SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Let you utilize different web servers depending on URL folder path

    Microsoft ISA Server 2006 lets you configure separate protected web servers for any URL folder path. I liked that, because it made the entrypoint simple – everything was based on the path name, not the server name. Any chance you would add this functionality to your product to make it cover what Microsoft’s ISA server could do? See call #5242748 for more info.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. Enable the use of the WAF as a front end for Remote Desktop Gateway.

    Include RDG over HTTP in the webserver protection firewall in a similar way to allowing Outlook Anywhere. to allow the use of Remote Desktop Gateway services, including the remote apps feature within /rdweb. Currently the HTTP based traffic is passed fine however when attempting to negotiate the use of a remote app the WAF resets the connection due to RDG_OUT_DATA not being a valid header. Would if be possible to pass this traffic uninspected as you do with RPC.

    Thank you.

    Mark

    10 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. (Webserver Protection) WAF + (Network Protection) Server Load Balancing.

    It would be great if there was a way to use the WAF but with Server Load Balancer setup in the Network Protection area or at least have the same type of control if not even more types of load balancing controls then there are now.

    As noted in another feature suggestion of having Layer 7 checks in the WAF Load balancer would be great. And I agree. But along those same lines I also have needs to specify load to not be round robin and to weight it. Which you can do to a degree in the Network Protection…

    15 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add file type filtering to WAF

    Allow admins to list a set of file extensions and MIME types they wish to filter from either upload, downloads or both.

    Include the true filetype detection already present in Web Protection (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1468141-web-security-file-extension-blocking-inside-archi) to make evasion harder.

    Optionally: Make the list of file-types a reverse authentication attribute, so that different groups of users are allowed to use different types of files.

    This functionality will allow for greater flexibility and protection when using the WAF. It can work as a DLP filter in downloads, or as a way of blocking executable code in uploads.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. Enable Sharepoint2013 encryption in SafeGuard Enterprise

    Enable that SafeGuard Enterprise client can encrypt files on SharePoint sites

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. Outlook anywhere connection with WAF for Mac Clients

    At the moment, there is no support for Outlook Anywhere connections on Mac clients. Please make Outlook anywhere connection work with the WAF.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. WAF Reverse Proxy with authentication: forward session cookie to backend http server

    When using the WAF (Web Server Protection) with authentication, a session cookie named BACKENDHOSTNAME_COOKIE is exchanged between Browser and UTM on each http request. For our application which is launched via Webstart from the web application and communicates via http we need to forward that session cookie to the external client process.

    Therefor the session cookie should be made optionally forwardably from the UTM to the backend http server.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add configurable request header field for reverse proxy into webadmin

    Browser generate sometimes for services like ADFS very big request headers.

    It would be great if you can implement such a editable field in webadmin.

    One issue is described in the following threat.

    https://www.astaro.org/gateway-products/web-server-security/53339-9-205-12-adfs-2-0-waf-dont-work.html

    13 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. allow DNS-Group Objects in Webserver Protection Access List

    Hello,

    i really love your Access-List for the Site-Path-Routing in the Webserver-Protection Area, which comes with 9.3 i think. . We are able to put in Networks here, which works like a charm. But:
    We would like to add a DNS-Group here, too. Its a bunch of clients from differents subnets, simply put together to a dns-group. (it 's the same object as the "supportaccess.sophos.com " DNS Group.

    I would like to block a similar DNS Group (of course not the support-access-Group) with the access-list feature from the webserver protection.

    thank you

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. DNS blacklist outage fix.

    Recently dnsbl.proxybl.org went off line, a 3rd party blacklist Web Server Protection uses to block ips/domains with a "bad reputation"

    When this 3rd party provider went out. The WAF served up pages extremely slowly to the outside world ( it took about 1 minute for a page fully load).

    I'm guessing every time a file was requested over the WAF, a look-up was done on the requester's IP and it would wait until the look-up timed out.

    My suggestion is to run a heartbeat on any such 3rd party service that turns on if a timeout occurred, if the service…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. WebServer Protection: GZIP encoding of proxied HTTP traffic

    The WAF strips the Accept-Encoding header from client requests, which is fine, as compression is not generally useful between the origin server and the proxy. However, it doesn't use the header itself, either. It doesn't compress proxied traffic before returning it to the client. Interestingly, pages generated by the WAF itself (such as error documents) are compressed. Only the proxied content remains uncompressed, and this can have a substantial impact on page speed.

    26 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. Webserver Protection & Citrix Support

    Would love to have Citrix supported with the reverse proxy.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. Websites Lists - Filter Actions

    Currently the Websites lists in a Filter Action is only available in one Filter Action. When you remove the Websites List it cannot be created with the same name across any of the filter actions.

    Ideally you should be able to totally remove a Websites List as well as assign the exact same Websites List (with all the same Websites and any future changes) to multiple Filter Actions. I would suggest this has significant benefit to large business; more specifically education. Schools want to be able to add a Website list to all students for block/allow but still keep individual…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. Ability to specify Logout URLS (Reverse Auth/WebServer protection)

    In TMG/ISA, when publishing a server such as Outlook Web Access, we had the ability to define a logout url so that it would terminate the connection when the user clicked 'log out' in the OWA interface.

    At present, we are reliant on the session timeouts or disabling reverse authentication together, using Exchange's built in form authentication to handle it. Would be great to have this feature so we can make the most of reverse auth and limit possible unauthorised use.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. Web Applikation Firewall: Web-Access for Remote Desktop

    Please add Web-Access for Remote Desktop-Feature for Win2012 R2 to the WAF and make it working with an additional OTP-Formbased-Auth.

    Would be very very great!

    5 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. 3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. UTM WAF - Custom HEADER

    Add the ability to add custom HTTP Headers while processing HTTP requests through the WAF

    The idea will allow me to "copy" header data
    e.g.: X-My-Custom-Header: $x-forwarded-proto

    Use case:
    When running a server behind 2 layered AWS ELB the first x-forwarded-proto header is overwritten by the 2nd layer, that mean that the application server cant see the original user requested protocol

    Lahav Savir @ Emind Cloud Expert

    9 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. WAF Reverse Proxy with authentication: add authenticated username in http header

    If WAF authentication is selected to be done by the UTM, the username of the authenticated user should be added in the http request header sent to the backend web server. Im addition the groups should be added in another header attribute. That would be a function comparable to IBM Webseal and it's http hread iv-user and iv-groups.

    For security, this feature should be combined with mutual https authentication, i.e. adding a https client certificated by the UTM to prevent modification of the http request header between UTM and backend.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. web application firewall rewrite rules

    - Change the Rewrite from domain.de/ to domain.de/index.php with site path routing activated.
    - WAF rewrite rules for files like *.php or *.xml

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. WAF: option to set secure flag on cookies

    In the case where we want to have the UTM do the SSL encryption and keep our web servers serving plain text, we can't set the secure flag on the cookies at the web server. I like to leave the HTTP port open and use the new HTTP->HTTPS redirection feature in WAF but it does create a security hole in regards to authentication cookies.

    Can WAF include the option to set the secure flag on cookies for a selected virtual server?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.