SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. WAF filter on Headers

    I use the Sophos UTM and WAF to enhance protections to our hosted websites. Occasionally I am receiving traffic from spiders that advertise themselves as Scrapy (scrapy.org) via the User Agent. I would like to add a check for the user_agent and blacklist user agents that are known to be "bad". I do know that it is trivial to change the user agent to something arbitrary, and the ability would still be useful.

    4 votes
    0 comments  ·  Web Server Protection
  2. Make UTM Webserver protection work with Exchange O365 hybrid passthrough

    Exchange / O365 Hybrid requires the use of WSSecurity/OAuth between O365 and on premise Exchange servers.
    Webserver protection, when set to passthrough, still intercepts this and breaks the authentication.
    The only way to use UTM with Exchange hybrid currently is to use DNAT rules, which therefore makes the whole thing redundant and useless.

    Please prevent passthrough from breaking WSSecurity/OAuth.

    13 votes
    2 comments  ·  Web Server Protection
  3. Web Ser

    Currently, the only way to enable SSTP is to use a DNAT rule and forward the entire 443 (HTTPS) traffic to an internal VPN server. This effectively "blocks" the use of 443 for anything else - be it Web Admin, User Portal, any virtual web server.

    Forefront TMG makes it possible to forward SSTP VPN connections easily to a SSTP VPN server (it's a shame a built-in SSTP is not available in UTM, but that's a different request altogether), making it possible to use other services on the default HTTPS port.

    Since Sophos UTM is advertised as a Forefront replacement…

    4 votes
    0 comments  ·  Web Server Protection
  4. WAF documentation upgrades

    Recently, I went through a fire drill to discover how to know the client IP when a webserver is sitting behind a WAF site. The answer is in the community forum (x-forwarded-for header), but why is this information not in the documentation? Most technology needs both concepts documentation (how do I achieve a business objective) and feature documentation (what does this button do.) Since the UTM manual is simply a repackaging of the online help, and both are intended only to describe how to fill in the forms, important information does not get communicated. (Another important bit of undocumented-but-critical information…

    2 votes
    0 comments  ·  Web Server Protection
  5. Support setting httpd_location field in WAF login form.

    When using the UTM box as a reverse proxy handling user authentication before allowing access to an internal web app, a user is redirected to the login form if they've not logged in already. I need to be able to redirect users to the page they requested originally once they've authenticated successfully. For example, if they try to access https://example.com/foo, they get redirected to https://example.com/somethingform where they enter their credentials. They submit the form which is submitted to https://example.com/somethinglogin. If they're successful, they're then sent to https://example.com/. I need them to be sent…

    7 votes
    1 comment  ·  Web Server Protection
  6. Remove bug that erases custom domains from Virtual Web Servers when using Wildcard Certificates

    When creating a Virtual Web Server and a wildcard certificate is used the domains list is auto-populated with *.domain.com and domain.com. If you delete those and put in custom domains and then click to expand the "Advanced" options, all the custom domains are deleted and replaced with the defaults.

    After renewing the wildcard certificate and updating it on the existing Virtual Web Server object, all the custom domains are again deleted and replaced with the default.

    This could cause a site outage if the changes get saved without the administrator noticing.

    I recommend fixing the bug with the "Advanced" dialog,…

    5 votes
    1 comment  ·  Web Server Protection
  7. HTTP/2 support

    Please add HTTP/2 support

    111 votes
    18 comments  ·  Web Server Protection
  8. WAF & Reverse Proxy

    Add a page to show current logged on users, log on time & duration. Possibly a link to the log of what pages they have visited whilst logged on?

    2 votes
    0 comments  ·  Web Server Protection
  9. Advanced Web Application Firewall - Enable HttpOnly flag for Cookie Signing

    Enable HttpOnly flag for Cookie Signing for Cookies containing a Hash

    15 votes
    3 comments  ·  Web Server Protection
  10. WebSocket for XG Appliance

    Make the Sophos XG Firewall work with WebSocket

    22 votes
    1 comment  ·  Web Server Protection
  11. Disable Server Signature

    Can you please disable the Server Signature header on the Web Server Protection so that it shows NULL or anything else apart from "Apache".

    Although this is not a failure for PCI compliance, it does flag on the check and not showing closes a possible issue.

    5 votes
    Under Review  ·  1 comment  ·  Web Server Protection
  12. WAF plus SSL VPN plus Userportal on Port 443

    UTM 9

    Sophos UTM already uses OpenVPN port sharing if the userportal uses the same port as SSL VPN. But I can't use SSL VPN on port 443, too.

    Basically it should be possible to use OpenVPN port sharing with the web application firewall instead of the user portal.
    In the WAP it should be possible to define a virtual web server that points to the userportal.

    12 votes
    0 comments  ·  Web Server Protection
  13. WAF GeoIP or ACL integration.

    Publishing a web server and limiting it to GEO location using WAF.

    3 votes
    0 comments  ·  Web Server Protection
  14. Log the domain used for virtual web servers in WAF

    Currently, Web Server Protection logs only note the first listed domain to identify which virtual web server was used by the client.
    • server: first domain name of the virtual server serving the request

    Since there can be a number of domains used by the same virtual web server, it would be much more useful to log the actual domain requested in the host header. As different domains can be used for different environments, this would provide much better analytics on how the virtual web server is being used.

    1 vote
    0 comments  ·  Web Server Protection
  15. WAF - Reverse Authentication - Auth Failure Feedback

    Currently when logging in and specifying a bad username or password, no feedback is given. The page simply reloads with no indication that the login attempt was even processed.

    Request:
    Provide basic authentication feedback preferably by populating runtime variables. These could be common auth failure results of "bad username or password", "account disabled", "password expired", "authorization failure", etc.

    1 vote
    0 comments  ·  Web Server Protection
  16. Enable OTP for WAF on a per-Authentication Profile basis

    At the moment we can use the new OTP feature just for all virtual webservers. Therefore, it is not possible to use this great new function in most implementations.

    For example, many customers want to publish Exchange services like OWA, ActiveSync and Outlook Anywhere: OWA with OTP and ActiveSync without OTP. But that is not possible.

    I suggest you implement a new authentication profile for OTP that we can use in the site path routing.

    34 votes
    0 comments  ·  Web Server Protection
  17. ID33532 9.209 RDWeb via WAF is not possible on customers site

    Issue ID 33532: the ability to publish a Remote Desktop Gateway would be appreciated. Currently there is no support for it in UTM.

    7 votes
    2 comments  ·  Web Server Protection
  18. Reverse proxy add encodedslashes option

    Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

    Some web applications use, for example, %2F for a slash, and the reverse proxy cannot translate this back to / because allowencodedslashes is not enabled by default. So this results in a 404 error.

    http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

    When changing the configuration file of the reverseproxy it is working fine, but the configuration is overwritten all the time. So a checkbox in the Webadmin to enable this option would be nice.

    67 votes
    12 comments  ·  Web Server Protection
  19. Webserver Protection: Reverse Authentication with NTLM and Kerberos

    The Reverse Authentication feature (UTM 9.2) for WAF is nice progress, but I'm hoping that it will soon be extended. There are many scenarios that require at least NTLM; Kerberos would be nice as well. Yes, we are coming from TMG :-)

    226 votes
    14 comments  ·  Web Server Protection
  20. notification for expiring certificate

    Notification for expiring installed certificate under Webserver Protection - Certificate Management. Could be either thru email notification or thru the UTM dashboard.

    4 votes
    0 comments  ·  Web Server Protection