This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question about moving server from DNAT to WAF and source address of incoming packets.

Hi there.

When i moved my web server from standard dnat to waf rule all incoming packets in server have scr address = wan interface.

Is it possible to set up WAF without changing source addresses of incoming packets?

I need to see on the web server original source ip's from the internet.

This thread was automatically locked due to age.

Top Replies

ThomW over 2 years ago +1

Hello. Perhaps the setting "Pass host header" under advanced within the firewall rule does the trick for you. This will add an extra header "X-Forwarded-For" tho the request which contains the client…

Parents

0 lki over 2 years ago

may I warm up this thread by asking you kindly if passing the original source adress is possible with v19?

Sophos Firewall v19 – Xstream SD-WAN - Announcements - SFOS v19 Early Access Program - Sophos Community
Cancel
Vote Up 0 Vote Down

Cancel
0 Vishal_R over 2 years ago in reply to lki

Hi lki: Unfortunately no and the reason that's how the WAF works. WAF is a reverse-proxy server by nature. so when any outside request comes to XG over WAF, XG will initiate a new request to a mapped server and due to that, you may only get the actual source IP by tracking of "X-Forwarded-For" header on the end server.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 lki over 2 years ago in reply to Vishal_R

Hi Vishal_R. Many thanks for your reply. So the X-Fowarded-For header should be set on the side, where the WAF rule is mapped to, right?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vishal_R over 2 years ago in reply to lki

Hi lki: Yes correct:

Reference snapshot and Doc help section which gives information on same.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/WebServerProtection/WAF/Rules/WAFRuleAdd/index.html

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vishal_R over 2 years ago in reply to lki

Hi lki: Yes correct:

Reference snapshot and Doc help section which gives information on same.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/WebServerProtection/WAF/Rules/WAFRuleAdd/index.html

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lki over 2 years ago in reply to Vishal_R

Perfect - I already mentioned that hint on the help section for WAF. For me it was unclear if this is configured on the WAF itself or on the destination, the traffic is forwarded to.

Your help is much appreciated!
Cancel
Vote Up 0 Vote Down

Cancel
0 ThomW over 2 years ago in reply to Vishal_R

Hello Vishal_R, Hello Iki.

This is exactly what I already wrote 2months ago.

So for backend applications it is required to configure the WAF to pass the host header (in SG and XG) and the backend application has to do the job to evaluate the header fields accordingly.

Regards.

T

Sophos Gold Partner

4TISO GmbH, Germany

If a post solves your question click the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Cancel
0 lki over 2 years ago in reply to ThomW

Hi ThomW, wasn't clear for me, but now I see that using 'pass host header' on WAF rule + configuring header field on destination is necessary.
Cancel
Vote Up 0 Vote Down

Cancel
0 ThomW over 2 years ago in reply to lki

Hi Iki.

Great. If you want to examine that in your backend web server logs it is normallyy required to change the web server log format. You will find a lot for that for e.q. apache or nginx in the web.

HtH.

Thom

Sophos Gold Partner

4TISO GmbH, Germany

If a post solves your question click the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel