General WAF understanding

Hi guys I have a general and maybe basic WAF / reverse proxy question:

I do use some ressources from WAN-side by setting up a "simple" Firewall and DNAT rule to port-forward these ressources.
Clients that match the firewall rule have access by calling a subdomain-hostname 'service.example.com' which is resolved to my public IP.
These connections are handled by an internal nginx depending on hostname.

I recently wanted to publish a dedicated ressource through the Sophos Firewal WAF where the matching criteria is one of my subdomain-hostnames.
The incoming traffic is handled by Sophos WAF depending on the called hostname and is to be forwarded to a specific itnternal port without passing the internal nginx.

Everything works fine so far since I set up the web server with specific protection policy in my firewall.

After that I noticed that I have several incoming requests visible in the log viewer category 'Web server protection' trying to call the public ip adress or a different subdomain which I didn't use for WAF in any kind...
Another thing I also tested is that when you trying to access either hostnames or public ip you don't run in timeouts (as it was before activating WAF) but receiving status code '403' visible as 'Forbidded - you don't have permission to access this ressource'.

Is there a way to block these kind of requests by default and only generally allow requests to specified hostnames declared in WAF rule?
Maybe I am too new to WAF/reverse proxy functionality at all - just wondering why WAF offers you such information when you trying to access any other ressources than these which are intended to be public??

Thanks in advance and sorry for the long introduction ;) 



Added TAGs
[edited by: emmosophos at 5:30 PM (GMT -7) on 5 Jul 2022]
  • Hello ,

    Thank you for reaching out to the community, for the unknow hots coming from the WAN, you can always create a drop action rule on the top of the WAF rule, it could be those set of Public IPs detected in the log viewer web protection or countries you want restrict. 

    Sophos Firewall: WAF troubleshooting - https://support.sophos.com/support/s/article/KB-000036242?language=en_US


    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek, thanks for your reply.

    I already put a country-blocking rule on top of my rule set.
    For those countries which are not blocked I dont want the reverse-proxy to answer queries on hostnames different from the hostname I explicitly allowed!

    E.g.: WAF rule exists for host1.example.com, hostname resolves on ip 1.2.3.4 - requests are handled by reverse-proxy/waf

    WAF rules does NOT exist for host2.example.com, hostname resolves on 1.2.3.4 - requests are blocked / running into a timeout as there is no waf rule existing

    Currently case 1 works, case 2 results in 403 from WAF.

    Is this 'normal' that other requests are handled by waf but running into 403 or am I able to block such requests on different hostnames with same public ip?

  • I think a timeout with a missing WAF rules isn't possible.

    As there are other possible connections at these IP too, the WAF has to answer the SYN packet and check the name/SNI within the following handshakes.
    Afterwards, the WAF has to send an errormessage if something is wrong.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • so the WAF is answering to connections although the hostname is not matching and drops the connection or giving errors?

    That's sad to hear ... Problem is that I used a DNAT rule before filtered by certain public IPs to have a mobile application connected to ressources in my network. When IP was not matching the requests ran into a timeout. Now requests are rejected since the hostname is not matching through reverse proxy and the app is crashing/logs me out.

    Any further ideas to solve?

  • possible you can use WAF with multiple ip's too.

    but before waf can check the hostname it has to accept the tcp-connection. so there is no timeout.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk, thanks for your explanation.
    Is there any viable way to skip requests to a specific ressource even if SYN packets are being not dropped in the first place?

    My problem here is similar to lki: One of my mobile apps tries to reach the public ip/hostname but since there is no WAF rule for that specific hostname the authentication runs into timeout and I am getting locked out from the app (can't use it in cache mode any longer).

  • no, the only option i know, is to use a different IP or Service.

    ... but btw ... why you have defined access within app/device and should not reach something?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Enabling WAF lets Sophos Firewall act as reverse proxy, that's clear so far!

    I configured specific IPs that are able to reach hostname1.xyz.com through DNAT rule. hostname1.xyz.com matches public IP.
    This service should be only available from specific sources and internal LAN since the dedicated services runs sensitive data!

    So that's why my goal is to only make hostname2.xyz.com (matched on same public IP as hostname1) available from WAN through WAF!

    I see no other way than deleting CNAMEs for my domain and enter them manually on these sides that should be able to reach the specific, sensitive data.