SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


HTTP/2 support

Please add HTTP/2 support

89 votes
Fred. shared this idea

15 comments

  • Anonymous commented

    We are already in 2019, and the lack of support for HTTP/2 is beginning to be a limiting factor when working with the Sophos product, and that invites us to consider other alternatives.

  • Anonymous commented

    Not only is HTTP/2 missing. A new version of Apache would be useful overall. But TLS1 and TLS1.1 would no longer be available.

  • Chris Schaller commented

    Customers keep complaining that their websites look bad when we host them behind a Sophos firewall. Most Google-based APIs such as font services use HTTP/2, and all of our customers who have upgraded their websites in the last year have forced us to move their sites to resources not secured by Sophos UTM so that they can have pretty websites. We have now migrated 70% of our web app hosting to hardware secured by other vendors; without HTTP/2 support we won't have a need to renew our licenses when they next expire.

  • Marcel Wittwer commented

    Our company would be highly interested in this as well, but without a committed roadmap or similar, we will switch to another vendor.

  • Daniel commented

    We need HTTP/2 support. Other WAF providers (Incapsula, CloudFlare, etc.) have it.

  • FosterDoug commented

    I am concerned about the security issues introduced by lack of HTTP/2 support. HTTP/2 makes several changes to the HTTP data stream which improve performance by reducing the number of round trips needed to complete a web page. It also sends binary data rather than text. For it to be used, the web client must indicate willingness to support HTTP/2 (using a flag in the HTTP request) and the server must confirm that it provides support. For HTTPS with inspection, UTM will not supply the flag, so we will not get the performance gain but we will have no reduction in security. For HTTPS without inspection, UTM does not try to see inside the session anyway. But for HTTP without encryption, I am concerned that UTM will allow the HTTP/2 session to be established, and then be unable to perform content inspection, or worse, will suffer unpredictable confusion because of the binary data stream. Therefore, I think the minimum necessary action is to strip the HTTP/2 header from any HTTP request that UTM sees going outbound. Follow-up to my support ticket #6019863.
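
The mitigation proposed in the comment above, as an added example (not part of the original comment and not Sophos code). It assumes the "flag" is the `Upgrade: h2c` / `HTTP2-Settings` offer from RFC 7540 section 3.2, strips it from a cleartext HTTP/1.1 request while leaving other upgrades such as WebSocket intact, and also recognises the prior-knowledge connection preface; function names and sample requests are constructed, and obsolete header line folding is not handled.

```python
# Added example: remove cleartext HTTP/2 (h2c) upgrade offers from an
# outbound HTTP/1.1 request so the origin keeps speaking inspectable HTTP/1.1.

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 section 3.5


def is_h2_prior_knowledge(first_bytes: bytes) -> bool:
    """True if a client starts HTTP/2 directly, with no Upgrade handshake."""
    return first_bytes.startswith(H2_PREFACE)


def _tokens(value: bytes) -> list:
    """Split a comma-separated header value into non-empty tokens."""
    return [t.strip() for t in value.split(b",") if t.strip()]


def strip_h2c_upgrade(request: bytes) -> bytes:
    """Return the request with the h2c offer removed; the body is untouched."""
    head, sep, body = request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = [(n.strip(), v.strip())
               for n, _, v in (line.partition(b":") for line in header_lines)]

    # Pass 1: find Upgrade tokens that survive once h2c is removed.
    other_upgrades = [t for n, v in headers if n.lower() == b"upgrade"
                      for t in _tokens(v) if t.lower() != b"h2c"]
    # "Connection: Upgrade" is only dropped when nothing is left to upgrade to.
    drop_conn = {b"http2-settings"}
    if not other_upgrades:
        drop_conn.add(b"upgrade")

    # Pass 2: rebuild the header block.
    out = [request_line]
    for name, value in headers:
        key = name.lower()
        if key == b"http2-settings":
            continue
        if key == b"upgrade":
            kept = [t for t in _tokens(value) if t.lower() != b"h2c"]
        elif key == b"connection":
            kept = [t for t in _tokens(value) if t.lower() not in drop_conn]
        else:
            out.append(name + b": " + value)
            continue
        if kept:
            out.append(name + b": " + b", ".join(kept))
    return b"\r\n".join(out) + sep + body
```
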

  • Phillip Hesse commented

    This should be relatively easy to achieve, as UTM firmware v. 9.351-3 is running Apache 2.4.12 and HTTP/2 support is available in v. 2.4.17.

    Please update this soon, as browser support for HTTP/2 is already widespread (around 70% according to the web).

    It would be nice to be ahead of the curve on this one :)

    Thanks
