SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Advanced Web Application Firewall - Enable HttpOnly flag for Cookie Signing

    Enable HttpOnly flag for Cookie Signing for Cookies containing a Hash

    15 votes
    3 comments  ·  Web Server Protection
  2. Disable Server Signature

    Can you please disable the Server Signature header on the Web Server Protection so that it shows NULL or anything else apart from "Apache".

    Although this is not a failure for PCI compliance, it does flag on the check and not showing closes a possible issue.

    5 votes
    Under Review  ·  1 comment  ·  Web Server Protection
  3. Log the domain used for virtual web servers in WAF

    Currently, Web Server Protection logs only note the first listed domain to identify which virtual web server was used by the client.
    • server: first domain name of the virtual server serving the request

    Since there can be a number of domains used by the same virtual web server, it would be much more useful to log the actual domain requested in the host header. As different domains can be used for different environments, this would provide much better analytics on how the virtual web server is being used.

    1 vote
    0 comments  ·  Web Server Protection
  4. WAF - Reverse Authentication - Auth Failure Feedback

    Currently when logging in and specifying a bad username or password, no feedback is given. The page simply reloads with no indication that the login attempt was even processed.
    Request:
    Provide basic authentication feedback preferably by populating runtime variables. These could be common auth failure results of "bad username or password", "account disabled", "password expired", "authorization failure", etc.

    1 vote
    0 comments  ·  Web Server Protection
  5. Resolve X-Forwarded-For headers to client IP addresses in the log

    When UTM is deployed as part of a proxy chain the WAF logs do not capture the client source details present in the X-Forwarded-For headers, but will instead log the upstream proxy's IP address as source.
    Can we have a log field that allows administrators to also see the original requester's source address?

    Note that ProxyProtocol support does not solve this issue as many upstream proxies do not support this for traffic already tagged with X-Forwarded-For information.

    1 vote
    0 comments  ·  Web Server Protection
  6. Modify mod_sec built-in rules

    Allow administrators to modify the pre-supplied rules for the WAF as custom rules cannot override existing signatures. Having to create a custom signature and then exempt the built-in signature causes lots of additional administration and clutter.

    1 vote
    0 comments  ·  Web Server Protection
  7. WAF plus SSL VPN plus Userportal on Port 443

    UTM 9

    Sophos UTM already uses OpenVPN port sharing if the userportal uses the same port as SSL VPN. But I can't use SSL VPN on port 443, too.

    Basically it should be possible to use OpenVPN port sharing with the web application firewall instead of the user portal.
    In the WAP it should be possible to define a virtual web server that points to the userportal.

    9 votes
    0 comments  ·  Web Server Protection
  8. Enable OTP for WAF on a per-Authentication Profile basis

    At the moment we can use the new OTP feature just for all virtual webservers. Therefore, it is not possible to use this great new function in most implementations.

    For example, many customers want to publish Exchange services like OWA, ActiveSync and Outlook Anywhere: OWA with OTP and ActiveSync without OTP. But that is not possible.

    I suggest you implement a new authentication profile for OTP that we can use in the site path routing.

    30 votes
    0 comments  ·  Web Server Protection
  9. ID33532 9.209 RDWeb via WAF is not possible on customers site

    Issue ID 33532: the ability to publish a Remote Desktop Gateway would be appreciated. Currently there is no support for it in UTM.

    7 votes
    2 comments  ·  Web Server Protection
  10. Reverse proxy add encodedslashes option

    Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

    Some web applications use, for example, %2F for a slash, and the reverse proxy cannot translate this back to / because allowencodedslashes is not enabled by default. So this results in a 404 error.

    http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

    When changing the configuration file of the reverseproxy it is working fine, but the configuration is overwritten all the time. So a checkbox in the Webadmin to enable this option would be nice.

    63 votes
    12 comments  ·  Web Server Protection
  11. Webserver Protection: Reverse Authentication with NTLM and Kerberos

    The Reverse Authentication feature (UTM 9.2) for WAF is nice progress, but I'm hoping that it will soon be extended. There are many scenarios that require at least NTLM; Kerberos would be nice as well. Yes, we are coming from TMG :-)

    224 votes
    14 comments  ·  Web Server Protection
  12. URL Redirection

    It would be great if it would be possible to redirect certain URLs

    For example:

    www.company.com => www.company.ch/site1
    www.company.com/site1 => www.company.com/newsite

    Thank you :)

    381 votes
    48 comments  ·  Web Server Protection
  13. Allow customizable block pages for WAF

    Currently the WAF displays a generic HTTP status page (403 "Authentication required") for errors and blocked actions. This really breaks the general look and feel of the product as they feature no branding whatsoever.

    It would be very nice if these pages feature the same style as the status pages in the rest of the UTM (Email, Web), and if we could offer similar customizability for them.

    This will work two-fold: On the one hand it will make the generic blockpages prettier and more attuned to the rest of the product, and at the same time it will allow organizations…

    26 votes
    3 comments  ·  Web Server Protection
  14. Web Application Firewall - change Authentication server on a case-by-case scenario.

    A web application firewall hits the first server in the authentication list. If a domain controller is first, it'll always use that server. However, if I'm using a DUO 2-factor authentication proxy, I want the ability to use DUO on a case-by-case basis for web application servers, not all or nothing.

    1 vote
    0 comments  ·  Web Server Protection
  15. Enable SPDY protocol for reverse proxy feature

    Please add the SPDY protocol to the reverse proxy to enhance HTTPS page load times through the UTM. Both on the client and server side, especially if the back end webserver supports the protocol.

    Thank you

    7 votes
    0 comments  ·  Web Server Protection
  16. Site Path Routing: Network Groups in Access Control

    Web Server Protection : Site Path Routing - Access control Lists

    Site Path Routing - Access control should allow Network Groups for management of large ACLs

    4 votes
    2 comments  ·  Web Server Protection
  17. Ability to publish FTP through the WAF

    Having the ability to publish FTP through the WAF instead of direct firewall passthrough would let you detect and block brute force attacks and such at the Sophos.

    7 votes
    0 comments  ·  Web Server Protection
  18. OCSP Stapling Support for WAF

    Please can you support OCSP Stapling.

    The obvious advantage to OCSP Stapling is the improvement in speed and availability of the OCSP certificate status check.

    OCSP Stapling helps maintain the privacy of the end user, since a CA can see which web sites a user has visited (only those web sites that have certificates issued by the CA). If OCSP Stapling is used, the CA will see OCSP requests only from the web site, not the web site’s end users.

    Many wi-fi hotspots use Captive Portals to control access to the Internet, sometimes requiring entry of a credit card number…

    23 votes
    0 comments  ·  Web Server Protection
  19. Web server protection - Add HSTS header support

    Request that the Sophos UTM supports HTTP Strict Transport Security (HSTS). RFC6797 - https://tools.ietf.org/html/rfc6797

    67 votes
    8 comments  ·  Web Server Protection
  20. SSO over WAF

    Planning to replace TMG with another UTM product. Sophos is looking good - but some features are missing which are a must-have for me:
    Any chance we will see
    * SSO for reverse proxy
    * Link translation like we know it in TMG
    * AD user change password option through rev. auth

    These are the only major issues preventing us from switching to Sophos

    26 votes
    1 comment  ·  Web Server Protection