SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. WAF Reverse Proxy with authentication: forward session cookie to backend http server

    When using the WAF (Web Server Protection) with authentication, a session cookie named BACKENDHOSTNAME_COOKIE is exchanged between Browser and UTM on each http request. For our application which is launched via Webstart from the web application and communicates via http we need to forward that session cookie to the external client process.

    Therefor the session cookie should be made optionally forwardably from the UTM to the backend http server.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. allow DNS-Group Objects in Webserver Protection Access List

    Hello,

    i really love your Access-List for the Site-Path-Routing in the Webserver-Protection Area, which comes with 9.3 i think. . We are able to put in Networks here, which works like a charm. But:
    We would like to add a DNS-Group here, too. Its a bunch of clients from differents subnets, simply put together to a dns-group. (it 's the same object as the "supportaccess.sophos.com " DNS Group.

    I would like to block a similar DNS Group (of course not the support-access-Group) with the access-list feature from the webserver protection.

    thank you

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. DNS blacklist outage fix.

    Recently dnsbl.proxybl.org went off line, a 3rd party blacklist Web Server Protection uses to block ips/domains with a "bad reputation"

    When this 3rd party provider went out. The WAF served up pages extremely slowly to the outside world ( it took about 1 minute for a page fully load).

    I'm guessing every time a file was requested over the WAF, a look-up was done on the requester's IP and it would wait until the look-up timed out.

    My suggestion is to run a heartbeat on any such 3rd party service that turns on if a timeout occurred, if the service…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. WebServer Protection: GZIP encoding of proxied HTTP traffic

    The WAF strips the Accept-Encoding header from client requests, which is fine, as compression is not generally useful between the origin server and the proxy. However, it doesn't use the header itself, either. It doesn't compress proxied traffic before returning it to the client. Interestingly, pages generated by the WAF itself (such as error documents) are compressed. Only the proxied content remains uncompressed, and this can have a substantial impact on page speed.

    26 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. Webserver Protection & Citrix Support

    Would love to have Citrix supported with the reverse proxy.

    9 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. Websites Lists - Filter Actions

    Currently the Websites lists in a Filter Action is only available in one Filter Action. When you remove the Websites List it cannot be created with the same name across any of the filter actions.

    Ideally you should be able to totally remove a Websites List as well as assign the exact same Websites List (with all the same Websites and any future changes) to multiple Filter Actions. I would suggest this has significant benefit to large business; more specifically education. Schools want to be able to add a Website list to all students for block/allow but still keep individual…

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. Web Applikation Firewall: Web-Access for Remote Desktop

    Please add Web-Access for Remote Desktop-Feature for Win2012 R2 to the WAF and make it working with an additional OTP-Formbased-Auth.

    Would be very very great!

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. 3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. web application firewall rewrite rules


    • Change the Rewrite from domain.de/ to domain.de/index.php with site path routing activated.

    • WAF rewrite rules for files like .php or .xml

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. Auto Blacklist IPS from WAF/IDS triggers

    I have had an IP trigger 4 separate WAF rules.
    SQL Comment Sequence Detected.
    Detects classic SQL injection probings 1/2
    SQL Injection Attack: Common Injection Testing Detected
    SQL Injection Attack: SQL Operator Detected

    This guy is up to no good, I could see perhaps 1, but 4?
    It would be nice after X amount of triggers or X type of triggers in X time. The IP is added to a black list.

    We could view this list of auto banned IPs and get information like Who/what/where/when/how and decide to leave them on the list, remove them, or change the ban…

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. Allow more detailed modifying of UTM WAF rules and behaviour. (ModSecurity function)

    UTM preventing some internet traffic going to e.g. apache linux servers due to escaping of the \ which is required for all systems to be able to identify a character such as $ or @.
    When this happens using multiple layers of backslash escaping, Sophos treats this as an SQL Injection. There is currently no way of modifying this behaviour legally, and you need to enter SQL Injection Bypasses on particular pages on your Apache hosted site, which is not optimal.

    Giving end user some more power on what should and should not be captured via an advanced profile option,…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add Single Sign On for web applications similar to what Forefront can do.

    Forefront can provide SSO for multiple web applications. I'd like to see a similar feature in UTM 9.
    For example:
    An agent signs into www.insurancecompany.com and clicks a link to www.insurancecompanyagents.com, the agent won't be prompted again for authentication because of the SSO policy for the two sites.

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. Drain stop real servers in WAF

    When one would remove / disable a real server in WAF, all connections are immediately killed. It would be nice if there is an option to drain a real server. So WAF would stop sending new connection to that real server, but established connection would continue until they're terminated by client/server.

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. make it possible to disable weak encryption algorigths

    Make it possible to disable encryption algorithms.
    The WAF accept weak RC4 algorithms it would be nice if we could disable them.

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. Add log off code for web applications using reverse authentication

    Forefront has the ability log off clients using "?cmd=logoff" in the web applications code for logging off. This would be nice to have so clients can log off the site with cookie deleted or request to close the browser.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. Link translation with custom dictionary - like TMG has in a web publishing reverse proxy role

    Today I publish sap portal through TMG. To accomplish that publishing through a reverse proxy, I need to be able to replace sap specific code such as; 80&#x2f with 443&#x2f and http&#x3a with https&#x3a. This makes our webdynpro's work. These text replacing techniques are called custom dictionaries in TMG.

    Basically TMG goes through the entire page as its delivered to the end user's browser and changes this code on the fly. I use link translation for other situations too so I would love to see this feature added. Thank you.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. WAF: Filtering IP-Adresses for an network interface

    WAF only let us chosse an network interface for the virtuel server to communicate to the Internet. No further filtering, e.g. a Firewall Rule for defined IP-Adresses that can connect to the network interface, ist possible.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. Need to set up 2FA

    Can you set up Web Application Firewall section to allow reverse proxied sites to use 2FA but not the one time password used by the UTM. Namely we use Vasco fobs as a Corporate Solution and would like one site to use this facility to authenticate but not the other web sites we reverse proxy.
    Thanks

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. Ability to renew certificates in Web Application Security

    Now it's quite a hassle to renew existing certificates in the web application security section. Have the option during upload of the new certificate to replace the existing certificate with the same common name.

    21 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. 2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.