Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 8 replies
  • Subscribers 40 subscribers
  • Views 6994 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Server Protection // Form Hardening & Anomaly Exception

intrusus

Hello,

i have a question about form hardening on the XG firewall (SFOS version: see signature under the post).

I am in the process of creating a Web Server Protection Policy according to the Technician Guide and have chosen the highest security level appropriate for me and the situation. The web server is a Nextcloud v18 installation. I have created the protection policy as follows:

The first error starts directly with the login page of Nextcloud, I get a so called form_hardening error for the login form. It seems to be enough that the page is only loaded. I have not entered anything into the form yet neither have I submitted it.

SFVH_VM01_SFOS 18.0.0 GA-Build354# tail -f reverseproxy.log | grep form_hardening
[Sat Apr 11 01:34:22.260276 2020] [form_hardening:error] [pid 14058:tid 139927475971840] [client x.x.x.x:60674] Form validation failed: Received unhardened form data
[Sat Apr 11 01:34:22.344610 2020] [form_hardening:error] [pid 14058:tid 139927467579136] [client x.x.x.x:60673] Form validation failed: Received unhardened form data
[Sat Apr 11 01:34:34.222704 2020] [form_hardening:error] [pid 14058:tid 139927459186432] (22)Invalid argument: [client x.x.x.x:60676] No form context found when parsing <input> tag
[Sat Apr 11 01:34:34.457881 2020] [form_hardening:error] [pid 14058:tid 139927459186432] [client x.x.x.x:60676] Form validation failed: Received unhardened form data

Then I added an exception to the WAF Rule as follows:

And now I "just" receive this error:

SFVH_VM01_SFOS 18.0.0 GA-Build354# tail -f reverseproxy.log | grep form_hardening
[Sat Apr 11 01:26:54.244434 2020] [form_hardening:error] [pid 12634:tid 140536161761024] [client x.x.x.x:60625] Form validation failed: Received unhardened form data

So it seems that I was able to fix at least part of the error with the added exception. But how do I now tackle the remaining error?

Looking forward to your answers!



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    Form Hardening protects against web form rewriting. It saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed, when it is submitted Sophos XG Firewall rejects the request. The XG Firewall also inspects and validates the information submitted by visitors via forms on your web sites. This stops malicious users from passing invalid data which can damage or exploit your server as it is processed.

    Live logs are available on GUI.
    Navigate to Monitor & Analyze > Reports > Log Viewer and select ‘Web Application Filter’ from ‘View logs for’ drop-down list
     
    Accept unhardened form data to verify

    https://community.sophos.com/kb/en-us/124574

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • +2 in reply to Keyur

    Hello 

    I don't know if you actually have read my post or not... but I already created an exclusion for form hardening and still I get a Form_Hardening error on the WAF. Is there a way to increase the logging level? Unfortunately, I do not receive more information than the one I already provided in my first post.

    I've edited the exclusion now and added the path "/*" to the already existing "/login/*".


    Could you explain to me whether "/*" should be taken as an exception at all? It now looks to me as if I have added a Form_Hardening exception for the whole website.

    Thanks!

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link

Reply
  • +2 in reply to Keyur

    Hello 

    I don't know if you actually have read my post or not... but I already created an exclusion for form hardening and still I get a Form_Hardening error on the WAF. Is there a way to increase the logging level? Unfortunately, I do not receive more information than the one I already provided in my first post.

    I've edited the exclusion now and added the path "/*" to the already existing "/login/*".


    Could you explain to me whether "/*" should be taken as an exception at all? It now looks to me as if I have added a Form_Hardening exception for the whole website.

    Thanks!

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link

Children
  • 0 in reply to intrusus

    Hi  

    It should take as an exception, could you please try adding the specific path?

    I would recommend you to open a support a case to investigate the issue further - https://secure2.sophos.com/en-us/support/open-a-support-case.aspx

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • 0 in reply to Keyur

    Hey

    The exception seems to have worked now, I guess I was a little impatient! :D
    But now after some time I also get another error message that an anomaly score was reached:

    [Tue Apr 14 21:06:18.407481 2020] [security2:error] [pid 904:tid 140038817773312] [client x.x.x.x:46474] [client x.x.x.x] Mod
    Security: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/apache/conf/waf/rules/RESPONSE-959-BLOCKING-EVALUATI
    ON.conf"] [line "75"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [tag] [hostname "xxx.xxxxxxx.com"] [uri "/index.php/apps/files/api/v1/thumbnail/256/256/images/smartphone/gallery/2020/04/IMG_20200414_161642.jpg"] [unique
    _id "XpYJbX8AAAEAAAOIgFoAAAAw"]

    [Tue Apr 14 21:06:18.407702 2020] [security2:error] [pid 904:tid 140038817773312] [client x.x.x.x:46474] [client x.x.x.x] Mod
    Security: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/apache/conf/waf/rules/RESPONSE-980-CORRELATION.conf"
    ] [line "96"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): individual paranoia level scores: 0, 4, 0, 0"] [tag] [hostname "xxx.xxxxxxx.com"] [uri "/index.php/apps/files/api/v1/thumbnail/256/256/images/smartphone/gallery/2020/04/IMG
    _20200414_161642.jpg"] [unique_id "XpYJbX8AAAEAAAOIgFoAAAAw"]

    In the technician certification it was always said that an exception should be created for the WAF outbound common filter - but I can no longer find the checkbox for outbound in the exceptions of the firewall rule.

    How do I proceed here? Also creating a support case? ^^

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link

  • +2 in reply to intrusus

    Hi in your Policy "NextCloud" add the Id's from the log in the filed "skip filter rules" that gets blocked in this case 959100 and 980140.

     

    //Rickard

  • 0 in reply to RickardNordahl

    Okay,

    so the exception stuff changed a bit with v18... Maybe they should update their trainings [:|]

    Thanks Rickard!
    Be safe and take care in these times.

    Cheers

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link

  • 0 in reply to intrusus

    Glad to be able to help you out.

     

    //Rickard

  • 0 in reply to RickardNordahl

    Hi  

    Thank you for updating the thread with details and your feedback regarding training will be forwarded to the concerned team.

     Thank you for sharing your expertise, much appreciated.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Unfiltered HTML