

ID numbers from WAF log - Common threat filter - Skip filter rules

How can I find the rule ID (like [id "981176"]) in Sophos XG web server publishing, so that I can add it to the bypass list under Web server - Protection policies?

When using Sophos SG it was in the logs.

For Sophos XG there is the article https://community.sophos.com/kb/en-us/122833 and the ID is supposed to be in the logs: [id "981176"] [msg "Inbound Anomaly Score Exceeded


When I open the Log viewer from the Sophos XG web console (Detailed view, module Web server protection),
the log looks like this (without an ID number):


messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="MYURL" src_ip="mypublicIP" local_ip="my-XG-IP-address" protocol="HTTP/1.1" url="/RDWeb/Pages/en-US/login.aspx" query_string="" cookie="_ga=GA1.2.553296830.1454709251; _gcl_au=1.1.2086021688.1580460192" referer="myURL" method="POST" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0" host="mypublicIP" response_time="4656" bytes_sent="429" bytes_received="1055" fw_rule_id="76"

There is no ID like 981176.
I am using XG230 (SFOS 17.5.9 MR-9) 


Thanks

Martin



This thread was automatically locked due to age.
  • Martin,

    If the ID does not show up, put the WAF service into debug mode from the advanced shell:

    service WAF:debug -ds nosync

    Check the logs again from the log viewer or from /log/reverseproxy.log; you should see more information in the log now that the service is in debug mode.

    To disable debug, run the command again.

    More info here:

    community.sophos.com/.../124574

    Regards

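Once debug is on, the remaining work is to tie the message that the log viewer reports back to a rule number. The Python script below is added here as an example and is not Sophos code. It parses the two log shapes that appear in this thread: the key="value" line from the log viewer (shape copied from the question, with the addresses replaced by documentation IPs) and ModSecurity-style lines with [id "..."] [msg "..."] tags of the form the KB article refers to, as /log/reverseproxy.log shows them in debug mode. The reverseproxy.log lines are constructed for the example; only the ID 981176 and the message text come from the thread, while the second rule ID 981173 and the file, line, hostname and unique_id values are sample values.

```python
"""Map WAF log messages to ModSecurity rule IDs for an SFOS skip filter.

Added example, not Sophos code. Two log shapes are handled:
  * the key="value" line the SFOS log viewer shows, which has no rule ID and
    only the 'extra' text with a "Last Matched Message", and
  * ModSecurity-style lines carrying [id "..."] [msg "..."] tags, the form the
    KB article refers to, as seen in /log/reverseproxy.log with WAF debug on.
All sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)="([^"]*)"')                 # key="value"; values contain no quotes
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "981176"], [msg "..."], [uri "..."]
LAST_MATCHED_RE = re.compile(r"Last Matched Message:\s*(.+)$")

# Shape of the log-viewer line from the question, with addresses replaced by documentation IPs.
SAMPLE_LOGVIEWER = (
    'messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" '
    'server="MYURL" src_ip="203.0.113.10" local_ip="198.51.100.1" protocol="HTTP/1.1" '
    'url="/RDWeb/Pages/en-US/login.aspx" query_string="" method="POST" response_code="403" '
    'reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=1, XSS=): '
    'Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special '
    'characters exceeded" fw_rule_id="76"'
)

# Constructed reverseproxy.log lines: 981176 is the ID from the thread; the rule ID 981173,
# file, line, hostname and unique_id values are sample values chosen for this example.
SAMPLE_REVERSEPROXY = [
    '[Tue Feb 04 10:21:33.100000 2020] [:warn] [pid 4242] [client 203.0.113.10] '
    'ModSecurity: Warning. Operator GE matched 4 at TX:sql_special_chars. [file "/rules/sqli.conf"] '
    '[line "17"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of '
    'special characters exceeded"] [severity "WARNING"] [hostname "198.51.100.1"] '
    '[uri "/RDWeb/Pages/en-US/login.aspx"] [unique_id "XjFxAA"]',
    '[Tue Feb 04 10:21:33.100500 2020] [:error] [pid 4242] [client 203.0.113.10] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/rules/evaluator.conf"] [line "3"] [id "981176"] [msg "Inbound Anomaly Score Exceeded '
    '(Total Score: 6, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly '
    'Detection Alert - Total # of special characters exceeded"] [severity "CRITICAL"] '
    '[hostname "198.51.100.1"] [uri "/RDWeb/Pages/en-US/login.aspx"] [unique_id "XjFxAA"]',
    # a second client trips only the contributing rule, on a different page
    '[Tue Feb 04 10:25:01.000000 2020] [:warn] [pid 4242] [client 203.0.113.20] '
    'ModSecurity: Warning. Operator GE matched 4 at TX:sql_special_chars. [file "/rules/sqli.conf"] '
    '[line "17"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of '
    'special characters exceeded"] [severity "WARNING"] [hostname "198.51.100.1"] '
    '[uri "/RDWeb/Pages/en-US/Default.aspx"] [unique_id "XjF2BB"]',
]


def parse_kv_line(line):
    """Parse an SFOS log-viewer line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def last_matched_message(kv):
    """The only rule hint in the log-viewer line: the text after 'Last Matched Message:'."""
    m = LAST_MATCHED_RE.search(kv.get("extra", ""))
    return m.group(1).strip() if m else None


def parse_modsec_tags(line):
    """Collect the [key "value"] tags of a ModSecurity-style log line into a dict."""
    return dict(TAG_RE.findall(line))


def collect_rule_hits(lines, uri=None):
    """Group reverseproxy.log lines by rule ID (count, message, URIs); optionally one URI only."""
    hits = defaultdict(lambda: {"count": 0, "msg": None, "uris": set()})
    for line in lines:
        tags = parse_modsec_tags(line)
        rid = tags.get("id")
        if not rid or (uri and tags.get("uri") != uri):
            continue
        hit = hits[rid]
        hit["count"] += 1
        hit["msg"] = hit["msg"] or tags.get("msg")
        if "uri" in tags:
            hit["uris"].add(tags["uri"])
    return dict(hits)


def ids_for_message(lines, message):
    """Map the 'Last Matched Message' text from the log viewer back to the rule IDs carrying it."""
    return sorted(rid for rid, hit in collect_rule_hits(lines).items() if hit["msg"] == message)


def skip_candidates(lines, uri, evaluator_prefix="Inbound Anomaly Score Exceeded"):
    """Rule IDs to consider for a skip filter on one URI: the rules that matched the request,
    leaving out the anomaly-score evaluator whose message only reports the total score."""
    return sorted(rid for rid, hit in collect_rule_hits(lines, uri).items()
                  if not (hit["msg"] or "").startswith(evaluator_prefix))


if __name__ == "__main__":
    kv = parse_kv_line(SAMPLE_LOGVIEWER)
    print("log viewer line carries an id field:", "id" in kv)
    msg = last_matched_message(kv)
    print("last matched message:", msg)
    print("rule IDs with that message:", ids_for_message(SAMPLE_REVERSEPROXY, msg))
    print("skip candidates for", kv["url"] + ":", skip_candidates(SAMPLE_REVERSEPROXY, kv["url"]))
```

The point of keeping the evaluator out of the skip list is visible in the sample: the 981176 line only restates the total score and the last matched message, while the rule whose message appears after "Last Matched Message" is the one that actually fired on the request. On the appliance itself, with debug enabled, the same id/msg pairs can be pulled out of /log/reverseproxy.log with a grep for the `[id "` tag before deciding what to skip.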

  • Hi


    Thanks for fast reply.

    The command "service WAF:debug -ds nosync" returns 400 Bad Request:

    XG230_WP02_SFOS 17.5.9 MR-9# service WAF:debug -ds nosync
    400 Bad Request


    "service -S" shows: WAF RUNNING

    "service WAF:restart -ds nosync" works.

    What I am doing wrong?

    Martin