
Question about moving server from DNAT to WAF and source address of incoming packets.

Hi there.

When I moved my web server from a standard DNAT rule to a WAF rule, all incoming packets on the server have src address = WAN interface.

Is it possible to set up the WAF without changing the source addresses of incoming packets?

I need to see the original source IPs from the internet on the web server.



  • OK, so here is a simple example:

    I host nextcloud as mydomain.com/nextcloud with access from all the world.

    The same server hosts a Zabbix instance at mydomain.com/zabbix, but in zabbix.conf (/etc/apache2/conf-enabled/zabbix.conf) there are entries like "Require ip 192.168" etc., so Zabbix is available only from the "Required" addresses (local intranet).

    I can't do this when I move mydomain.com behind the WAF; enabling "pass host header" changes nothing, Zabbix is accessible from the LAN and the internet.

  • Well. The source address will change. This is the WAF job.

    But within web applications and web servers it is common to check for X-Forwarded-For headers. You may also enable it in the Apache web server logging behind. X-Forwarded-For is the standard feature for this.

    What do you mean by "rules in the web server"? Apache / nginx? Or is it your web application?


    Sophos Gold Partner
    4TISO GmbH, Germany
  • Thanks but it doesn't resolve the problem.

    When I'm behind a DNAT rule, connections to the web server (at layer 3) have their original source addresses; Wireshark shows something like this:
    IP 80.20.20.20.5475 > 172.16.16.17.https: Flags [F.], seq 2104, ack 5140, win 1022.................

    but when I switch to a WAF rule, the source IP address changes to the local LAN IP address of the Sophos firewall and looks like this:
    IP 172.16.16.16.5460 > 172.16.16.17.https: Flags [P.], seq 8982:9006, ack 13..........

    So the web server doesn't know who is connecting when it is behind the WAF. I've got many rules on the web server to log and to serve specific content depending on source IP addresses.

    Is it possible for the WAF not to change the source IP address of the layer 3 packets?

  • Hello.

    Perhaps the setting "Pass host header" under Advanced within the firewall rule does the trick for you.

    This will add an extra header "X-Forwarded-For" to the request which contains the client IP that you may analyze.


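An added example, not code from the thread and not from Sophos, that shows the check the web server has to make once it sits behind the WAF, as both replies above suggest. It assumes, as those replies state, that the WAF at 172.16.16.16 (the firewall LAN address from the tcpdump lines) inserts an X-Forwarded-For header. In Apache 2.4 the counterpart is mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy 172.16.16.16), after which "Require ip 192.168" and %a in LogFormat see the restored client address. The code reproduces that algorithm in Python to make the caveat visible: the header is only believed when the TCP peer is the WAF, otherwise any internet client could forge an intranet address and get past "Require ip". The client addresses 192.168.1.5 and 10.0.0.1 are constructed for the example.

```python
import ipaddress

# Addresses taken from the thread's tcpdump lines: the Sophos firewall's LAN
# address is what the web server sees as the peer once the WAF is in front.
WAF_LAN_ADDRESS = "172.16.16.16"

# Equivalent of mod_remoteip's RemoteIPInternalProxy: only X-Forwarded-For
# values inserted by these hops are believed. Anything else is client-supplied.
TRUSTED_PROXIES = [ipaddress.ip_network(WAF_LAN_ADDRESS + "/32")]

# Equivalent of the thread's "Require ip 192.168" in zabbix.conf.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.0.0/16")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(peer_ip, xff_header):
    """Weak form: trust whatever X-Forwarded-For says. A client connecting
    directly (or through an untrusted path) can forge the header and claim
    to be on the intranet."""
    if xff_header:
        return ipaddress.ip_address(xff_header.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Hardened form, following the mod_remoteip algorithm: if the TCP peer is
    a trusted proxy, walk X-Forwarded-For from right to left, discarding
    trusted hops; the first untrusted address is the real client. If the peer
    is not a trusted proxy the header is ignored entirely."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, trusted):
        return peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer
    while hops:
        try:
            hop = ipaddress.ip_address(hops.pop())
        except ValueError:
            # Malformed entry: stop here rather than trust garbage.
            break
        client = hop
        if not _in_any(hop, trusted):
            break
    return client


def zabbix_allowed(peer_ip, xff_header):
    """Apply the "Require ip" allow list to the resolved client address."""
    return _in_any(effective_client_ip(peer_ip, xff_header), ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests (not captured traffic): layer 3 peer address plus
    # the X-Forwarded-For header the WAF or the client itself sent.
    cases = [
        ("LAN user via WAF",            WAF_LAN_ADDRESS, "192.168.1.5"),
        ("internet user via WAF",       WAF_LAN_ADDRESS, "80.20.20.20"),
        ("internet user spoofing XFF",  WAF_LAN_ADDRESS, "192.168.1.5, 80.20.20.20"),
        ("spoofed XFF, direct client",  "80.20.20.20",   "192.168.1.5"),
    ]
    for label, peer, xff in cases:
        print(f"{label:28s} naive={naive_client_ip(peer, xff)} "
              f"real={effective_client_ip(peer, xff)} "
              f"zabbix_allowed={zabbix_allowed(peer, xff)}")
```

The right-to-left walk matters: a client that sends its own X-Forwarded-For gets it appended to, not replaced, by a proxy that follows the header's convention, so the trustworthy address is the rightmost one that a trusted hop did not insert. If the original DNAT path is kept open in parallel with the WAF, direct connections never pass through a trusted proxy and the header is ignored for them, which is what the peer check enforces.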