SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Web Application Firewall - Allow more granular exceptions

    Allow exceptions to be defined more granularly. For example, allow specific protocol anomalies in HTTP Policy or specific checks in SQL Injection Attacks.

    5 votes
    1 comment  ·  Web Server Protection
  2. Request for the list of WAF Signature on Sophos UTM

    Request for the list of WAF Signature on Sophos UTM

    2 votes
    1 comment  ·  Web Server Protection
  3. webserver protection waf download size

    When downloading a file from an Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
    The content-length header is probably not passed through here.
    Disabling WAF features or AV scanning does not change this.

    The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

    2 votes
    0 comments  ·  Web Server Protection
  4. Make RBL list update possible via Pattern update or check their availability

    Recently the Web Server Security reverse proxy experienced timeout problems because "block clients with bad reputation" was active and one of the three internally used DNS RBL lists is down (dnsbl.proxybl.org).

    As the DNS RBL list stuff is not very reliable and often these lists are down due to DOS attacks or lack of administrators, it would make sense to react to such changes very quickly.

    So I suggest making updates of RBL lists using the pattern update mechanism (applies to both SMTP and reverse proxy and maybe Web Security as well).

    Another approach would be to check the availability…

    5 votes
    0 comments  ·  Web Server Protection
  5. websocket support for WAF

    We are hosting a SignalR hub (http://signalr.net/) behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
    SignalR will always try to use Web Sockets (http://en.wikipedia.org/wiki/WebSocket), a new HTML5 API, and fall back to other technologies where this isn't possible.
    Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets, so having support for websockets in WAF would be super cool.

    460 votes
    58 comments  ·  Web Server Protection
  6. Forms Authentication fallback to Basic Authentication for non-browser applications

    If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.

    1 vote
    0 comments  ·  Web Server Protection
  7. 'Skip remote lookups for clients with bad reputation' - configurable cached clean up

    With the 'Skip remote lookups for clients with bad reputation' option, Sophos will use cached information instead of online checks, which is fine, but we need to be able to configure how long Sophos keeps this cached information.

    As the online database is updated all the time, there should be a configuration to clear out cached information, for example every 24 hours.

    Currently, I was told by Sophos support that I have to disable this temporarily and re-enable it to clear out the previously cached information.

    1 vote
    0 comments  ·  Web Server Protection
  8. No proper categorization of logs in WAF when configured in monitor mode

    When we configure WAF in monitor mode, we did not receive properly categorized logs in Alert, but when we configure it in REJECT MODE, it works fine.

    Requesting you to look into this, because before applying WAF we have to monitor traffic and patterns, and only after that can we create the required rules in WAF.

    This part is missing here, which will misguide users while configuring it.

    2 votes
    0 comments  ·  Web Server Protection
  9. Make onboard OTP usable for special virtual webserver

    At the moment we can use the new OTP feature just for all virtual webservers. Therefore, it is not possible to use this great new function in most implementations.

    An example: many customers want to publish Exchange services like OWA, ActiveSync and Outlook Anywhere. OWA with OTP and ActiveSync without OTP. But that is not possible.

    I suggest you implement a new authentication profile for OTP that we can use in the site path routing.

    19 votes
    1 comment  ·  Web Server Protection
  10. Waf-fle support Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle co

    Waf-fle support

    Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle console is a useful tool

    To be taken into account by you

    5 votes
    1 comment  ·  Web Server Protection
  11. Add configurable request header field for reverse proxy into webadmin

    Browsers sometimes generate very big request headers for services like ADFS.

    It would be great if you could implement such an editable field in webadmin.

    One issue is described in the following thread.

    https://www.astaro.org/gateway-products/web-server-security/53339-9-205-12-adfs-2-0-waf-dont-work.html

    14 votes
    2 comments  ·  Web Server Protection
  12. Web Server Protection: Certificate-based Authentication

    I would appreciate support for certificate-based authentication like in Microsoft TMG. I don't know why Sophos is advertising "Replace your TMG with Sophos UTM" if UTM can't even do this! I want the reverse proxy to check a client certificate; if this certificate is not valid or doesn't exist, it shows an error page.

    TMG Config: http://4sysops.com/wp-content/uploads/2011/07/SSL-Client-Certificate-Authentication_thumb.png

    194 votes
    14 comments  ·  Web Server Protection
  13. WAF documentation upgrades

    Recently, I went through a fire drill to discover how to know the client IP when a webserver is sitting behind a WAF site. The answer is in the community forum (x-forwarded-for header), but why is this information not in the documentation? Most technology needs both concepts documentation (how do I achieve a business objective) and feature documentation (what does this button do.) Since the UTM manual is simply a repackaging of the online help, and both are intended only to describe how to fill in the forms, important information does not get communicated. (Another important bit of undocumented-but-critical information…

    1 vote
    0 comments  ·  Web Server Protection
  14. Enable users to reset their domain user password using Web Mail

    There are many companies that force employees to reset domain user passwords very often. Now, when employees need to access mail using their Web Mail and their password has expired, they will have to call IT to reset their password, but if working hours have finished and there are no IT personnel in the office, or maybe it's the weekend, which is even worse, they will have to wait until the next working day so that IT can help. In a situation like this, enabling users to reset their domain account password using the Web Mail Portal, like Microsoft TMG does, would help.

    23 votes
    1 comment  ·  Web Server Protection
  15. WAF Reverse Proxy with authentication: add authenticated username in http header

    If WAF authentication is selected to be done by the UTM, the username of the authenticated user should be added in the HTTP request header sent to the backend web server. In addition, the groups should be added in another header attribute. That would be a function comparable to IBM Webseal and its HTTP headers iv-user and iv-groups.

    For security, this feature should be combined with mutual HTTPS authentication, i.e. adding an HTTPS client certificate by the UTM to prevent modification of the HTTP request header between UTM and backend.

    2 votes
    0 comments  ·  Web Server Protection
  16. Web Application Firewall: Remote Desktop Gateway support

    Similar to support for Outlook Anywhere, it would be really beneficial if the WAF allowed for the publishing of Remote Desktop Gateway and handled those methods. RDG_OUT_DATA followed by RPC_IN_DATA and RPC_OUT_DATA, and including /RemoteDesktopGateway in the request. It seems like common functionality that many customers must be looking for...

    151 votes
    25 comments  ·  Web Server Protection
  17. Remove bug that erases custom domains from Virtual Web Servers when using Wildcard Certificates

    When creating a Virtual Web Server and a wildcard certificate is used the domains list is auto-populated with *.domain.com and domain.com. If you delete those and put in custom domains and then click to expand the "Advanced" options, all the custom domains are deleted and replaced with the defaults.

    After renewing the wildcard certificate and updating it on the existing Virtual Web Server object, all the custom domains are again deleted and replaced with the default.

    This could cause a site outage if the changes get saved without the administrator noticing.

    I recommend fixing the bug with the "Advanced" dialog,…

    4 votes
    1 comment  ·  Web Server Protection
  18. waf header

    Suppress server header from WAF reverse proxy. Most *********** testers flag up the fact that it gives away that it is running Apache. Please add to the GUI the ability to turn this header off. It can be done manually at the moment with a hack, but it is unsupported; please make it an official setting.

    Add the following code to httpd.conf:

    <IfModule security2_module>
    SecRuleEngine on
    ServerTokens Full
    SecServerSignature " "
    </IfModule>

    1 vote
    1 comment  ·  Web Server Protection
  19. elliptic curves

    UTM should support elliptic curves for ReverseProxy

    1 vote
    0 comments  ·  Web Server Protection
  20. Web Application Firewall OTP support for form to form authentication

    Support for form to form authentication with one time passwords in the WAF.

    The WAF should be able to pass authentication through to a website which authenticates using a form (as opposed to only basic auth) if there is configuration on the UTM that defines the URL to the page which can process the login (not the login form) and the field names for the username and password.

    35 votes
    1 comment  ·  Web Server Protection