
Sophos WAF understand

Good morning all.
I have a behavior that I cannot understand with the WAF function or maybe I did not understand how the WAF works.

On my XG I opened ports 443 and 80 to a web server.
Until then, no problem.

Following a change to the firewall rules in my company (it is impossible to use non-standard ports other than 80 and 443),
it is impossible to use port forwarding to another server.

I decided to set up the WAF.

I created a WAF rule with a certificate for HTTPS.

My problem is that this rule only works if I deactivate my firewall rule and my NAT rule for my web server.

To do my tests I took care to put the WAF rule before my rule for my web server.

Did I get it wrong somewhere or just didn't understand the principle of WAF?

Thank you in advance.
I hope I was clear enough.

Sophos XG 18.0.5 MR-5



  • It's the XG Firewall setup which causes your issue.

    The architecture of WAF and NAT comes from a unified perspective. In V17.5, NAT was embedded into the firewall (called Business application rule). Therefore a NAT decoupling, like in V18.0, still has some ties to this setup, as WAF is still a firewall rule and a NAT rule in one place. But as NAT is decoupled, the system-internal NAT rule for WAF is the last one in the rule set; you cannot move a DNAT rule below this threshold. It's a limitation within the architecture, which is not resolved yet. But the use case of those NAT rules is not clear to me. Why do you want to have a NAT rule below the WAF? This rule, generally speaking, will never be applied.

    __________________________________________________________________________________________________________________

  • Hello Lucar Toni.
    Thank you for your answer and your explanation.
    So this is a bug that is not one, let's say.
    It's not that I need a NAT rule under a WAF rule.
    It's just that during my test of the WAF rule I left my WAF and firewall rules active.
    So I didn't understand why my WAF rule wasn't working.
    Now I have an explanation.

    On the other hand I do not see the possibility of putting a geographic restriction in the WAF rule.
    Because by default on the incoming service I prefer to limit myself to France.

  • You can do this geo-blocking by using a NAT rule with the unwanted countries as source and a blackhole destination.

    __________________________________________________________________________________________________________________
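The two replies above describe one mechanism: NAT rules are evaluated top-down, first match wins, and the WAF's own system NAT entry is pinned last. A user DNAT rule for ports 80/443 placed above it therefore captures the traffic before the WAF ever sees it, and a blackhole NAT rule keyed on unwanted source countries works the same way. The following is an added illustration written for this thread, not Sophos code and not the XG rule engine; the rule names, the web server address and the country list are constructed for the example.

```python
"""Constructed model of first-match NAT evaluation with a pinned-last WAF entry.

Assumptions (taken from the replies in this thread, not from Sophos code):
  * the WAF's system NAT entry is always evaluated after every user NAT rule;
  * a user DNAT rule for the same ports that sits above it wins;
  * a NAT rule with unwanted source countries and a blackhole target sits above
    the WAF entry and so drops those sources before the WAF handles them.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Set, Tuple


@dataclass
class Packet:
    src_country: str   # ISO code a geo-IP lookup would attach to the source
    dst_port: int


@dataclass
class NatRule:
    name: str
    dst_ports: Set[int]
    action: str                               # "dnat", "blackhole" or "waf"
    target: Optional[str] = None
    src_countries: Optional[Set[str]] = None  # None means any source country
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or pkt.dst_port not in self.dst_ports:
            return False
        return self.src_countries is None or pkt.src_country in self.src_countries


# The WAF's internal NAT entry: appended last by the system and not movable.
WAF_SYSTEM_NAT = NatRule("system WAF NAT", {80, 443}, "waf", target="WAF reverse proxy")


def evaluate(rules: Iterable[NatRule], pkt: Packet) -> Tuple[Optional[str], str, Optional[str]]:
    """First matching rule wins; the WAF system NAT is always the last candidate."""
    for rule in list(rules) + [WAF_SYSTEM_NAT]:
        if rule.matches(pkt):
            return rule.name, rule.action, rule.target
    return None, "drop", None


# Constructed user rules for the scenarios in the thread.
LEGACY_DNAT = NatRule("DNAT 80/443 to web server", {80, 443}, "dnat",
                      target="10.0.0.10")            # constructed address
GEO_BLOCK = NatRule("blackhole unwanted countries", {80, 443}, "blackhole",
                    target="blackhole", src_countries={"US", "CN", "RU"})  # constructed list


def scenario_dnat_enabled():
    """Original poster's situation: the DNAT rule above the WAF takes the traffic."""
    return evaluate([LEGACY_DNAT], Packet("FR", 443))


def scenario_dnat_disabled():
    """DNAT rule deactivated: the pinned WAF entry is now the first match."""
    return evaluate([replace(LEGACY_DNAT, enabled=False)], Packet("FR", 443))


def scenario_geo(src_country: str):
    """Geo-blocking via a blackhole NAT rule placed above the WAF entry."""
    return evaluate([GEO_BLOCK], Packet(src_country, 443))


if __name__ == "__main__":
    print("DNAT enabled :", scenario_dnat_enabled())
    print("DNAT disabled:", scenario_dnat_disabled())
    print("Geo FR       :", scenario_geo("FR"))
    print("Geo US       :", scenario_geo("US"))
```

Running it shows why the original poster's WAF rule only worked once the NAT rule was deactivated: with the DNAT rule enabled, the WAF entry is never reached for ports 80/443. The geo scenario shows the blackhole rule catching unwanted sources while French traffic falls through to the WAF.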

  • Hello LuCar Toni,
    Last question.
    How do I access the Sophos XG itself with a WAF rule?
    I have tried several things but it doesn't work.
    Thank you in advance.