Webserver protection setup problems

I'm attempting to set up Sophos UTM as Webserver protection, right now behind a different firewall, and running into issues.  Looking at Sophos I may just use it as the main firewall in the future, but for now it has to be behind another as reverse proxy.


Main firewall - 10.1.1.9

Sophos - one NIC (I think as bridge mode?), 10.1.1.8

Webserver - 10.1.1.16


I have the main firewall forwarding port 80 traffic to Sophos.


In Sophos I've set up the real and virtual webservers.  I have Pass host header enabled in the virtual web server.  In Network Protection I've set up a firewall rule allowing port 80 traffic from any source to the Internal network.


At present I have no NATs set up as some of the documentation I was reading said NATs would effectively bypass the Webserver Protection.


On the webserver I've set up Sophos as  Trusted Proxy, mostly so the real IPs will come through.


On Sophos I do see web traffic coming into the box, but the websites do not come up. I don't see the web traffic in the access or error logs of the webserver.  I haven't done any network sniffing yet to see if they are getting there.  The live web server protection logs don't show any sort of logging to indicate traffic.


Can anyone point me in the right direction, some documentation or how-tos?  I'm stuck.  I appreciate any help.
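The "Trusted Proxy" setting mentioned in the question exists so that the real web server honours X-Forwarded-For only when the request actually arrived from the UTM, and ignores the header when a host that can reach the web server directly forges it. As an added illustration (not code from the original post or from Sophos), the following Python mirrors that rule the way a web server's trusted-proxy directive does: the header is consulted only when the TCP peer is the UTM address 10.1.1.8 given in the post, the chain is walked from the right so that additional trusted hops are skipped, and anything malformed falls back to the peer address. The sample requests and log lines are constructed.

```python
import ipaddress
from typing import Dict, List

# Assumed from the post: the UTM (reverse proxy) sits at 10.1.1.8.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.8")}
XFF_HEADER = "x-forwarded-for"


def client_ip(peer_addr: str, headers: Dict[str, str]) -> str:
    """Address the web server should log and act on for this request.

    X-Forwarded-For is only trusted when the TCP peer is a trusted proxy;
    a client connecting directly can put anything in that header.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)                      # direct connection: header ignored

    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get(XFF_HEADER, "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]

    # Walk right-to-left: each trusted proxy appended its upstream peer, so the
    # first untrusted address seen from the right is the real client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)                  # malformed header: safe fallback
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)                          # header empty or all hops trusted


def access_log_line(peer_addr: str, headers: Dict[str, str], request: str, status: int) -> str:
    """Common-log-style line using the resolved client address (constructed format)."""
    return f'{client_ip(peer_addr, headers)} - - "{request}" {status}'


def demo() -> List[str]:
    """Constructed requests: via the UTM, forged directly, and a two-hop chain."""
    cases = [
        ("10.1.1.8", {"X-Forwarded-For": "203.0.113.7"}, "GET / HTTP/1.1", 200),
        ("198.51.100.5", {"X-Forwarded-For": "203.0.113.7"}, "GET /admin HTTP/1.1", 403),
        ("10.1.1.8", {"X-Forwarded-For": "203.0.113.7, 10.1.1.8"}, "GET /a HTTP/1.1", 200),
        ("10.1.1.8", {}, "GET /health HTTP/1.1", 200),
    ]
    return [access_log_line(*c) for c in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second constructed case is the one the setting protects against: the header names a real-looking client, but because the connection did not come from 10.1.1.8 the logged address is the actual peer 198.51.100.5.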

  • 1) I do not believe that you have bridge mode.   Bridge mode looks like this:

    Switch --- UTM --- Firewall

    Two (or more) physical interfaces are bound together as one logical interface to UTM.   Everything going to the firewall has to pass through UTM.

    From your description, you have this:

    Switch --- UTM
       \____________ Firewall

    In this mode, UTM only sees traffic that targets one of its addresses, so it can only do Standard Mode functions.   For more detail on Standard and Transparent mode functions, see this post:

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/100848/how-to-understand-utm-port-usage

    2) Basic process that I use for configuring a webserver:

    On UTM

    • Configure the real webserver and test it internally
    • Get an SSL Certificate for the website so you can use HTTPS, which provides proof of server identity as well as encryption.
    • Configure an Additional Network Address on UTM.   (Using the primary address will create conflicts with the user portal.)   Since UTM is behind your firewall, this will be an internal address.
    • Create the virtual webserver and assign it to the chosen IP address and the (recommended) SSL certificate.
    • Enable the webserver.   If it can connect to the real webserver, the status indicator will go green.   (May need to navigate away and come back to see the correct status light.)

    On a test machine with an internal IP address

    • Create a HOSTS file entry to force your test traffic to target the UTM virtual webserver address instead of the real webserver address.
    • Enable a firewall profile with all protections enabled but in monitor mode.
    • Do all of your tests 
    • Review the logs and disable tests that are throwing false positives.
    • Decide whether to deploy to the internet in Monitor Mode or Reject Mode

    On the firewall

    • Create a NAT rule from the chosen Internet address to the UTM virtual webserver address.
    • Test again from an external PC.
    • Enable Reject mode 
  • Hi Scott and welcome to the UTM Community!

    Do you see anything in the WAF log that would indicate that it's processing the incoming requests?  Please show pictures of the Edits of the Interface definition, the Virtual Server, Real Server and the Host object in the real server.

    Cheers - Bob