Our company network uses a Sophos firewall with an Apache reverse proxy, which is configured to allow HTTPS connections.
After we realized that some of our clients cannot connect over HTTPS, our internal network department told us that the OpenSSL settings of the Apache reverse proxy may be adjusted to our specific needs, but the settings might get overwritten with every Sophos firewall update.
Is there a way to protect the OpenSSL configuration so that Sophos updates will not be able to change it?
'Bonus' question: is it a common feature of commercial firewall products to override customer configuration? ;)
Well, you can make the file immutable:
To get around that, the Sophos installer would have to remove the immutable flag before writing the file, which I very much doubt they're doing. This may break their installer, though. You should make sure you have a copy of the OpenSSL config in your config management system so that you can re-deploy it if needed.
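The approach from the answer above, sketched as an added example (not part of the original answer and not Sophos tooling): compare the live config against a known-good copy from config management, redeploy it if an update changed it, and set the immutable flag again with `chattr +i`. The file paths are passed as arguments because the page does not name the config file; `chattr` needs root and a filesystem that supports file attributes.

```shell
#!/bin/sh
# Added example: drift check and redeploy for a config file that is normally
# kept immutable. LIVE and GOLDEN are hypothetical paths supplied by the caller.

# config_drifted LIVE GOLDEN -> exit 0 if LIVE is missing or differs from GOLDEN
config_drifted() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

# restore_config LIVE GOLDEN -> copy GOLDEN over LIVE, then lock LIVE again
restore_config() {
    # The immutable flag blocks writes even for root, so clear it first.
    chattr -i "$1" 2>/dev/null || true
    cp -p "$2" "$1" || return 1
    # Re-lock. On non-root runs or unsupported filesystems this only warns,
    # so the restored file is still in place. Verify with: lsattr "$1"
    chattr +i "$1" 2>/dev/null ||
        echo "warning: could not set immutable flag on $1" >&2
    return 0
}

# check_and_restore LIVE GOLDEN -> prints "ok", "restored" or "failed"
check_and_restore() {
    if config_drifted "$1" "$2"; then
        if restore_config "$1" "$2"; then
            echo restored
        else
            echo failed
        fi
    else
        echo ok
    fi
}
```

Running `check_and_restore` after each firewall update (for example from cron) also shows whether the update replaced the file despite the flag, because the result is then `restored` rather than `ok`.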