XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
Let's Encrypt Integration
It would be very nice if Let's Encrypt certificates (letsencrypt.org) can be generated directly from the XG Gui. So that the "Let's Encrypt Client" is integrated in the XG. Would it be possible?
Best Regards932 votes -
Share IP between User Portal and WAF
Many small installation could benefit from ability to publish User Portal using Business Rule instead of enabling it directly in Device Access section. The difference is that a single IP can be used to host both User Portal and custom Web applications such as Web mail, Web storage, Web cameras, etc.
Now, the only solution is to change User Portal listening port to something non-standard but this limits the ability to use it from some network environments where only standard WWW ports (80,443) are allowed.
156 votes -
WAF: more authentication type
At the moment there are different type of authentication missing even on UTM9 against ISA server 2006, such as:
- Two-factor authentication using forms-based authentication and a client certificate.
- Delegation of credentials by using NTLM or Kerberos authentication.
- Kerberos constrained delegation.
- Secure Sockets Layer (SSL) client certificate constraints
In this way, XG and UTM9 are the very alternative to ISA Server.
148 votes -
WAF OTP
Migrating from TMG 2010 server to XG 330. Currently, have a few websites, like OWA, remote desktop, etc...that we require 2 factor authentication. Would be great if WAF rules supported OTP authentication using the built in OTP product. Was told by support this is not possible. Thanks.
104 votes -
URL Redirection
Same idea as http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/6101344-url-redirection for the UTM. We need the ability to redirect URL requests.
For example:
67 votes -
WAF Load Balancing - Add additional features
On HTTP/S NLB I would like to have more features, such as:
Weighted roud-robin
Weighted least connection
Hash based on Source/Destination IP
Hash based on Cookies
Hash based on Header/URLThanks
53 votes -
WAF: IPv6 support
Allow IPv6 (and IPv4) for WAF
47 votes -
http/2 support
our customers are asking for the http/2 Support for there webservers, please add the http/2 Support to the WAF - Webserverprotection
45 votes -
HSTS, HTTP Strict Transport Security on sophos XG WAF
Please add support for HSTS, HTTP Strict Transport Security on sophos XG WAF
38 votes -
WAF Virtual Patching and Brute Force Attack
Other UTM/WAF vendors integrate virtual patching features on their product. A really brute force protection in missing on WAF too.
Please add it.37 votes -
Web Server Protection should support multiple group membership
Recently we have create a new ticket with Sophos support (#9307623) and they confirm that 'at a time a user would be part of one group'. It leads us to the hard way when having 2 websites which are needed to be authenticated with 2 domain groups, and from them, we have multipla users who are belonged to these 2 groups as well. Therefore, we can not separate to authencate these ones properly.
I suggest Sophos should improve this feature to make customers easy to configure many authenticated websites appropriately.
Thanks.
34 votes -
WAF: Allow Wildcard domain names
Allow the use of wildcard domain names for Webservers. Also allow them to be sorted in priority so that a more specfic FQDN takes precidence over a wildcard domain.
30 votes -
Reverse proxy add encodedslashes option
Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.
Because some web applications use for example %2F for a slash and the reverse proxy cannot translate this back to / because of allowencodedslashes is not enabled by default. So this results in a 404 error.
http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes
This is essential for Web Applications like SAP Fiori! I think we not the only company who have this issue.
25 votes -
Allow more than 60 HTTP-based/WAF policies - URGENT
I reached the limit of 60 HTTP-based / WAF policies. I am migrating the rules from an ASG to an XG. We still have to create more than 18 policies. Please urgently need this limitation to be removed or extended.
23 votes -
WAF possibility to edit SecRequestBodyNoFilesLimit value
In the WAF configuration is impossible to edit the SecRequestBodyNoFilesLimit instruction.
If an user upload a file greater than 1 Mb receives the error
Request body no files data length is larger than the configured limit - 413 Request entity too large15 votes -
Add X-Forwarded-For / CF-Connecting-IP support
Many of the sites nowadays are behind CloudFlare. It would be great to have an option to inspect and see the real IP address in the WAF logs / Reports.
It will be like 1 raw entry in the Apache configs!
13 votes -
WAF Signature ID does not show in GUI Log viewer; only availible via console logs
Team, This request is to include the actual signature ID being invoked in the GUI WAF logs. Including this will assist us when figured out which rule to bypass, if needed.
12 votes -
x-header forwarders in XG Firewall
Please add x-header forwarders in XG Firewall to see real IP addresses from Cloud fare or CDN networks.
11 votes -
Web Server Protection: Certificate-based Authentication
Hello Team,
Asking assistance if we could be able to add Certificate-based Authentication for web server protection. We have customer here needing this as requirement on their set up.
11 votes -
Add protocoll of current Windows product to the business rules ... (Windows 2016 / 2019)
You had support for Remote Desktop Gateway protocoll (Windows 2008 and 2008 R2) implenented. In the state of the art fw, the modern OS (Windows 2012, Windows 2012, Windows 2019) is not supported for some protocolls.
10 votes
- Don't see your idea?