SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. SSO over WAF

    Planning to replace TMG with another UTM product. Sophos is looking good - but some features are missing which are a must-have for me:
    Any chance we will see
    * SSO for reverse proxy
    * Link translation like we know it in TMG
    * AD user change password option through rev. auth

    These are the only major issues preventing us from switching to Sophos

    26 votes
    1 comment  ·  Web Server Protection
  2. WAF Reverse Proxy with authentication: add authenticated username in http header

    If WAF authentication is selected to be done by the UTM, the username of the authenticated user should be added in the HTTP request header sent to the backend web server. In addition, the groups should be added in another header attribute. That would be a function comparable to IBM WebSEAL and its HTTP headers iv-user and iv-groups.

    For security, this feature should be combined with mutual HTTPS authentication, i.e. adding an HTTPS client certificate by the UTM to prevent modification of the HTTP request header between UTM and backend.

    2 votes
    0 comments  ·  Web Server Protection
  3. web application firewall rewrite rules


    • Change the Rewrite from domain.de/ to domain.de/index.php with site path routing activated.

    • WAF rewrite rules for files like .php or .xml

    1 vote
    0 comments  ·  Web Server Protection
  4. Websites Lists - Filter Actions

    Currently the Websites List in a Filter Action is only available in one Filter Action. When you remove the Websites List, it cannot be created with the same name across any of the Filter Actions.

    Ideally you should be able to totally remove a Websites List as well as assign the exact same Websites List (with all the same Websites and any future changes) to multiple Filter Actions. I would suggest this has significant benefit to large business; more specifically education. Schools want to be able to add a Website list to all students for block/allow but still keep individual…

    3 votes
    0 comments  ·  Web Server Protection
  5. Webserver Protection: Reverse Authentication with NTLM and Kerberos

    The Reverse Authentication feature (UTM 9.2) for WAF is nice progress, but I'm hoping that it will soon be extended. There are many scenarios that require at least NTLM; Kerberos would be nice as well. Yes, we are coming from TMG :-)

    228 votes
    14 comments  ·  Web Server Protection
  6. 3 votes
    0 comments  ·  Web Server Protection
  7. Allow more detailed modifying of UTM WAF rules and behaviour. (ModSecurity function)

    UTM is preventing some internet traffic from going to e.g. Apache Linux servers due to escaping of the \, which is required for all systems to be able to identify a character such as $ or @.
    When this happens using multiple layers of backslash escaping, Sophos treats this as an SQL Injection. There is currently no way of modifying this behaviour legally, and you need to enter SQL Injection Bypasses on particular pages on your Apache hosted site, which is not optimal.

    Giving the end user some more power on what should and should not be captured via an advanced profile option,…

    1 vote
    0 comments  ·  Web Server Protection
  8. Make onboard OTP usable for special virtual webservers

    At the moment we can use the new OTP feature just for all virtual webservers. Therefore, it is not possible to use this great new function in most implementations.

    For example, many customers want to publish Exchange services like OWA, ActiveSync and Outlook Anywhere: OWA with OTP and ActiveSync without OTP. But that is not possible.

    I suggest you implement a new authentication profile for OTP that we can use in the site path routing.

    20 votes
    0 comments  ·  Web Server Protection
  9. Add configurable request header field for reverse proxy into webadmin

    Browsers sometimes generate very big request headers for services like ADFS.

    It would be great if you could implement such an editable field in webadmin.

    One issue is described in the following thread.

    https://www.astaro.org/gateway-products/web-server-security/53339-9-205-12-adfs-2-0-waf-dont-work.html

    16 votes
    4 comments  ·  Web Server Protection
  10. Web Application Firewall: Web-Access for Remote Desktop

    Please add the Web-Access for Remote Desktop feature for Win2012 R2 to the WAF and make it work with an additional OTP form-based auth.

    Would be very very great!

    5 votes
    1 comment  ·  Web Server Protection
  11. WAF: option to set secure flag on cookies

    In the case where we want to have the UTM do the SSL encryption and keep our web servers serving plain text, we can't set the secure flag on the cookies at the web server. I like to leave the HTTP port open and use the new HTTP->HTTPS redirection feature in WAF but it does create a security hole in regards to authentication cookies.

    Can WAF include the option to set the secure flag on cookies for a selected virtual server?

    5 votes
    0 comments  ·  Web Server Protection
  12. Auto Blacklist IPs from WAF/IDS triggers

    I have had an IP trigger 4 separate WAF rules.
    SQL Comment Sequence Detected.
    Detects classic SQL injection probings 1/2
    SQL Injection Attack: Common Injection Testing Detected
    SQL Injection Attack: SQL Operator Detected

    This guy is up to no good, I could see perhaps 1, but 4?
    It would be nice if, after X amount of triggers or X type of triggers in X time, the IP is added to a blacklist.

    We could view this list of auto banned IPs and get information like Who/what/where/when/how and decide to leave them on the list, remove them, or change the ban…

    3 votes
    0 comments  ·  Web Server Protection
  13. Ability to specify Logout URLS (Reverse Auth/WebServer protection)

    In TMG/ISA, when publishing a server such as Outlook Web Access, we had the ability to define a logout url so that it would terminate the connection when the user clicked 'log out' in the OWA interface.

    At present, we are reliant on the session timeouts or disabling reverse authentication altogether, using Exchange's built-in form authentication to handle it. Would be great to have this feature so we can make the most of reverse auth and limit possible unauthorised use.

    7 votes
    1 comment  ·  Web Server Protection
  14. Webserver Protection & Citrix Support

    Would love to have Citrix supported with the reverse proxy.

    9 votes
    0 comments  ·  Web Server Protection
  15. Web server protection - Add HSTS header support

    Request that the Sophos UTM supports HTTP Strict Transport Security (HSTS). RFC6797 - https://tools.ietf.org/html/rfc6797

    79 votes
    10 comments  ·  Web Server Protection
  16. Link translation with custom dictionary - like TMG has in a web publishing reverse proxy role

    Today I publish SAP portal through TMG. To accomplish that publishing through a reverse proxy, I need to be able to replace SAP-specific code such as: 80&#x2f with 443&#x2f and http&#x3a with https&#x3a. This makes our webdynpro's work. These text replacing techniques are called custom dictionaries in TMG.

    Basically TMG goes through the entire page as it's delivered to the end user's browser and changes this code on the fly. I use link translation for other situations too, so I would love to see this feature added. Thank you.

    2 votes
    0 comments  ·  Web Server Protection
  17. WAF: Filtering IP addresses for a network interface

    WAF only lets us choose a network interface for the virtual server to communicate to the Internet. No further filtering, e.g. a firewall rule for defined IP addresses that can connect to the network interface, is possible.

    1 vote
    1 comment  ·  Web Server Protection
  18. URL Redirection

    It would be great if it would be possible to redirect certain URLs

    For example:

    www.company.com => www.company.ch/site1
    www.company.com/site1 => www.company.com/newsite

    Thank you :)

    390 votes
    48 comments  ·  Web Server Protection
  19. Drain stop real servers in WAF

    When one removes / disables a real server in WAF, all connections are immediately killed. It would be nice if there were an option to drain a real server. So WAF would stop sending new connections to that real server, but established connections would continue until they're terminated by client/server.

    4 votes
    0 comments  ·  Web Server Protection
  20. UTM WAF - Custom HEADER

    Add the ability to add custom HTTP Headers while processing HTTP requests through the WAF

    The idea will allow me to "copy" header data
    e.g.: X-My-Custom-Header: $x-forwarded-proto

    Use case:
    When running a server behind 2 layered AWS ELBs, the first x-forwarded-proto header is overwritten by the 2nd layer; that means that the application server can't see the original user-requested protocol

    Lahav Savir @ Emind Cloud Expert

    11 votes
    3 comments  ·  Web Server Protection