It would be very nice if Let's Encrypt certificates (letsencrypt.org) can be generated directly from the XG Gui. So that the "Let's Encrypt Client" is integrated in the XG. Would it be possible?
Best Regards

At the moment there are different type of authentication missing even on UTM9 against ISA server 2006, such as:

1. Two-factor authentication using forms-based authentication and a client certificate.
2. Delegation of credentials by using NTLM or Kerberos authentication.
3. Kerberos constrained delegation.
4. Secure Sockets Layer (SSL) client certificate constraints

In this way, XG and UTM9 are the very alternative to ISA Server.

Under: Policies
Security Policies

Adding a Business application non-HTTP rule you should have the option to use "Objects > Hosts and Services > Services" objects as the Port Forwarding target.

This reduces the rules required and keeps it more unified..

At the moment you need to add multiple rules I.E. A hosted service uses a mixture of single ports, port ranges and both tcp/udp will require multiple rules to achieve something very simple.

Many small installation could benefit from ability to publish User Portal using Business Rule instead of enabling it directly in Device Access section. The difference is that a single IP can be used to host both User Portal and custom Web applications such as Web mail, Web storage, Web cameras, etc.

Now, the only solution is to change User Portal listening port to something non-standard but this limits the ability to use it from some network environments where only standard WWW ports (80,443) are allowed.

The XG still supports protocols that are insecure and fail PCI compliance scans. These protocols such as TLS v1.0, 64-bit block ciphers, etc should be able to be disabled through at a minimum the CLI and preferably the UI.

Migrating from TMG 2010 server to XG 330. Currently, have a few websites, like OWA, remote desktop, etc...that we require 2 factor authentication. Would be great if WAF rules supported OTP authentication using the built in OTP product. Was told by support this is not possible. Thanks.

Same idea as http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/6101344-url-redirection for the UTM. We need the ability to redirect URL requests.

For example:

http://email.mydoamin.com -> https://email.mydoamin.com/owa

On HTTP/S NLB I would like to have more features, such as:

Weighted roud-robin
Weighted least connection
Hash based on Source/Destination IP
Hash based on Cookies
Hash based on Header/URL

Thanks

Set the schedule for the Business Rules Applications rules would be an important thing to enter.
Thanks
Carlo

Other UTM/WAF vendors integrate virtual patching features on their product. A really brute force protection in missing on WAF too.
Please add it.

our customers are asking for the http/2 Support for there webservers, please add the http/2 Support to the WAF - Webserverprotection

Enable WAF Business rules for incoming IPv6 connections.

All the protection is provided for IPv4 webserver, but hosting on IPv6 bypasses protections

I neead to pass websocket protocol with WAF rule. It is one of very important protocol needed wit WEB servers.

Please add support for HSTS, HTTP Strict Transport Security on sophos XG WAF

Allow the use of wildcard domain names for Webservers. Also allow them to be sorted in priority so that a more specfic FQDN takes precidence over a wildcard domain.

Allow IPv6 (and IPv4) for WAF

Hej,
please add the posibility to add a country or country group to "Allowed Client Networks" and "Blocked Client Networks". This is very important for us.

Thank you.

Best regards,
Michael

DSCP is a new feature but can be only used on User/Network rule. I would like to see the DSCP even on BAR in order to better manage multiple ISP.
Cyberoam has this feature.
Thanks.

Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

Because some web applications use for example %2F for a slash and the reverse proxy cannot translate this back to / because of allowencodedslashes is not enabled by default. So this results in a 404 error.

http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

This is essential for Web Applications like SAP Fiori! I think we not the only company who have this issue.