SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Web Server Protection: Guard against "Insecure Cryptographic Storage" by adding an HSM

    Integrate the WAF with HSM so the OWASP "Insecure Cryptographic Storage" concern can be addressed.

    6 votes
    1 comment  ·  Web Server Protection
  2. Improve web load balancing healthchecks

    Can we please get Layer 7 http health-checks when using the WAF? We'd like to look at http response code on a configured object and/or match some text received in a response.

    16 votes
    4 comments  ·  Web Server Protection
  3. Web Server Protection: "Sticky" sessions between HTTP and HTTPS

    It is possible to have sticky sessions using the WAF; however, in our e-commerce websites we use both HTTP & HTTPS. Sticky sessions work only during the HTTP session, and when the user changes to an HTTPS link a new server may be assigned. Sometimes we can lose the session as a result.

    3 votes
    0 comments  ·  Web Server Protection
  4. WAF - TLS 1.2 support

    The WAF should support the latest version of TLS, and be secure against BEAST and CRIME exploits.

    7 votes
    2 comments  ·  Web Server Protection
  5. Ability to tune & define WAF rules

    The ability to have fine-grained control over which WAF rules report & block would make it far easier to perform a gradual implementation. Custom WAF rules would allow users to use the UTM for "external patching" - mitigating known vulnerabilities when it is not possible to patch the application immediately.

    This would need to be combined with the ability to report and alert on WAF blocks & triggers to be useful.

    5 votes
    2 comments  ·  Web Server Protection
  6. Web Server Protection: Rate limiting for anti-d/dos protection

    The WAF should have rate limiting functionality to protect against DoS attacks. This could take the form of blocking or slowing down connections from a certain IP if >X number of requests have been received over a certain time period.

    4 votes
    1 comment  ·  Web Server Protection
  7. Web Server Protection: Error page / re-direct if all servers offline

    The web load balancing component (under the WAF section) should be able to spot if all servers are offline and deliver a user-configurable "sorry page".

    2 votes
    1 comment  ·  Web Server Protection
  8. Enable transparent use in bridged mode

    I have a new client that's a hosting facility. At present, there are hundreds of websites with existing IPs, DNS entries, etc. It's not practical to protect these existing sites because of the requirement that a Virtual Server use an IP on the arriving interface.

    We attempted to go around this by running all of the traffic to a test server through the UTM in bridged mode. We tried using a DNAT to direct the traffic back to the bridged interface with the address of the bridge. This didn't work because the REDIRECT capability isn't configurable in WebAdmin (per Development).

    1 vote
    2 comments  ·  Web Server Protection
  9. Web Application Firewall: Time-based Rulesets/Events

    More and more customers see a need in restricting their (internal) webservices (owa/active sync for example) to business hours only to ensure occupational safety and health guidelines or even laws.

    We/our customers would greatly appreciate a feature like this added into the WAF of ASG/UTM, some option where you choose to make certain services available only at specific times.

    9 votes
    0 comments  ·  Web Server Protection
  10. Web Server Protection: Display In-Line reporting

    The web load balancing component (under the WAF section) should contain a status page showing number of ongoing requests, recently blocked requests, web server health check status & response time.

    1 vote
    0 comments  ·  Web Server Protection
  11. Web Server Protection: Image Optimization by Scaling / Compression

    À la the Packeteer days, it would be great to not need to use an upstream proxy to achieve image scaling/compression for our low-bandwidth applications.

    It would be preferable to have this built into our Astaro/UTM and remove the need for another device to manage.

    Being able to specify the level of compression/scaling for different clients, device/agent types, or browsers would also be awesome!

    1 vote
    0 comments  ·  Web Server Protection
  12. Web Application Security: Block access to specific URLs

    Right now I'm trying to use the Astaro WAS for a setup where we normally would use a Linux server with Apache configured as a reverse proxy.
    In this constellation we could block access to some URLs from the outside via simple "Order deny" directives on the reverse proxy.
    As far as I can see there's no similar option on the Astaro.
    The URL Hardening feature is no option for us here, as you can only do whitelisting with that.

    2 votes
    0 comments  ·  Web Server Protection
  13. Web Server Protection: Max File Upload Size

    It would be nice to limit the maximum file size that could be uploaded.

    2 votes
    1 comment  ·  Web Server Protection
  14. WAF - limit skipped rule-ID to ip and networks

    We have the possibility to skip certain rule IDs in the WAF firewall profiles. Normally we are doing this for known visitor hosts or networks. We need an extra function to limit the skipping to hosts and networks or any network object the ASG knows.

    1 vote
    0 comments  ·  Web Server Protection
  15. Web Server Protection: DoS Protection

    The WAF, based on Apache reverse proxy, if enabled, can become a target for App layer DoS attacks.
    These are easy to execute (tools are publicly available) and the WAF would take the hit rather than the backend web server. Most WAF vendors have already implemented protection against such attacks.

    The easiest way to mitigate these attacks can be to use ModSecurity, e.g.:
    http://www.astaro.org/astaro-gateway-products/web-application-security/41078-upgrade-version-modsecurity.html

    Alternatively, mod_reqtimeout in combination with some ModSecurity rules can be used; this approach is described in the above link (ModSecurity blog entry).

    Currently, to fend off such attacks, a workaround is to disable the WAF, use a DNAT rule…

    5 votes
    1 comment  ·  Web Server Protection
  16. Web Application Control - Visitor Messages for Block Events

    Let the user know why they are not able to get to the site/url/application when visiting a site protected by Web Application Security. While difficult, it would be great if Astaro could somehow display feedback or show him a message. (like in URL filtering). (So he would not call support and nag.)

    2 votes
    0 comments  ·  Web Server Protection
  17. Ability to renew certificates in Web Application Security

    Now it's quite a hassle to renew existing certificates in the web application security section. Have the option during upload of the new certificate to replace the existing certificate with the same common name.

    17 votes
    1 comment  ·  Web Server Protection
  18. Web Server Protection: Allow Uplink Interfaces and Interface Groups in Virtual Web Server configuration

    The title says it all. In WAF, allow the Primary Uplink Addresses object to be used as an interface option for those with multiple WAN links and Uplink Balancing/Standby Interfaces for failover.

    10 votes
    1 comment  ·  Web Server Protection
  19. Web Application Security: White / Blacklist Support for Visitor IP's

    I would like to see an option to deny or allow certain IP addresses that can access the web servers. Not only based on country but on the IP address itself.

    34 votes
    Under Review  ·  14 comments  ·  Web Server Protection
  20. Web Application Security: User-created/Custom Rules

    For those savvy enough to create their own rules, it should be possible to craft and deploy custom ones.

    4 votes
    2 comments  ·  Web Server Protection