The Support told me, its a bug buy sophos design, so this should be fixed.

If you have a DNS Entry, with more than one A DNS entrys, Lets Encrypt does not work like the standard from lets encrypt define it. The verification does not work anymore.

The UTM have to listen to all A entrys and catch the handshake/verification request.

best regards.

When publishing websites that has large request headers the WAF dismisses the request with "Size of a request header field exceeds server limit".

This is a major issue when publishing ADFS and other authentication mechanisms that use claims/tokens and sometimes they exceed the default value of 8K.

Please make firmware changes so that this value can be changed through the UI. optimally as a pr. virtual web server setting.

Let's Encrypt Integration came with UTM 9.6. That's great!

You should now implement the support of Let's Encrypt Wilcard domains with ACMEv2.

Best Regards

Please give the option to log also the IP address of internal servers on reverse proxy log file.

Give the way to modify the PCRE limit via web interface or shell.

As you know, Facebook is a social media platform. You can send a friend request to your friends, relatives, and any others. Facebook also used as a business purpose; you can sell or buy anything from your location. The Facebook Game room also use with the help of Facebook. On Facebook, you can upload any post which could be the image, docs file, video, etc. You can also get the news about the world happening.
Contact Facebook Customer Representative
Facebook Customer phone number: (866)535-7333
https://www.cuesinfo.com/blog/facebook-customer-representative/
https://www.cuesinfo.com/blog/facebook-no-news-feed/
https://www.cuesinfo.com/blog/facebook-customer-service

Let's Encrypt Integration is really cool but it would be even better if there is support for Domain Validation via DNS challenge. With DNS challenge, you can prove domain ownership (through responding to a challenge with a DNS TXT record) without the need to expose any services to the Internet.

This should be a critical bug in the product but has been downgraded to a feature request for an unknown reason.

Issue details
X-Forward-Host and others are appended to the request when the client sends the data (usually as a hack attempt). This results in both the values from the client and the value set from the firewall being sent through to the back end web server.

Please treat this as the bug it is and not as a feature request.

Tracking details:
Development reference number: NUTM-11135
Current Status: Assigned to backlog
Issue type: Feature Request

As admin I want to have intermediate CAs automagically added for certificates issued by Let's encrypt client, so they are then served when estalishing TLS connections ad retarted libraries are not breaking due to incomplete certificate chain

It should be possible to configure the tls version per virtual-webserver.

Also see https://community.sophos.com/products/unified-threat-management/f/web-server-security/99587/waf---vws---tls-version-setting-removed-from-utm-9-506/367224#367224

Support the latest version of TLS protocol for improved security and performance. TLS 1.3 is huge step forward for web security and performance.

When UTM is deployed as part of a proxy chain the WAF logs do not capture the client source details present in the X-Forward-For headers, but will instead log the upstream proxy's IP address as source.
Can we have a log field that allows administrators to also see the original requester's source address?

Note that ProxyProtocol support does not solve this issue as many upstream proxies do not support this for traffic already tagged with X-Forward-For information.

The ability to not just create a "skip rule ID" entry for a signature, but actually modify whether the firewall treats it as critical or not. Similar to tuning rules and rule categories in the IPS.

Allow administrators to modify the pre-supplied rules for the WAF as custom rules cannot override existing signatures. Having to create a custom signature and then exempt the built-in signature causes lots of additional administration and clutter.

Update WAF to support RDG passthrough when using Server 2016 RDWeb gateway.

The UTM should have a function in the Web Server Protection that allows the administrator to configure whether or not encoded slashes are allowed for the servers.

This is especially important for specific SAP-relevant functions, such as Fiori systems.
At the moment it's possible to manually configure this setting but it's reset everytime a change to a server is made.
I believe that it would be best to either:
- not overwrite the that point in the config, if enabled
- or straight up allow this configuration in the panel.

We are hosting a SAP Fiori webserver behind a UTM-220. To make this fuction, you have to edit the virtual host in reverseproxy.conf manually, because Fiori needs the Apache directive "AllowEncodedSlashes On" and the parameter "nocanon" at the ProxyPass directive (for example "balancer://8f757b42....20/" lbmethod=bybusyness nocanon).

After manual edit of the conf file it works, but after every change in the GUI we lost these entries. Please make it possible, to change these settings in the GUI. Thank you.