We'd love to hear about it! Click here to go to the product suggestion community
we're currently implementing Sophos XG as Microsoft TMG replacement and I've seen that in WAF rules it's possible to restrict access to published web servers by specifying only particular paths of the webserver. One use case for us would be to publish Exchange 2016 - but only the paths that are actually needed.
It seems we can restrict access to particular paths either using Path-specific routing directly within the rule OR by specifying Entry URLs in Strict URL Hardening within a Protection Policy. If using Strict URL Hardening for this, it also seems necessary to add an Exception to the WAF rule to allow publishing content behind the paths that were specified as Entry URLs within the Protection Policy.
From a functional perspective I can't see any difference between both options besides logging. When using Path-specific routing the XG simply logs a green 404 Not Found if a path is accessed that is not specified within the rule. When using Strict URL the XG logs a red Request Blocked (No signature found) message.
Not having errors logged when non-specified paths are accessed is fine to me so I'd like to restrict access to URLs of web servers directly within Path-specific routing instead of using Strict URL hardening in Protection Policies - just because it's much more easy to configure (all info directly within the WAF rule, no need to create Exceptions to allow all content below Entry URLs).
My question: Is there any downside to restrict access to URLs using Path-specific routing instead of using Strict URL hardening?
Hi layer9 Please refer to the article for site path routing - https://community.sophos.com/kb/en-us/126470