SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. webserver protection waf download size

    When downloading a file from an Owncloud backend via the Sophos UTM WAF, no estimated time and no file size are displayed.
    The content-length header is probably not passed through here.
    Disabling WAF features or AV scanning does not change this.

    The Sophos WAF should determine the file size and display the estimated download time when supported by the backend.

    2 votes

    0 comments  ·  Web Server Protection
  2. Add file type filtering to WAF

    Allow admins to list a set of file extensions and MIME types they wish to filter from either uploads, downloads or both.

    Include the true filetype detection already present in Web Protection (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1468141-web-security-file-extension-blocking-inside-archi) to make evasion harder.

    Optionally: Make the list of file-types a reverse authentication attribute, so that different groups of users are allowed to use different types of files.

    This functionality will allow for greater flexibility and protection when using the WAF. It can work as a DLP filter in downloads, or as a way of blocking executable code in uploads.

    3 votes

    0 comments  ·  Web Server Protection
  3. websocket support for WAF

    We are hosting a SignalR hub (http://signalr.net/) behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
    SignalR will always try to use Web Sockets (http://en.wikipedia.org/wiki/WebSocket), a new HTML5 API, and fall back to other technologies where this isn't possible.
    Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets, so having support for websockets in WAF would be super cool.

    476 votes

    57 comments  ·  Web Server Protection
  4. Forms Authentication fallback to Basic Authentication for non-browser applications

    If the UserAgent provided by the client is not a web browser, fall back to Basic Authentication, instead of presenting the Forms Authentication. This is a feature present in ISA 2006 and TMG 2010.

    1 vote

    0 comments  ·  Web Server Protection
  5. 'Skip remote lookups for clients with bad reputation' - configurable cached clean up

    With the 'Skip remote lookups for clients with bad reputation' option, Sophos will use cached information instead of online checks, which is fine, but we need to be able to configure how long Sophos keeps this cached information.

    As the online database is updated all the time, there should be a configuration to clear out cached information, for example every 24 hours.

    Currently, I was told by Sophos support that I have to disable this temporarily and re-enable it to clear out the previously cached information.

    1 vote

    0 comments  ·  Web Server Protection
  6. No proper categorization of logs in WAF when configured in monitor mode

    When we configure WAF in monitor mode, we do not receive properly categorized logs in Alert, but when we configure it in REJECT MODE, it works fine.

    Requesting you to look into this, because before applying WAF we have to monitor traffic and patterns, and after that we can create the required rules in WAF.

    This part is missing here, which will misguide users while configuring it.

    2 votes

    0 comments  ·  Web Server Protection
  7. Make onboard OTP usable for special virtual webserver

    At the moment we can use the new OTP feature just for all virtual webservers. Therefore, it is not possible to use this great new function in most implementations.

    An example: many customers want to publish Exchange services like OWA, ActiveSync and Outlook Anywhere, with OWA using OTP and ActiveSync without OTP. But that is not possible.

    I suggest you implement a new authentication profile for OTP that we can use in the site path routing.

    20 votes

    0 comments  ·  Web Server Protection
  8. Add configurable request header field for reverse proxy into webadmin

    Browsers sometimes generate very big request headers for services like ADFS.

    It would be great if you could implement such an editable field in webadmin.

    One issue is described in the following thread.

    https://www.astaro.org/gateway-products/web-server-security/53339-9-205-12-adfs-2-0-waf-dont-work.html

    16 votes

    4 comments  ·  Web Server Protection
  9. Waf-fle support Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle co

    Waf-fle support

    Waf Server security monitoring console we need the waf part of the waf can or improve the reporting part and the waf-fle console is a useful tool

    To be taken into account by you

    5 votes

    1 comment  ·  Web Server Protection
  10. Web Server Protection: Certificate-based Authentication

    I would appreciate support for certificate-based authentication like in Microsoft TMG. I don't know why Sophos is advertising "Replace your TMG with Sophos UTM" if UTM can't even do this! I want the reverse proxy to check a client certificate; if this certificate is not valid or doesn't exist, it shows an error page.

    TMG Config: http://4sysops.com/wp-content/uploads/2011/07/SSL-Client-Certificate-Authentication_thumb.png

    208 votes

    11 comments  ·  Web Server Protection
  11. Ability to specify Logout URLS (Reverse Auth/WebServer protection)

    In TMG/ISA, when publishing a server such as Outlook Web Access, we had the ability to define a logout url so that it would terminate the connection when the user clicked 'log out' in the OWA interface.

    At present, we are reliant on the session timeouts or disabling reverse authentication altogether, using Exchange's built-in form authentication to handle it. It would be great to have this feature so we can make the most of reverse auth and limit possible unauthorised use.

    7 votes

    1 comment  ·  Web Server Protection
  12. UTM WAF - Custom HEADER

    Add the ability to add custom HTTP Headers while processing HTTP requests through the WAF

    The idea will allow me to "copy" header data
    e.g.: X-My-Custom-Header: $x-forwarded-proto

    Use case:
    When running a server behind 2 layered AWS ELB, the first x-forwarded-proto header is overwritten by the 2nd layer. That means that the application server can't see the original user-requested protocol.

    Lahav Savir @ Emind Cloud Expert

    11 votes

    3 comments  ·  Web Server Protection
  13. Enable users to reset their domain user password using Web Mail

    There are many companies that force employees to reset domain user passwords very often. Now, when employees need to access mail using their Web Mail and their password has expired, they will have to call IT to reset their password. But if working hours have finished and there are no IT personnel in the office, or maybe it's the weekend, which is even worse, they will have to wait until the next working day so that IT can help. In a situation like this, enabling users to reset their domain account password using the Web Mail Portal, like Microsoft TMG does, would help.

    23 votes

    1 comment  ·  Web Server Protection
  14. WAF Reverse Proxy with authentication: add authenticated username in http header

    If WAF authentication is selected to be done by the UTM, the username of the authenticated user should be added in the http request header sent to the backend web server. In addition, the groups should be added in another header attribute. That would be a function comparable to IBM Webseal and its http headers iv-user and iv-groups.

    For security, this feature should be combined with mutual https authentication, i.e. adding an https client certificate by the UTM to prevent modification of the http request header between UTM and backend.

    2 votes

    0 comments  ·  Web Server Protection
  15. WAF: option to set secure flag on cookies

    In the case where we want to have the UTM do the SSL encryption and keep our web servers serving plain text, we can't set the secure flag on the cookies at the web server. I like to leave the HTTP port open and use the new HTTP->HTTPS redirection feature in WAF but it does create a security hole in regards to authentication cookies.

    Can WAF include the option to set the secure flag on cookies for a selected virtual server?

    5 votes

    0 comments  ·  Web Server Protection
  16. Web Application Firewall: Remote Desktop Gateway support

    Similar to support for Outlook Anywhere, it would be really beneficial if the WAF allowed for the publishing of Remote Desktop Gateway and handled those methods. RDGOUTDATA followed by RPCINDATA and RPCOUTDATA, and including /RemoteDesktopGateway in the request. It seems like common functionality that many customers must be looking for...

    160 votes

    25 comments  ·  Web Server Protection
  17. WAF: Wildcard Support for TLDs

    As a company you often have several TLDs for your company name (e.g. company.com, company.de et cetera).

    If those domains are run on the same server and external IP you would have to configure every single domain as a virtual server for the WAF.

    This may result in a lot of work and also needs to be maintained.

    It would be great if <company>.* would be supported as a virtual server instead of just a preceding *

    6 votes

    1 comment  ·  Web Server Protection
  18. Web Application Firewall OTP support for form to form authentication

    Support for form to form authentication with one time passwords in the WAF.

    The WAF should be able to pass authentication through to a website which authenticates using a form (as opposed to only basic auth) if there is configuration on the UTM that defines the URL to the page which can process the login (not the login form) and the field names for the username and password.

    38 votes

    0 comments  ·  Web Server Protection
  19. elliptic curves

    UTM should support elliptic curves for ReverseProxy

    1 vote

    0 comments  ·  Web Server Protection
  20. AWS auto-scaled UTM WAF alerting

    First, it's absurd that I have to ask here for basic functionality. Sophos UTM does alerting when attacks against web apps are detected. This does not work in your AWS auto scaled UTM stack. The worker nodes send logs to the queen node, but the queen does not alert on the events in those logs. We would have to use a 3rd party SIEM solution to process the logs. Your AWS auto scaled UTM is incomplete without this functionality and I would like it added.

    1 vote

    0 comments  ·  Web Server Protection