The web proxy, before 9.6, failed open for chunked data that was missing or had a misconfigured data-range header, and the data wouldn't be scanned. The old behavior created a DoS in some circumstances where the proxy would continually try to retrieve the data from the server, filling the pipe - I've had this happen to me. The behavior now is fail-closed where the connection is reset, and data is not allowed to flow. This new behavior creates an administrative overhead that is unacceptable to many small IT departments. I manage several firewalls, and in three years I've encountered one DoS in several hundred million DNS requests and resulting connections. I would much rather have to create one or two exceptions for the web proxy anti-virus than the nearly 60 I've created since this new behavior began.

Double Check Active directory when creating users. When a new user wants to access out VPN, they must login using their AD user account. If they do this, a Sophos account is created that has backend-sync enabled and all is well.

But often, they use their e-mail address instead. In that case, a local account is creatrd with that e-mail address. This account obviously will not have the proper AD group memberships. Trying to create a new account only using the userID is then not possible because an account with that e-mail address already exists.

The only solution is that I manually remove this local account.

It would be VERY simple to check the AD also when a full e-mail address is used and if so, create the synced account instead of a local account.

After reporting that Sophos still distributes an old (august 2015) and insecure (CVE-2017-7508 CVE-2017-7520 CVE-2017-7522) version (2.3.8) of the OpenVPN client (used by the SSL VPN) as an error through SophServ, I was instructed by the support engineer to post this as an idea.

Although it seems strange that it is an idea that a security device would keep security sensitive software components up to date, I went along with this, because I want it fixed.

What *would* be an idea is that not only Sophos kept the version it distributes up to date, but also helps keeping the clients up to date.

Doing this transparently would of course be nicest, but reporting out-of-date clients and/or rejecting insecure clients would already be an improvement.

I am requesting a slight improvement change in SNMP for Sophos UTM Home edition.

Can the sysObjectID be changed to the Sophos sysObjectID?

Currently its set on the generic Linux one: 1.3.6.1.4.1.8072.3.2.10

I think the Sophos one starts with: .1.3.6.1.4.1.9789

I monitor my home net and it would be nice if discovery recognizes my Sophos UTM as a firewall instead of a Linux EndNode.

Also is it possible to add SNMP to the AP firmware for discovery purposes and simple traffic queries? SNMP query credentials could be either added to the same SNMP config or add a new one under 'Wireless Protection'. I have an AP30 and AP10 in my house that have no discovery feature nor query capability other than ping and DNS.

I wish the SEA had, file attachment linking. User attaches a file to an email, and the attachment is replaced with a URL back to it. Very nice. The issue, while a PDF problem and not a SEA one, is trying to get to an attachment in an SPX PDF is horrendous on a good day, assuming a basic computer / mobile device user. No way our clients could do it and many of the are MDs. Then back late last year, Adobe disabled all attachments sent in PDF. So that caused us a lot of trouble which brought us to Synametrics (http://web.synametrics.com/SynaMan.htm) file attachment linking feature.

Out-of-the-box Sophos UTM will generate self-signed certificates for many functions as for the Web proxy signing CA. We would like to use our internal PKI infrastructure consisting of an W2K16 Enterprise RootCA because it_s certificate is trusted automatically by all Windows clients in the domain so there is no need to distribute other certificates by GPO for e.g.

For the webadmin console we used a certificate signed by this _Root_CA and that works without problem. Because we use SSL scanning we want the web proxy _Signing CA_ to be a intermediate CA of our RootCA. I have generated the certificate and installed it as the certificate for the Signing CA. The installation shows no problem and certificates for websites for which we use SSL scanning are perfectly generated, but the _intermediate_ certificate of the web proxy signing CA is not included in the chain. Because the chain is broken the on-the-fly generated certificates are not trusted.

This website https://community.sophos.com/kb/en-us/115592 suggests this setup should work, but it doesn't.

I did install the RootCA certificate as a local Verification CA. I see that other users are reporting the same problem _https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/108203/signing-certificate-loses-chain-when-imported/387030?pi2349=3_. I_m really looking for a fix for this to work.