SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Restrict HTTP Methods based on paths

    Restrict HTTP Methods based on paths,

    We want to allow only GET methods to
    http://servername/servicepath/*

    But we want to allow GET and POST to
    http://servername/servicepath/servicepath2/*

    So any attempts to make POSTs to any sub-paths except /servicepath2 will be blocked. Fairly easy to do on ISA via the HTTP filter settings
    and would be good if we could achieve the same with UTM.

    2 votes
    0 comments  ·  Web Server Protection
  2. edit HTTP Header

    Edit or hide HTTP Headers such as the Server Header.

    2 votes
    0 comments  ·  Web Server Protection
  3. Make Web Application Firewall Site Path Routing case insensitive.

    Site Path Routing should have an option to treat the path in a case neutral manner.

    59 votes
    7 comments  ·  Web Server Protection
  4. WebServer Protection: Allow for larger upload handling

    For web sites with larger uploads (e.g. ownCloud) there is currently a 128MB (134217728 byte) limit in Web Server protection, the so-called request body limit in ModSecurity.
    Please add the possibility to configure this parameter (it's "SecRequestBodyLimit" in the Apache config) to allow larger uploads to sites protected by WAF.

    53 votes
    6 comments  ·  Web Server Protection
  5. 2FA form for Reverse proxy

    UTM doesn't support a Reverse authentication 2FA with third party OTP radius AaaS providers (e.g. SafeNet). It would be good if this feature can be included in the next release.

    1 vote
    0 comments  ·  Web Server Protection
  6. WebAdmin to use CA's from the default CA store

    Currently most web services published from the UTM make use of the Certificate Authorities uploaded by the user in the CA store (Webserver Protection >> Certificate Management >> Certificate Authority). However, the WebAdmin service uses its own CA (which affects also User Portal and SPX encryption pages).

    The self-signed CA that is generated during installation remains in the apache directory and becomes redundant if the user wishes to upload a publicly signed certificate from a trusted company (eg. Thawte, VeriSign, Comodo etc.). Even though the user uploads the CA certs from the trusted company into the CA repository, the WebAdmin…

    4 votes
    3 comments  ·  Web Server Protection
  7. Create a configuration option for ciphers in the GUI.

    Create a configuration option for ciphers in the GUI.

    9 votes
    0 comments  ·  Web Server Protection
  8. Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong cat

    Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong category.

    64 votes
    16 comments  ·  Web Server Protection
  9. Reverse Proxy TTL for backend hosts

    It would be incredibly useful to have the ability to add the TTL to the web application firewall for reverse proxy connections.

    This is particularly critical in AWS environments where the "Real Webserver" is an Elastic Load Balancer.

    Sometimes when the ELB IP addresses update, the reverse proxy continues to use the cached IP address and will not look up the IPs again until the Virtual Web Server is restarted.

    1 vote
    1 comment  ·  Web Server Protection
  10. add customisable error messages

    Add custom error messages for when problems occur (also providing a useful error message/reason).

    We had some clients getting 403 Forbidden when connecting to our website, and it looks very unprofessional.

    A company-branded page telling the user they have been blocked due to their IP having a bad reputation (as per our last problem) would be great.

    3 votes
    0 comments  ·  Web Server Protection
  11. WAF: Multiple domain support for non-wildcard SSL certificate

    WAF: Allow adding multiple domains when using a non-wildcard certificate

    1 vote
    0 comments  ·  Web Server Protection
  12. WAF - TLS 1.2 support

    The WAF should support the latest version of TLS, and be secure against BEAST and CRIME exploits.

    9 votes
    2 comments  ·  Web Server Protection
  13. Virtual Webserver - Wildcard SSL Import Domains

    When using a wildcard SSL certificate, I would like the ability to import a list of domains on a virtual webserver. This is possible on an HTTP virtual webserver, but not on the HTTPS one. We have a wildcard web development environment and have multiple servers with 50+ sub-domains on each server. Currently, we have to manually enter every single domain since the import functionality is not on the HTTPS virtual servers.

    2 votes
    0 comments  ·  Web Server Protection
  14. MDM based access through Reverse Proxy

    With MDM (as a service) being connected to a UTM it would be good to be able to set up a Reverse Proxy (WAF) profile as counterpart. I.e.: only devices allowed by MDM may pass to ActiveSync.

    This way it would not be necessary to set up a dedicated machine for this task and DNAT rule (and you can still use 443 for other webservers as well on the same IP).

    This way UTM and MDM would benefit (UTM being more value to MDM SaaS customers). This will greatly emphasize Sophos product interconnection.

    12 votes
    1 comment  ·  Web Server Protection
  15. Let you utilize different web servers depending on URL folder path

    Microsoft ISA Server 2006 lets you configure separate protected web servers for any URL folder path. I liked that, because it made the entrypoint simple – everything was based on the path name, not the server name. Any chance you would add this functionality to your product to make it cover what Microsoft’s ISA server could do? See call #5242748 for more info.

    1 vote
    0 comments  ·  Web Server Protection
  16. Enable the use of the WAF as a front end for Remote Desktop Gateway.

    Include RDG over HTTP in the webserver protection firewall in a similar way to allowing Outlook Anywhere, to allow the use of Remote Desktop Gateway services, including the remote apps feature within /rdweb. Currently the HTTP based traffic is passed fine; however, when attempting to negotiate the use of a remote app, the WAF resets the connection due to RDGOUTDATA not being a valid header. Would it be possible to pass this traffic uninspected as you do with RPC?

    Thank you.

    Mark

    10 votes
    2 comments  ·  Web Server Protection
  17. Outlook anywhere connection with WAF for Mac Clients

    At the moment, there is no support for Outlook Anywhere connections on Mac clients. Please make Outlook anywhere connection work with the WAF.

    3 votes
    0 comments  ·  Web Server Protection
  18. WAF Reverse Proxy with authentication: forward session cookie to backend http server

    When using the WAF (Web Server Protection) with authentication, a session cookie named BACKENDHOSTNAME_COOKIE is exchanged between Browser and UTM on each http request. For our application which is launched via Webstart from the web application and communicates via http we need to forward that session cookie to the external client process.

    Therefore the session cookie should be made optionally forwardable from the UTM to the backend http server.

    3 votes
    1 comment  ·  Web Server Protection
  19. allow DNS-Group Objects in Webserver Protection Access List

    Hello,

    I really love your Access-List for the Site-Path-Routing in the Webserver-Protection Area, which comes with 9.3 I think. We are able to put in Networks here, which works like a charm. But:
    We would like to add a DNS-Group here, too. It's a bunch of clients from different subnets, simply put together to a DNS-group (it's the same object as the "supportaccess.sophos.com" DNS Group).

    I would like to block a similar DNS Group (of course not the support-access-Group) with the access-list feature from the webserver protection.

    Thank you

    3 votes
    0 comments  ·  Web Server Protection
  20. DNS blacklist outage fix.

    Recently dnsbl.proxybl.org went offline, a 3rd party blacklist Web Server Protection uses to block IPs/domains with a "bad reputation".

    When this 3rd party provider went out, the WAF served up pages extremely slowly to the outside world (it took about 1 minute for a page to fully load).

    I'm guessing every time a file was requested over the WAF, a look-up was done on the requester's IP and it would wait until the look-up timed out.

    My suggestion is to run a heartbeat on any such 3rd party service that turns on if a timeout occurred, if the service…

    1 vote
    0 comments  ·  Web Server Protection