Question about moving server from DNAT to WAF and source address of incoming packets.

Hello.

Perhaps the setting "Pass host header"  under advanced within the firewall rule does the trick for you.

This will add an extra header "X-Forwarded-For" tho the request which contains the client IP that you may analyze.

Thanks but it doesn't resolve the problem.

When i'm behind DNAT roule connections to web server (in layer 3) have their original source addresses, wireshark shows something like this:
IP 80.20.20.20.5475 > 172.16.16.17.https: Flags [F.], seq 2104, ack 5140, win 1022.................

but when i switch to WAF rule the source ip address is changing to local lan ip address of the sophos firewall: and looks like this:
IP 172.16.16.16.5460 > 172.16.16.17.https: Flags [P.], seq 8982:9006, ack 13..........

So web server doesn't know who is connecting when it is behind WAF. I've got on web server many rules to log and to serve specific content depends on source ip addresses.

Is it possible to WAF doesn't change source ip address on layer 3 packets?

Well. The source address will change. This is the WAF job.

But within web applications and web servers it is common to check for X-Forwarder-For headers. You may also enable it in apache web server logging behind. X-Forwarded-For is the feature that is the standard fo this.

What do mean "rules in the web server". Apache / nginx? Or is it your web application.

OK, so here is a simple example:

I host nextcloud as mydomain.com/nextcloud with access from all the world.

The same server hosts zabbix instance at mydomain.com/zabbix but in zabbix.conf (/etc/apache2/conf-enabled/zabbix.conf) are entries like: "Require ip 192.168" etc. so zabbix is avaiable only from "Required" addresses (local intranet).

Can't do this when i move mydomain.com behind waf, enabling "pass host header" change nothing, zabbix is accessible from lan and internet.

Ok. I understand.

I think, you are talking about differnt things.

If you just have everything open on the internal webserver but want to secure one path (here /zabbix ) you may do this within the WAF by using an addition site path route to the Sophos WAF with access control enabled.

One thing you would loose behind the WAF is, that your logs would see the firewall.

If you want to add an additional layer of security to your backend apache, you may have a look ad mod_remoteip.

For nextcloud:

If you want to use IP-filters there (which is implemented at the nextcloud application level) you have to look at the nextcloud configuration (config/config.php). For that have a look here:  Reverse proxy — Nextcloud latest Administration Manual latest documentation

Ok, I thought the web server could be secured transparently without making changes to the packets.

So now, can you explain "....using an addition site path route to the Sophos WAF with access control enabled." ?
I found "Path-specific routing" settings, I can add path /zabbix, set "allowed clients network" to my lan addresses but i still miss something and zabbix is accessible form any ip.

may I warm up this thread by asking you kindly if passing the original source adress is possible with v19?

Sophos Firewall v19 – Xstream SD-WAN - Announcements - SFOS v19 Early Access Program - Sophos Community

Hi lki: Unfortunately no and the reason that's how the WAF works. WAF is a reverse-proxy server by nature. so when any outside request comes to XG over WAF, XG will initiate a new request to a mapped server and due to that, you may only get the actual source IP  by tracking of "X-Forwarded-For" header on the end server.

Hi Vishal_R. Many thanks for your reply. So the X-Fowarded-For header should be set on the side, where the WAF rule is mapped to, right?

Hi lki: Yes correct:

Reference snapshot and Doc help section which gives information on same.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/WebServerProtection/WAF/Rules/WAFRuleAdd/index.html