Forwarded-For information.

              1 vote
              0 comments · Web Server Protection
              • Modify mod_sec built-in rules

                Allow administrators to modify the pre-supplied rules for the WAF as custom rules cannot override existing signatures. Having to create a custom signature and then exempt the built-in signature causes lots of additional administration and clutter.

                1 vote
                0 comments · Web Server Protection
                • Support for TLS 1.3

                  Support the latest version of the TLS protocol for improved security and performance. TLS 1.3 is a huge step forward for web security and performance.

                  37 votes
                  0 comments · Web Server Protection
                  • Reverse proxy add encodedslashes option

                    Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

                    Some web applications use, for example, %2F for a slash, and the reverse proxy cannot translate this back to / because allowencodedslashes is not enabled by default. So this results in a 404 error.

                    http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

                    When changing the configuration file of the reverseproxy it is working fine, but the configuration is overwritten all the time. So a checkbox in the Webadmin to enable this option would be nice.

                    59 votes
                    12 comments · Web Server Protection
                    • Web Application Firewall - change Authentication server on a case-by-case scenario.

                      A web application firewall hits the first server in the authentication list. If a domain controller is first, it'll always use that server. However, if I'm using a DUO 2-factor authentication proxy, I want the ability to use DUO on a case-by-case basis for web application servers, not all or nothing.

                      1 vote
                      0 comments · Web Server Protection
                      • Allow customizable block pages for WAF

                        Currently the WAF displays a generic HTTP status page (403 "Authentication required") for errors and blocked actions. This really breaks the general look and feel of the product as they feature no branding whatsoever.

                        It would be very nice if these pages feature the same style as the status pages in the rest of the UTM (Email, Web), and if we could offer similar customizability for them.

                        This will work two-fold: On the one hand it will make the generic blockpages prettier and more attuned to the rest of the product, and at the same time it will allow organizations…

                        23 votes
                        2 comments · Web Server Protection
                        • WAF support for Server 2016 RDWeb

                          Update WAF to support RDG passthrough when using Server 2016 RDWeb gateway.

                          4 votes
                          0 comments · Web Server Protection
                          • GUI Switch to enable "AllowEncodedSlashes" and "nocanon" in WAF

                            We are hosting a SAP Fiori webserver behind a UTM-220. To make this function, you have to edit the virtual host in reverseproxy.conf manually, because Fiori needs the Apache directive "AllowEncodedSlashes On" and the parameter "nocanon" at the ProxyPass directive (for example "balancer://8f757b42....20/" lbmethod=bybusyness nocanon).

                            After manual edit of the conf file it works, but after every change in the GUI we lose these entries. Please make it possible to change these settings in the GUI. Thank you.

                            10 votes
                            0 comments · Web Server Protection
                            • Allow enabling of Encoded Slashes directly on UTM Interface

                              The UTM should have a function in the Web Server Protection that allows the administrator to configure whether or not encoded slashes are allowed for the servers.

                              This is especially important for specific SAP-relevant functions, such as Fiori systems.
                              At the moment it's possible to manually configure this setting but it's reset every time a change to a server is made.
                              I believe that it would be best to either:
                              - not overwrite that point in the config, if enabled
                              - or straight up allow this configuration in the panel.

                              7 votes
                              2 comments · Web Server Protection
                              • WAF - Allow Remote Desktop Gateway protocol Windows server 2016

                                Upgraded our RDP Gateway server to Windows 2016, and connection through the WAF is now failing. Answer from support:

                                "I have reviewed the case and have researched this issue for you. For the RDP Gateway 2012R2, RD Gateway used to use RPC (remote procedure call) in order to transport the remote desktop session over HTTP, that was & still is supported by WAF on the UTM.

                                For the Windows 2016 RDP Gateway however, Microsoft decided to change the protocol they use so that instead of using RPC, they now use one called RDG. RDG is not supported by WAF on the…

                                41 votes
                                2 comments · Web Server Protection
                                • Request for the list of WAF Signature on Sophos UTM

                                  Request for the list of WAF Signature on Sophos UTM

                                  2 votes
                                  1 comment · Web Server Protection
                                  • Can we switch off the SSL weakness for WAF? Please do a server test at www.ssllabs.com and type a URL from a site behind the WAF.

                                    Can we switch off the SSL weakness for WAF? Please do a server test at www.ssllabs.com and type a URL from a site behind the WAF. You get this for all SSL versions:

                                    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
                                    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
                                    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

                                    10 votes
                                    1 comment · Web Server Protection
                                    • webserver protection waf download size

                                      When downloading a file from an Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
                                      The content-length header is probably not passed through here.
                                      Disabling WAF features or AV scanning does not change this.

                                      The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

                                      2 votes
                                      0 comments · Web Server Protection
                                      • Let's Encrypt Integration

                                        It would be very nice if Let's Encrypt CA starts with public certificates (letsencrypt.org), that we can get certs through the UTM GUI. So that the "Let's Encrypt Client" is integrated in the UTM. Would it be possible?
                                        Best Regards

                                        1,629 votes
                                        295 comments · Web Server Protection
                                        • Forms Authentication fallback to Basic Authentication for non-browser applications

                                          If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.

                                          1 vote
                                          0 comments · Web Server Protection