Forbidden - You don't have permission to access / on this server.

WAF Logs (editted the domain name part)

zzzp8 said:

 Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxx.co.uk)

It appears that in stead of using the registered name, an application is using the IP-address directly which is forbidden (status 403).

Thanks for the reply

I still dont quite get it tho?

In IIS, I have bindings setup to service files.xxxx.co.uk on port 80 , and the setup in the WAF itself on the sophos looks to be ok (i think)

Im simply just browsing from a browser to files.xxxx.co.uk  and I get the Forbidden you dont have permission to access / on this server. 

Any ideas?

Sorry to be a noob, does anybody have any other ideas Im struggling abit on this one

Under virtual server > interface

I have always used the interface I would be connecting to from the client. This normally being the one connected to the internet.

Is internal the correct one?

Thanks for the reply.

I'm using it on AWS so it only displays an internal interface. Im not sure the firewall is actually aware of its external interface as AWS does networking abit differently if I understand correctly e.g. software defined 

Setting up WAF takes some effort.  It looks like you've just drastically modified the "Basic Protection" Profile instead of starting it in "Monitor" mode and making sure you can connect first.  The log is confusing me because you don't have 'Static URL hardening' selected.

Cheers - Bob

Thanks. 

I have set the Basic profile as follows:

And retaken a capture of the logs here:

2018:07:09-01:05:34 ids httpd[416]: [url_hardening:error] [pid 416:tid 4063746928] [client 125.236.212.159:19506] No signature found, URI: http://files.xxxxx.co.uk/
2018:07:09-01:05:34 ids httpd[416]: [url_hardening:error] [pid 416:tid 4055354224] [client 172.18.175.138:33718] Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxxx.co.uk)
2018:07:09-01:05:34 ids httpd: id="0299" srcip="172.18.175.138" localip="172.18.175.138" size="209" user="-" host="172.18.175.138" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="412" url="/" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K03qwSr4oAAAGgAeIAAAA7"
2018:07:09-01:05:34 ids httpd: id="0299" srcip="125.236.212.159" localip="172.18.175.138" size="177" user="-" host="125.236.212.159" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="2850" url="/" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K03qwSr4oAAAGgAeEAAAA6"
2018:07:09-01:05:35 ids httpd[416]: [url_hardening:error] [pid 416:tid 4046961520] [client 125.236.212.159:19510] No signature found, URI: files.xxxxx.co.uk/favicon.ico
2018:07:09-01:05:35 ids httpd[416]: [url_hardening:error] [pid 416:tid 4038568816] [client 172.18.175.138:33719] Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxxx.co.uk)
2018:07:09-01:05:35 ids httpd: id="0299" srcip="172.18.175.138" localip="172.18.175.138" size="220" user="-" host="172.18.175.138" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="419" url="/favicon.ico" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K036wSr4oAAAGgAeQAAAA9"
2018:07:09-01:05:35 ids httpd: id="0299" srcip="125.236.212.159" localip="172.18.175.138" size="185" user="-" host="125.236.212.159" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="2247" url="/favicon.ico" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K036wSr4oAAAGgAeMAAAA8

This is screen I get when I browse to the URL:

I suspect that you have no such problem if 'Static URL hardening' is not selected.  If so, then since you've already tried enabling/disabling URL rewrite and pass host headers, this would indicate that your website is returning URLs that contain fixed IPs - can you check that?

Cheers - Bob