
Webserver Protection log for Protocol Enforcement

I have a website behind webserver protection on a virtual XG 18.5.1-326.

One page on the website creates an error that leads to a blocking of the next page.

The only way to unblock it is by creating an exception for the relevant path for the "Protocol enforcement"

My problem is that finding the solution was a trial-and-error procedure.

The reverseproxy.log does not show any entry for this error.

Are there other log files for the different rules in "Protection policies" that can show me where the error really lies?

[edited by: emmosophos at 12:11 AM (GMT -7) on 22 Oct 2021]
  • Hello!

    Protocol Enforcement's error messages do show up in reverseproxy.log; here's an example of how one looks:

    [Mon Oct 18 10:09:58.504231 2021] [security2:error] [pid 25571:tid 139721485133568] [client] [client] ModSecurity: Warning. Pattern match "%[0-9a-fA-F]{2}" at ARGS:cursor. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1142"] [id "920230"] [msg "Multiple URL Encoding Detected"] [data "###"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [tag "paranoia-level/2"] [hostname "###"] [uri "###"] [unique_id "YW1yJn@TM9NGFzguUaR2ygAAAGM"]

    What filter strength are you applying on the protection policies?

    Level 2 and Level 3 have the same (all-around) protection; the difference between them is how protocol enforcement is applied. If you're using a Level 3 filter strength, consider lowering it to Level 2 before creating exemptions.

    If a post solves your question use the 'Verify Answer' link.
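    The reverseproxy.log entry quoted above is an Apache error-log line with ModSecurity's bracketed fields appended, so the rule id, message, hostname and URI can be pulled out mechanically rather than by reading the line. The script below is an added example, not Sophos code and not part of this thread: it parses such lines and counts hits per (rule id, hostname, URI). Grouping by URI rather than by client address also covers the situation where the logged client IP is not the visitor's real address, as in the follow-up post. The log lines, IPs, hostname and URIs in SAMPLE_LINES are constructed (the first line is the reply's example with placeholder values filled in); only the field layout comes from the page.

```python
import re
from collections import Counter

# Constructed sample lines in the reverseproxy.log layout shown in the reply above.
# Client IPs, hostname and URIs are placeholders, not values from the page.
SAMPLE_LINES = [
    r'[Mon Oct 18 10:09:58.504231 2021] [security2:error] [pid 25571:tid 139721485133568] [client 10.0.0.5] [client 10.0.0.5] ModSecurity: Warning. Pattern match "%[0-9a-fA-F]{2}" at ARGS:cursor. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1142"] [id "920230"] [msg "Multiple URL Encoding Detected"] [data "###"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [tag "paranoia-level/2"] [hostname "www.example.test"] [uri "/app/list"] [unique_id "YW1yJn@TM9NGFzguUaR2ygAAAGM"]',
    # Same rule, same page, different (constructed) client address.
    r'[Mon Oct 18 10:10:03.112233 2021] [security2:error] [pid 25571:tid 139721485133568] [client 10.0.0.6] ModSecurity: Warning. Pattern match "%[0-9a-fA-F]{2}" at ARGS:cursor. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1142"] [id "920230"] [msg "Multiple URL Encoding Detected"] [data "###"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "paranoia-level/2"] [hostname "www.example.test"] [uri "/app/list"] [unique_id "CONSTRUCTED-ID-2"]',
    # A non-ModSecurity line that must be skipped.
    r'[Mon Oct 18 10:10:05.000000 2021] [proxy:error] [pid 25571:tid 139721485133568] [client 10.0.0.7] AH00898: constructed non-WAF line',
    # A different rule whose data field contains escaped quotes (constructed).
    r'[Mon Oct 18 10:11:00.000000 2021] [security2:error] [pid 25571:tid 139721485133568] [client 10.0.0.8] ModSecurity: Warning. Matched phrase "x" at ARGS:q. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "999"] [id "920270"] [msg "Constructed message"] [data "x=\"y\""] [severity "CRITICAL"] [tag "paranoia-level/1"] [hostname "www.example.test"] [uri "/other"] [unique_id "CONSTRUCTED-ID-4"]',
]

TS_RE = re.compile(r'^\[([^\]]+)\]')                        # leading Apache timestamp
CLIENT_RE = re.compile(r'\[client\s*([^\]]*)\]')             # [client 10.0.0.5]; empty when redacted
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"], value may contain \" escapes
ACTION_RE = re.compile(r'ModSecurity: (.*?)(?= \[file ")')   # free text before the first [file "..."]


def parse_modsec_line(line):
    """Return a dict of the fields of one ModSecurity event line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    ts = TS_RE.match(line)
    client = CLIENT_RE.search(line)
    event = {
        "timestamp": ts.group(1) if ts else None,
        "client": client.group(1) if client and client.group(1) else None,
        "action": None,
        "tags": [],
    }
    action = ACTION_RE.search(line)
    if action:
        event["action"] = action.group(1)
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            event["tags"].append(value)   # a line carries several [tag "..."] fields
        else:
            event[key] = value            # id, msg, data, severity, hostname, uri, ...
    return event


def paranoia_level(event):
    """CRS paranoia level from the paranoia-level/N tag, or None if absent."""
    for tag in event["tags"]:
        if tag.startswith("paranoia-level/"):
            return int(tag.split("/", 1)[1])
    return None


def events_by_rule_and_uri(lines):
    """Count events per (rule id, hostname, uri), ignoring the client address."""
    counts = Counter()
    for line in lines:
        event = parse_modsec_line(line)
        if event is None:
            continue
        counts[(event.get("id"), event.get("hostname"), event.get("uri"))] += 1
    return counts


if __name__ == "__main__":
    # Stand-alone run: a per-rule/per-page summary of the constructed sample.
    for (rule_id, host, uri), n in events_by_rule_and_uri(SAMPLE_LINES).most_common():
        print(f"{n:4d}  rule {rule_id}  {host}{uri}")
```

    To use it on a real box, replace SAMPLE_LINES with the lines of reverseproxy.log; the (rule id, URI) summary tells you which path needs the exception and which CRS rule fired, and the paranoia-level tag shows whether a lower filter strength would have skipped the rule.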

  • We have Level 2
    I have found the errors. Due to a special configuration of the customer's system, the "Client" IP address in the log is different from the real IP address of the person opening the website.
    That's why I was not able to find the errors.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner