XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

Dynamic (Automatic) Certificates on Web Server Protection

Currently under WebServer Protection, you are required to set up an SSL Certificate for each Web Server that you are trying to protect. In a web hosting environment this is not plausible or even practical.

Use Case Scenario:

- A cPanel Web Hosting server could potentially be hosting 100s or 1000s of Web Sites.
- It is best practice to SSLize Websites. Using standard http is no longer desirable, and it's easier than ever now to automate SSL certificates on websites hosted with cPanel (see next point).
- cPanel provides automatic SSL certificate deployment from Comodo Secure to any website you want using their AutoSSL module.
- The AutoSSL certificates are valid for 90 days and then renew automatically. (In a way they are similar to Let's Encrypt certs in that they are 90-day certs.)
- Because of this feature it's now common/standard to enforce SSL on all websites and not even allow standard http. (At a minimum, redirect http to https.)

In order for the XG Firewall to sit in front of cPanel-based websites and provide any level of protection, you are currently required to manually import the certificate for EACH and EVERY website you want to protect into the XG.

Because of the quantity of sites (100s or 1000s) and the 90-day period where the certs are valid, it's not even practical to try to import these certificates. The time required is absolutely prohibitive.

My suggestion is to have the XG Firewall query the web server and obtain the certificate automatically rather than requiring a manual import. This would allow the certificates on the cPanel sites to renew at will without interfering with firewall protection.

As of right now, XG Firewall cannot be used to protect cPanel sites for this reason, and other solutions must be used.

3 votes

Marvin Huffaker shared this idea

1 comment

  • Marvin Huffaker commented

    I'm adding this small tidbit because a Sophos employee I was discussing this with recently did not know what cPanel was. cPanel (or cPanel/WHM) is a commercial web hosting platform that is Linux-based. It's a powerful hosting and management platform and is one of the most widely used hosting platforms out there. Many hosting providers use cPanel, and when you host through them, you get a cPanel-based control panel for your website. For example, GoDaddy and HostGator both provide cPanel-controlled web hosting.
