SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Auto Blacklist IPS from WAF/IDS triggers

    I have had an IP trigger 4 separate WAF rules.
    SQL Comment Sequence Detected.
    Detects classic SQL injection probings 1/2
    SQL Injection Attack: Common Injection Testing Detected
    SQL Injection Attack: SQL Operator Detected

    This guy is up to no good, I could see perhaps 1, but 4?
    It would be nice after X amount of triggers or X type of triggers in X time. The IP is added to a black list.

    We could view this list of auto banned IPs and get information like Who/what/where/when/how and decide to leave them on the list, remove them, or change the ban…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. Allow more detailed modifying of UTM WAF rules and behaviour. (ModSecurity function)

    UTM preventing some internet traffic going to e.g. apache linux servers due to escaping of the \ which is required for all systems to be able to identify a character such as $ or @.
    When this happens using multiple layers of backslash escaping, Sophos treats this as an SQL Injection. There is currently no way of modifying this behaviour legally, and you need to enter SQL Injection Bypasses on particular pages on your Apache hosted site, which is not optimal.

    Giving end user some more power on what should and should not be captured via an advanced profile option,…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. WAF: Wildcard Support for TLDs

    As a company you often have serveral TLDs for your company name (e.g. company.com, company.de et cetera)

    If those domains are run on the same server and external IP you would have to configure every single domain as a virtual server for the WAF.

    This may result in a lot of work and also needs to be maintained.

    It would be great if <company>.* would be supported as a virtual server instead of just a preceded *

    5 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add Single Sign On for web applications similar to what Forefront can do.

    Forefront can provide SSO for multiple web applications. I'd like to see a similar feature in UTM 9.
    For example:
    An agent signs into www.insurancecompany.com and clicks a link to www.insurancecompanyagents.com, the agent won't be prompted again for authentication because of the SSO policy for the two sites.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. Drain stop real servers in WAF

    When one would remove / disable a real server in WAF, all connections are immediately killed. It would be nice if there is an option to drain a real server. So WAF would stop sending new connection to that real server, but established connection would continue until they're terminated by client/server.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. make it possible to disable weak encryption algorigths

    Make it possible to disable encryption algorithms.
    The WAF accept weak RC4 algorithms it would be nice if we could disable them.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. Add log off code for web applications using reverse authentication

    Forefront has the ability log off clients using "?cmd=logoff" in the web applications code for logging off. This would be nice to have so clients can log off the site with cookie deleted or request to close the browser.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. Link translation with custom dictionary - like TMG has in a web publishing reverse proxy role

    Today I publish sap portal through TMG. To accomplish that publishing through a reverse proxy, I need to be able to replace sap specific code such as; 80&#x2f with 443&#x2f and http&#x3a with https&#x3a. This makes our webdynpro's work. These text replacing techniques are called custom dictionaries in TMG.

    Basically TMG goes through the entire page as its delivered to the end user's browser and changes this code on the fly. I use link translation for other situations too so I would love to see this feature added. Thank you.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. WAF: Filtering IP-Adresses for an network interface

    WAF only let us chosse an network interface for the virtuel server to communicate to the Internet. No further filtering, e.g. a Firewall Rule for defined IP-Adresses that can connect to the network interface, ist possible.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. Need to set up 2FA

    Can you set up Web Application Firewall section to allow reverse proxied sites to use 2FA but not the one time password used by the UTM. Namely we use Vasco fobs as a Corporate Solution and would like one site to use this facility to authenticate but not the other web sites we reverse proxy.
    Thanks

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. Ability to renew certificates in Web Application Security

    Now it's quite a hassle to renew existing certificates in the web application security section. Have the option during upload of the new certificate to replace the existing certificate with the same common name.

    19 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. 2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. edit HTTP Header

    Edit or hide HTTP Headers such as the Server Header.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. ip filtering web application firewall

    Have the ability to specify which source networks, hosts are allowed to access a published website. This way we can add the IP-restrictions on the UTM box itself for a specific site instead of having to do this on the webserver hosting the site itself.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. Web Server Protection: Honeypot Profiling (Intrusion Deception)

    Have the WAF add harmless, yet tempting targets to sites it is protecting, and then blacklist or punish who takes advantage of them.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. Web Server Protection: Transparent reverse proxy

    Please provide the option to use reverse proxy also with transparent mode. This way permits to have the real remote host IP traced on the web server log files instead of the IP of the firewall. Now without transparent mode, every web analyzer software is not able to give real traffic reports...

    48 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add ACL Support for Web Application Firewall

    Though it isn't the best form of security, adding the capability to specify at least an allowed source object for access through the WAF would be beneficial to many. Even if it was in the form of the same allowance as the NTP, DNS, SMTP, POP3, FTP, HTTP and HTTPS proxies (where you just specify sources that are allowed to use the service and not a particular site). I don't have sites hosted that I want visible to the whole world, just a particular subset of hosts. I can use DNAT rules to accomplish this, but they don't offer ModSecurity-based…

    7 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. please filter outlook anywhere (rpc over https) in the waf. just pass is a big security risk!

    From the Online Help. Microsoft Outlook traffic will not be checked or protected by the WAF! Please implement a filter so that we can publish Outlook anywhere in a secure manner.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. Extend Security for Microsoft Exchange OWA 2010 Publishing

    The strong security features like URL-hardening, cookie-signing and form-hardening are still not available with owa newer than 2003. The knowledgebase just told me, to deactivate those feature. But they are important for higher security level.

    15 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. Reverse Proxy: Authentication Offloading like TMG

    will there be a feature like Authentication / captive portal (e.g. the proxy settings"transparent with authentication" ) for enabling a reverse proxy?
    This would be so usfull for small installations with no frontend exchange / DMZ.
    (juniper calls this "webauth" )

    178 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google Sophos Features & Ideas Laboratory
    Signed in as (Sign out)

    We’ll send you updates on this idea

    23 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
    Planned  ·  Angelo Comazzetto responded

    We are hard at work on this feature and will deliver the first implementation of front end authentication as part of our Web Server protection (reverse proxy) in UTM 9.2. The public beta will begin in October. Stay Tuned!

  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.