
Sophos WAF understand

Good morning all.
I have a behavior that I cannot understand with the WAF function, or maybe I did not understand how the WAF works.

On my XG I opened ports 443 and 80 to a web server.
Until then, no problem.

Following a change to the firewall rules in my company (it is impossible to use non-standard ports other than 80 and 443),
it is impossible to use port forwarding to another server.

I decided to set up the WAF.

I created a WAF rule with a certificate for HTTPS.

My problem is that this rule only works if I deactivate my firewall rule and my NAT rule for my web server.

For my tests I took care to put the WAF rule before my rule for my web server.

Did I get it wrong somewhere, or did I just not understand the principle of the WAF?

Thank you in advance.
I hope I was clear enough.

Sophos XG 18.0.5 MR-5



  • I would think the old DNAT rule takes precedence over WAF rules.

    Discussed often for blocking unwanted traffic using a blackhole rule (support.sophos.com/.../KB-000038943).

    But the packetflow-picture shows other details...

    community.sophos.com/.../life-of-a-packet---sophos-xg-v18-0


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello,
    Thank you for your reply.
    But I don't see how putting a blackhole rule in place will solve my problem?

  • Hello,

    You can't have both at the same time: a WAF rule and a DNAT rule for internal servers.

    If using WAF, you grab ports 80 and 443 and then decide, with the URL reference from the calling user agent, where to pass this request to.

    You cannot have a DNAT rule in place for the same ports on that same IP address.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I understand what you are saying.
    What I cannot explain to myself is why the WAF rule does not work when it is before the DNAT rule.
    This is mostly what I want to understand.

  • It's the XG Firewall setup which causes your issue.

    The architecture of WAF and NAT comes from a unified perspective. In V17.5, NAT was embedded into the firewall (called a Business Application Rule). Therefore the NAT decoupling, as in V18.0, still has some ties to this setup, as WAF is still a firewall rule and a NAT rule in one place. But as NAT is decoupled, the system-internal NAT rule for WAF is the last one in the rule set; you cannot move a DNAT rule below this threshold. It's a limitation within the architecture, which is not resolved yet. But the use case of those NAT rules is not clear to me. Why do you want to have a NAT rule below the WAF? This rule, generally speaking, will never be applied.

    __________________________________________________________________________________________________________________

  • Hello LuCar Toni.
    Thank you for your answer and your explanation.
    So it's a bug that isn't really one, let's say.
    It's not that I need a NAT rule under a WAF rule.
    It's just that during my test of the WAF rule I left my WAF and firewall rules active.
    So I didn't understand why my WAF rule wasn't working.
    Now I have an explanation.

    On the other hand I do not see the possibility of putting a geographic restriction in the WAF rule.
    Because by default on the incoming service I prefer to limit myself to France.

  • You can do this geo-blocking by using a NAT rule with the unwanted countries and a blackhole destination.

    __________________________________________________________________________________________________________________
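To make the precedence described in the two replies above concrete, the following is an added model of first-match NAT evaluation on XG v18 (example code written for this thread, not Sophos code). It appends the WAF's system NAT rule last, as LuCar Toni explains, so it shows why the original poster's still-active DNAT rule for ports 80/443 captures the traffic before the WAF, and it also models the blackhole geo-blocking rule from the reply just above. The public IP, server IP, country codes, rule names and the GeoIP lookup are all constructed assumptions.

```python
"""First-match model of DNAT vs. WAF rule ordering on Sophos XG v18, as
described in the thread.  Added example; not Sophos code.  All addresses,
country codes and rule names below are constructed."""
from dataclasses import dataclass
from typing import Optional

WEB_PORTS = {80, 443}      # ports a WAF rule claims on its public IP
BLACKHOLE = "blackhole"    # drop target used for geo-blocking


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    src_country: str       # assumption: already resolved by a GeoIP lookup


@dataclass
class NatRule:
    name: str
    dst_ip: str                              # public IP the rule listens on
    ports: frozenset                         # destination ports matched
    target: str                              # "waf", BLACKHOLE or internal IP
    countries: Optional[frozenset] = None    # None = any source country

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.dst_ip or pkt.dst_port not in self.ports:
            return False
        return self.countries is None or pkt.src_country in self.countries


def waf_system_rule(public_ip: str) -> NatRule:
    """The system-internal NAT rule a WAF rule creates; it is always last."""
    return NatRule("WAF (system)", public_ip, frozenset(WEB_PORTS), "waf")


def evaluate(rules: list, public_ip: str, pkt: Packet) -> str:
    """Evaluate the admin's DNAT rules in order, then the WAF system rule.
    Returns the name of the first matching rule, or 'no match'."""
    for rule in rules + [waf_system_rule(public_ip)]:
        if rule.matches(pkt):
            return rule.name
    return "no match"


def shadowing_rules(rules: list, public_ip: str) -> list:
    """Names of DNAT rules that forward to an internal server on the WAF's
    IP and ports.  Because they sit above the WAF system rule, they win on
    every request and the WAF is never reached: the thread's symptom."""
    waf = waf_system_rule(public_ip)
    return [
        r.name for r in rules
        if r.target not in ("waf", BLACKHOLE)
        and r.dst_ip == waf.dst_ip
        and r.ports & waf.ports
    ]


PUBLIC_IP = "203.0.113.10"   # constructed documentation address

# Scenario 1: the original poster's test, DNAT to the web server left active.
OP_RULES = [NatRule("DNAT web server", PUBLIC_IP, frozenset({80, 443}), "10.0.0.5")]

# Scenario 2: DNAT removed; geo-blocking via a blackhole NAT rule above the WAF
# that lists the unwanted countries (a short constructed list).
GEO_RULES = [NatRule("Blackhole unwanted countries", PUBLIC_IP,
                     frozenset({80, 443}), BLACKHOLE,
                     countries=frozenset({"DE", "US"}))]

if __name__ == "__main__":
    fr = Packet(PUBLIC_IP, 443, "FR")
    de = Packet(PUBLIC_IP, 443, "DE")
    print("OP setup, FR client ->", evaluate(OP_RULES, PUBLIC_IP, fr))
    print("shadowing rules      ->", shadowing_rules(OP_RULES, PUBLIC_IP))
    print("geo setup, FR client ->", evaluate(GEO_RULES, PUBLIC_IP, fr))
    print("geo setup, DE client ->", evaluate(GEO_RULES, PUBLIC_IP, de))
```

Running `shadowing_rules` against a proposed rule set before enabling a WAF rule is the check that would have explained the original poster's result immediately: any internal-server DNAT on the same IP and ports is a conflict, while a blackhole rule above the WAF is not, since non-blocked clients fall through to the WAF system rule.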

  • Hello LuCar Toni,
    Last question.
    How do I access the Sophos XG itself with a WAF rule?
    I have tried several things but it doesn't work.
    Thank you in advance.