As long as you open an HTTPS page via browser you may see that there is an SSL verification error and XG did block traffic.
As TLS verification is also implemented in FTPS (Scan FTP for Malware), you won't get any message on fails; you can just imagine that traffic won't pass because of a TLS error.
Same if HTTPS is used by applications, e.g. internal software updates.
3 votes
Please add the possibility to add a country or country group to "Allowed Client Networks" and "Blocked Client Networks". This is very important for us.
Request to have IP List be configurable under Allowed/Blocked Client Networks under Access Permission on WAF Firewall Rule
We have a customer here requesting to have IP List be configurable under Allowed/Blocked Client Networks under Access Permission on WAF Business Application Firewall Rule.
For your assistance please. Thank you.
1 vote
Webserver Protection forms authentication does not have any kind of validation for wrong username or password. If a user types in incorrect credentials there is no notification why; it just reloads the page. This product is not ready for production without it. Even the Hotspot login page has customization for errors. https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LoginPageTemplate.html
1 vote
Migrating from TMG 2010 server to XG 330. Currently, we have a few websites, like OWA, remote desktop, etc., for which we require 2-factor authentication. It would be great if WAF rules supported OTP authentication using the built-in OTP product. I was told by support this is not possible. Thanks.
54 votes
We would like it to be possible to increase the timeout period for underlying web servers. In some specific requirements, web pages will take longer than 60 seconds to load, thus exceeding the hard-coded timeout of the Sophos XG.
Please allow us to increase this timeout manually.
2 votes
Please add support for HSTS (HTTP Strict Transport Security) on Sophos XG WAF.
23 votes
Asking for assistance on whether we could add Certificate-based Authentication for web server protection. We have a customer here needing this as a requirement for their setup.
6 votes
Currently, disabling HTTP TRACE is only possible using the Advanced Shell with some commands. Please make this option available in the GUI.
4 votes
On HTTP/S NLB I would like to have more features, such as:
Weighted least connection
Hash based on Source/Destination IP
Hash based on Cookies
Hash based on Header/URL
The XG still supports protocols that are insecure and fail PCI compliance scans. These protocols, such as TLS v1.0, 64-bit block ciphers, etc., should be able to be disabled through, at a minimum, the CLI and preferably the UI.
64 votes
This is being implemented in v17 as a UI configurable option.
Note though, that PCI standards enforcing this requirement do not go into effect until mid-2018. Any audit failures due to crypto strength, prior to then, are premature.
Same idea as http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/6101344-url-redirection for the UTM. We need the ability to redirect URL requests.
For example:
50 votes
Setting the schedule for the Business Application Rules would be an important thing to add.
It would be very nice if Let's Encrypt certificates (letsencrypt.org) could be generated directly from the XG GUI, so that the "Let's Encrypt Client" is integrated in the XG. Would it be possible?
Best Regards
423 votes
We’re considering this
Allow the use of wildcard domain names for Webservers. Also allow them to be sorted by priority so that a more specific FQDN takes precedence over a wildcard domain.
21 votes
Our customers are asking for HTTP/2 support for their webservers; please add HTTP/2 support to the WAF (Webserver Protection).
22 votes
I need to pass the WebSocket protocol with a WAF rule. It is one of the very important protocols needed with web servers.
27 votes
Many small installations could benefit from the ability to publish the User Portal using a Business Rule instead of enabling it directly in the Device Access section. The difference is that a single IP can be used to host both the User Portal and custom web applications such as webmail, web storage, web cameras, etc.
Now, the only solution is to change the User Portal listening port to something non-standard, but this limits the ability to use it from some network environments where only standard WWW ports (80, 443) are allowed.
82 votes
At the moment there are different types of authentication missing, even on UTM9, compared to ISA Server 2006, such as:
1. Two-factor authentication using forms-based authentication and a client certificate.
2. Delegation of credentials by using NTLM or Kerberos authentication.
3. Kerberos constrained delegation.
4. Secure Sockets Layer (SSL) client certificate constraints.
In this way, XG and UTM9 would be a real alternative to ISA Server.
122 votes
Other UTM/WAF vendors integrate virtual patching features in their products. Real brute force protection is missing on WAF too.
Please add it.
30 votes