It should be possible to configure the tls version per virtual-webserver.

Also see https://community.sophos.com/products/unified-threat-management/f/web-server-security/99587/waf---vws---tls-version-setting-removed-from-utm-9-506/367224#367224

Support the latest version of TLS protocol for improved security and performance. TLS 1.3 is huge step forward for web security and performance.

a web application firewall hits the first server in the authentication list. If a domain controller is first, it'll always use that server. However, if I'm using a DUO 2-factor authentication proxy, I want the ability to use DUO on a case-by-case use for web application servers, not all or nothing.

Update WAF to support RDG passthrough when using Server 2016 RDWeb gateway.

We are hosting a SAP Fiori webserver behind a UTM-220. To make this fuction, you have to edit the virtual host in reverseproxy.conf manually, because Fiori needs the Apache directive "AllowEncodedSlashes On" and the parameter "nocanon" at the ProxyPass directive (for example "balancer://8f757b42....20/" lbmethod=bybusyness nocanon).

After manual edit of the conf file it works, but after every change in the GUI we lost these entries. Please make it possible, to change these settings in the GUI. Thank you.

The UTM should have a function in the Web Server Protection that allows the administrator to configure whether or not encoded slashes are allowed for the servers.

This is especially important for specific SAP-relevant functions, such as Fiori systems.
At the moment it's possible to manually configure this setting but it's reset everytime a change to a server is made.
I believe that it would be best to either:
- not overwrite the that point in the config, if enabled
- or straight up allow this configuration in the panel.

Can we switch of the ssl weakness for WAF. Please do a server test at www.ssllabs.com and type a url from a site behind the WAF. you get this for all ssl v ersions

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

When downloading a file from a Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
The content-length header is probably not passed through here.
Disabling WAF features or AV scanning does not change this.

The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

It would be very nice if Let's Encrypt CA start with public certificates (letsencrypt.org), that we can get certs throug the UTM Gui. So that the "Let's Encrypt Client" is integrated in the UTM. Would it be possible?
Best Regards

If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.

With 'Skip remote lookups for clients with bad reputation' option, Sophos will use cached information instead of online checks which is fine, but we need to be able to configure how long Sophos keep this cached information.

As the online database updated all the time, there should be a configuration to clear up cached information, for example every 24 hours.

Currently, I was told by Sophos support that I have disable this temporarily and re-enable it to clear out the previously cached information.

When we configure WAF in monitor mode we did not receive proper categorized logs in Alert but when we configure in REJECT MODE - it works fine

Requesting you to look this because before applying WAF we have to monitor traffic and pattern and after then we can create required rules in WAF

Here this part is missing which will misguide user while configuring it

Request for the list of WAF Signature on Sophos UTM

Waf-fle support

Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle console is a useful tool

To be taken into account by you

I use the Sophos UTM and WAF to enhance protections to our hosted websites. Occasionally I am receiving traffic from spiders that advertise themselves as Scrapy (scrapy.org) via the User Agent. I would like to add a check for the user_agent and black list user agents that are known to be "bad". I do know that it is trivial change the user agent to something arbitrary and the ability would still be useful.

Exchange / O365 Hybrid requires the use of WSSecurity/OAuth between O365 and on premise Exchange servers.
Webserver protection, when set to passthrough, still intercepts this and breaks the authentication.
only way to use UTM with Exchange hybrid currently is to use DNAT rules and therefore makes the whole thing redundant and useless.

please prevent passthrough from breaking WSSecurity/OAuth.

There are many companies that force employees to reset domain user passwords very often. Now, when employees need to access mail using their Web Mail and their password has expired they will have to call IT to reset their password, but if working hours has finished and there is no IT personnel in the office, or maybe it's weekend, which is even worse, they will have to wait until next working day so that IT can help. In situation like this, enabling users to reset their domain account password using Web Mail Portal, like Microsoft TMG does, would help.