SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. URL Redirection

    It would be great if it would be possible to redirect certain URLs

    For example:

    www.company.com => www.company.ch/site1
    www.company.com/site1 => www.company.com/newsite

    Thank you :)

    389 votes
    48 comments  ·  Web Server Protection
  2. Allow customizable block pages for WAF

    Currently the WAF displays a generic HTTP status page (403 "Authentication required") for errors and blocked actions. This really breaks the general look and feel of the product as they feature no branding whatsoever.

    It would be very nice if these pages feature the same style as the status pages in the rest of the UTM (Email, Web), and if we could offer similar customizability for them.

    This will work two-fold: On the one hand it will make the generic blockpages prettier and more attuned to the rest of the product, and at the same time it will allow organizations…

    28 votes
    3 comments  ·  Web Server Protection
  3. Web Application Firewall - change Authentication server on a case-by-case scenario.

    A web application firewall hits the first server in the authentication list. If a domain controller is first, it'll always use that server. However, if I'm using a DUO 2-factor authentication proxy, I want the ability to use DUO on a case-by-case use for web application servers, not all or nothing.

    1 vote
    0 comments  ·  Web Server Protection
  4. QoS for Virtual Webservers

    QoS / Throttling the upload for virtual webservers (Web Server Protection). It would be nice if you have many webservers, that you can throttle the upload for each "virtual server"

    example:
    - virtual webserver a (wan) unlimited upload to wan side
    - virtual webserver b (wan) limited upload 10mbit to wan side

    that would be really nice, is it possible?

    4 votes
    0 comments  ·  Web Server Protection
  5. Enable SPDY protocol for reverse proxy feature

    Please add the SPDY protocol to the reverse proxy to enhance HTTPS page load times through the UTM. Both on the client and server side, especially if the back end webserver supports the protocol.

    Thank you

    7 votes
    0 comments  ·  Web Server Protection
  6. Site Path Routing: Network Groups in Access Control

    Web Server Protection : Site Path Routing - Access control Lists

    Site Path Routing - Access control should allow Network Groups for management of large ACLs

    4 votes
    2 comments  ·  Web Server Protection
  7. Ability to publish FTP through the WAF

    Having the ability to publish FTP through the WAF instead of direct firewall passthrough, then you could detect and block brute force attacks and such at the Sophos.

    7 votes
    0 comments  ·  Web Server Protection
  8. Configurable HTTPS DH parameter in the Web Application Firewall

    The web application firewall cannot support HTTPS connections by Java 6/7 clients because the DH parameter for HTTPS is set to a value greater than 1024 and this is not configurable.

    For an easy reference for the issue:
    http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

    The error message the clients will receive is:

    javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair

    The only option is to manually add a DH-pair of 1024 or less into the first certificate generated by the Sophos device under /var/chroot-reverseproxy/usr/apache/conf/ssl/ (and then, do that every time the configuration changes), or not use the WAF.

    Warnings for those who come across this post: …

    2 votes
    2 comments  ·  Web Server Protection
  9. OCSP Stapling Support for WAF

    Please can you support OCSP Stapling.

    The obvious advantage to OCSP Stapling is the improvement in speed and availability of the OCSP certificate status check.

    OCSP Stapling helps maintain the privacy of the end user, since a CA can see which web sites a user has visited (only those web sites that have certificates issued by the CA). If OCSP Stapling is used, the CA will see OCSP requests only from the web site, not the web site’s end users.

    Many wi-fi hotspots use Captive Portals to control access to the Internet, sometimes requiring entry of a credit card number…

    25 votes
    0 comments  ·  Web Server Protection
  10. Web server protection - Add HSTS header support

    Request that the Sophos UTM supports HTTP Strict Transport Security (HSTS). RFC6797 - https://tools.ietf.org/html/rfc6797

    75 votes
    9 comments  ·  Web Server Protection
  11. Parallel Usage of VPN(SSL), Userportal and other HTTPS Sites on Port 443

    It would be nice if you could handle it, that we can either use port 443 for VPN (SSL) as also OWA/WAF and(!) Userportal. Maybe this is possible?

    4 votes
    1 comment  ·  Web Server Protection
  12. SSO over WAF

    Planning to replace TMG with other UTM product. Sophos is looking good - but some features are missing which are a must have for me:
    Any chance we will see
    * SSO for reverse proxy
    * Link translation like we know it in TMG
    * AD user change password option through rev. auth

    These are the only major issues preventing us from switching to Sophos

    26 votes
    1 comment  ·  Web Server Protection
  13. Web Application Firewall - Allow more granular exceptions

    Allow exceptions to be defined more granularly. For example, allow specific protocol anomalies in HTTP Policy or specific checks in SQL Injection Attacks.

    5 votes
    1 comment  ·  Web Server Protection
  14. (Webserver Protection) WAF + (Network Protection) Server Load Balancing.

    It would be great if there was a way to use the WAF but with Server Load Balancer setup in the Network Protection area or at least have the same type of control if not even more types of load balancing controls than there are now.

    As noted in another feature suggestion of having Layer 7 checks in the WAF Load balancer would be great. And I agree. But along those same lines I also have needs to specify load to not be round robin and to weight it. Which you can do to a degree in the Network Protection…

    16 votes
    1 comment  ·  Web Server Protection
  15. Enable Sharepoint2013 encryption in SafeGuard Enterprise

    Enable that SafeGuard Enterprise client can encrypt files on SharePoint sites

    3 votes
    0 comments  ·  Web Server Protection
  16. webserver protection waf download size

    When downloading a file from an Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
    The content-length header is probably not passed through here.
    Disabling WAF features or AV scanning does not change this.

    The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

    2 votes
    0 comments  ·  Web Server Protection
  17. Make RBL list update possible via Pattern update or check their availability

    Recently the Web Server Security reverse proxy experienced timeout problems because "block clients with bad reputation" was active and one of the three internally used DNS RBL lists is down (dnsbl.proxybl.org).

    As the DNS RBL list stuff is not very reliable and often these lists are down due to DOS attacks or lack of administrators, it would make sense to react to such changes very quickly.

    So I suggest making updates of RBL lists using the pattern update mechanism (applies to both SMTP and reverse proxy and maybe Web Security as well).

    Another approach would be to check the availability…

    5 votes
    0 comments  ·  Web Server Protection
  18. Add file type filtering to WAF

    Allow admins to list a set of file extensions and MIME types they wish to filter from either upload, downloads or both.

    Include the true filetype detection already present in Web Protection (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1468141-web-security-file-extension-blocking-inside-archi) to make evasion harder.

    Optionally: Make the list of file-types a reverse authentication attribute, so that different groups of users are allowed to use different types of files.

    This functionality will allow for greater flexibility and protection when using the WAF. It can work as a DLP filter in downloads, or as a way of blocking executable code in uploads.

    3 votes
    0 comments  ·  Web Server Protection
  19. websocket support for WAF

    We are hosting a SignalR hub (http://signalr.net/) behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
    SignalR will always try to use Web Sockets (http://en.wikipedia.org/wiki/WebSocket), a new HTML5 API, and fall back to other technologies where this isn't possible to be used.
    Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets, so having support for websockets in WAF would be super cool.

    471 votes
    57 comments  ·  Web Server Protection
  20. Forms Authentication fallback to Basic Authentication for non-browser applications

    If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.

    1 vote
    0 comments  ·  Web Server Protection