
WAF not starting after reboot due to config error

I am on 18.5 MR2 Build 380.

Every time I reboot the firewall, the WAF is not starting. In reverseproxy.log these same lines appear every couple of seconds:

[Fri Jan 28 16:02:27.194845 2022] [core:warn] [pid 17313:tid 139992993545088] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
AH00112: Warning: DocumentRoot [/sdisk/waffiles/d4ccc5ed9becf385efd9ba9b1f2091e7] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/44502cdd091cd7e7fc982c40b77d04a8] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/8e2dcfd7e7e24b1ca76c1193f645902b] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/21b72c0b7adc5c7b4a50ffcb90d92dd6] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/9a3c5f2e7b4cac8047ff8b0eda2fd680] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/a511102ede5324bb4b637310963a9414] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/43d400c215702e62cdcbb687a0e6b755] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/bdda8e6a9dcfc3221e683593e494f550] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/eaf6d735fd2e60ca3d293a82fb0e1adf] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/e91c73fb45b136ce1d8dec3c500d3ad0] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/a17b4e9c956a70522b3807c4b4b11eb7] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/5b5a35f45f655ad8da684f4c2b69bd4d] does not exist
AH00526: Syntax error on line 990 of /cfs/waf/reverseproxy.conf:
Invalid encrypted key

The line number hints at a WAF rule, and my workaround to get it working is to change the advanced setting Protection Policy to "none".
I have 5 rules out of 18 where I need to do this; WAF won't start properly until those 5 rules are changed to protection policy "none".

WAF is then automatically starting properly and serving web pages.

And now the strange thing: Once I apply on those 5 rules the original protection policies again, it keeps working. But only until the next reboot.

The same happens if I restore a backup. I have to undergo the same process.

Where can I look to investigate further? The rules and the policies affected are very different; I can't figure out a common denominator.
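The log excerpt in this post mixes harmless warnings (AH00111, AH00112) with the one message that actually stops httpd from starting (AH00526). The following is an added example, not Sophos code, that triages such a reverseproxy.log excerpt into the config file, line number and reason of the fatal error so a post-reboot check can flag the WAF failure automatically; the sample log is constructed from the lines quoted above.

```python
import re
from typing import Dict, List

# Apache httpd message ids that appear in the reverseproxy.log excerpt above.
UNDEFINED_VAR_RE = re.compile(r"AH00111: Config variable \$\{(?P<name>[^}]+)\} is not defined")
DOCROOT_RE = re.compile(r"AH00112: Warning: DocumentRoot \[(?P<path>[^\]]+)\] does not exist")
SYNTAX_RE = re.compile(r"AH00526: Syntax error on line (?P<line>\d+) of (?P<file>\S+):")

# Constructed sample, copied from the lines quoted in the post (two DocumentRoot lines kept).
SAMPLE_LOG = """\
[Fri Jan 28 16:02:27.194845 2022] [core:warn] [pid 17313:tid 139992993545088] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
AH00112: Warning: DocumentRoot [/sdisk/waffiles/d4ccc5ed9becf385efd9ba9b1f2091e7] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/44502cdd091cd7e7fc982c40b77d04a8] does not exist
AH00526: Syntax error on line 990 of /cfs/waf/reverseproxy.conf:
Invalid encrypted key
"""


def triage_reverseproxy_log(text: str) -> Dict[str, object]:
    """Split httpd startup output into warnings and the fatal syntax error.

    httpd prints the reason for AH00526 on the line that follows it, so the
    two lines are joined into one record with file, line number and reason.
    """
    undefined: List[str] = []
    missing_docroots: List[str] = []
    syntax_errors: List[Dict[str, object]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if (m := UNDEFINED_VAR_RE.search(line)) and m["name"] not in undefined:
            undefined.append(m["name"])
        elif m := DOCROOT_RE.search(line):
            missing_docroots.append(m["path"])
        elif m := SYNTAX_RE.search(line):
            reason = lines[i + 1].strip() if i + 1 < len(lines) else ""
            syntax_errors.append({"file": m["file"], "line": int(m["line"]), "reason": reason})
    return {
        "undefined_variables": undefined,
        "missing_docroots": missing_docroots,
        "syntax_errors": syntax_errors,
    }


def waf_start_blocked(summary: Dict[str, object]) -> bool:
    """Only AH00526 is fatal; undefined variables and missing DocumentRoots are warnings."""
    return bool(summary["syntax_errors"])


if __name__ == "__main__":
    result = triage_reverseproxy_log(SAMPLE_LOG)
    for err in result["syntax_errors"]:
        print(f"WAF blocked: {err['file']}:{err['line']} ({err['reason']})")
```

Pointing the script at the live log after a reboot gives the line number to inspect in /cfs/waf/reverseproxy.conf without reading through the repeated warnings.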

  • Additional info:

    The invalid crypto key line (#990 in the case above).
    It starts with "URLHardeningSignKey" and then comes a long UUID.

    This key is always the same for all rules.

    If I change the Protection Policy to "None" for the 5 rules, there is no "URLHardeningSignKey" in the whole configuration. Also the reverseproxy.conf is only half of the size.

    When I change back to the protection policies e.g. "Exchange General" and "Exchange AutoDiscover" and so on, it seems to write the exact same config again, with the same URLHardeningSignKey UUID.

    For me it seems some process is fiddling with the config, and inserting this URLHardeningSignKey at the wrong places - with working rule set and the policies applied, the URLHardeningSignKey is only found for Exchange General and Autodiscover rules. However after reboot this error is also reported for other rules.

  • Same issue here! Had to disable the Static URL hardening option in the Exchange protection policy to get WAF to start. 

  • Same here. How to proceed as a home user?

  • The reason for me turned out to be a corrupt configuration due to a defective memory module.

    Sophos Support did recreate the Signing Key on my installation, emmosophos took over the communication to the support guys.

    Otherwise I guess you must start over with a blank configuration/installation.
