Let's Encrypt Integration came with UTM 9.6. That's great!

You should now implement the support of Let's Encrypt Wilcard domains with ACMEv2.

Best Regards

It should be possible to configure the tls version per virtual-webserver.

Also see https://community.sophos.com/products/unified-threat-management/f/web-server-security/99587/waf---vws---tls-version-setting-removed-from-utm-9-506/367224#367224

The ability to not just create a "skip rule ID" entry for a signature, but actually modify whether the firewall treats it as critical or not. Similar to tuning rules and rule categories in the IPS.

Currently, Web Server Protection logs only note the first listed domain to identify which virtual web server was used by the client.
• server: first domain name of the virtual server serving the request

Since there can be a number of domains used by the same virtual web server, it would be much more useful to log the actual domain requested in the host header. As different domains can be used for different environments, this would provide much better analytics on how the virtual web server is being used.

Currently when logging in and specifying a bad username or password, no feedback is given. The page simply reloads with no indication that the login attempt was even processed.
Request:
Provide basic authentication feedback preferably by populating runtime variables. These could be common auth failure results of "bad username or password", "account disabled", "password expired", "authorization failure", etc.

When UTM is deployed as part of a proxy chain the WAF logs do not capture the client source details present in the X-Forward-For headers, but will instead log the upstream proxy's IP address as source.
Can we have a log field that allows administrators to also see the original requester's source address?

Note that ProxyProtocol support does not solve this issue as many upstream proxies do not support this for traffic already tagged with X-Forward-For information.

Allow administrators to modify the pre-supplied rules for the WAF as custom rules cannot override existing signatures. Having to create a custom signature and then exempt the built-in signature causes lots of additional administration and clutter.

Support the latest version of TLS protocol for improved security and performance. TLS 1.3 is huge step forward for web security and performance.

Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

Because some web applications use for example %2F for a slash and the reverse proxy cannot translate this back to / because of allowencodedslashes is not enabled by default. So this results in a 404 error.

http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

When changing the configuration file of the reverseproxy it is working fine, but the configuration is overwritten all the time. So a checkbox in the Webadmin to enable this option would be nice.

a web application firewall hits the first server in the authentication list. If a domain controller is first, it'll always use that server. However, if I'm using a DUO 2-factor authentication proxy, I want the ability to use DUO on a case-by-case use for web application servers, not all or nothing.

Update WAF to support RDG passthrough when using Server 2016 RDWeb gateway.

We are hosting a SAP Fiori webserver behind a UTM-220. To make this fuction, you have to edit the virtual host in reverseproxy.conf manually, because Fiori needs the Apache directive "AllowEncodedSlashes On" and the parameter "nocanon" at the ProxyPass directive (for example "balancer://8f757b42....20/" lbmethod=bybusyness nocanon).

After manual edit of the conf file it works, but after every change in the GUI we lost these entries. Please make it possible, to change these settings in the GUI. Thank you.

The UTM should have a function in the Web Server Protection that allows the administrator to configure whether or not encoded slashes are allowed for the servers.

This is especially important for specific SAP-relevant functions, such as Fiori systems.
At the moment it's possible to manually configure this setting but it's reset everytime a change to a server is made.
I believe that it would be best to either:
- not overwrite the that point in the config, if enabled
- or straight up allow this configuration in the panel.

Request for the list of WAF Signature on Sophos UTM

Can we switch of the ssl weakness for WAF. Please do a server test at www.ssllabs.com and type a url from a site behind the WAF. you get this for all ssl v ersions

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

When downloading a file from a Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
The content-length header is probably not passed through here.
Disabling WAF features or AV scanning does not change this.

The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

It would be very nice if Let's Encrypt CA start with public certificates (letsencrypt.org), that we can get certs throug the UTM Gui. So that the "Let's Encrypt Client" is integrated in the UTM. Would it be possible?
Best Regards

If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.