
Sophos XGS (19.0.1 MR-1-Build365) WAF different ports

Hello

I have configured a WAF Rule as following:


WAF #1 
WAN -> HTTPS Port 443 for domain xyz.xyz
Internal Web Server Port 443 

Everything works great, I can reach my internal web server via https://xyz.xyz

So I created a new rule as follows:

WAF #2: WAN -> HTTPS Port 8443 for domain abc.abc
internal Web Server Port 8443

When I want to open https://abc.abc:8443, I only get an error: connection refused.
But now I also get the same error with the first URL, https://xyz.xyz.

When I disable Rule #2, the first one works again.

What is wrong?



  • May want to ask on the XG forums.  You posted on UTM forums.  :)  

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi Jan Wippermann

    By default, 8443 is already used by the SSL VPN service running on Sophos XG.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, thanks for your answer.

    I have changed the rule #2 external port to 12389.

    Same error. When rule #2 is activated, none of the WAF rules work; every connection gets refused...

  • WAF only protects plain text (HTTP) and encrypted (HTTPS) servers with default ports 80 and 443.

    If you want to forward unknown ports, use DNAT with PAT.

    Refer to the link below for the DNAT and PAT settings to meet your requirement:

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html#specify-the-nat-rule-settings 

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Are you using the same interface on the firewall and just different hostnames/FQDNs resolving to the same WAN IP?

    If you do a packet capture on the firewall, does it hit on your alternative port? 


  • Hi

    Same WAN IP on the WAF rules. The packet capture does not show anything when rule 2 is active. Only when rule 2 is inactive does it show traffic for rule 1.

  • Hi

    I can't believe that the XGS WAF does not support other ports? Why can I change it? On my old UTM the WAF works with different ports...

  • Essentially it should work. But why do you not see the packets in the packet capture? This is the first part, which should show your connection regardless of the WAF rules. Packet capture is based on the interface level.


  • I had a mistake in capturing. Now the capture works, but the problem is still the same.

    rule#1 -> 

    Ethernet header
    Source MAC address:bc:x
    Destination MAC address: c8:x
    Ethernet type IPv4 (0x800)
     
    IPv4 Header
    Source IP address:185.x
    Destination IP address:94.x
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:27650
    Fragment offset:16384
    Time to live: 118
    Checksum: 39422
     
    TCP Header:
    Source port: 19637
    Destination port: 443
    Flags: SYN
    Sequence number: 1508870166
    Acknowledgement number: 0
    Window: 64240
    Checksum: 17658
    

    is consumed by rule 15 (this is WAF rule #1). Same when rule #2 is active.

    rule#2 ->

    Ethernet header
    Source MAC address:bc:x
    Destination MAC address: c8:x
    Ethernet type IPv4 (0x800)
     
    IPv4 Header
    Source IP address:185.x
    Destination IP address:94.x
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:27693
    Fragment offset:16384
    Time to live: 118
    Checksum: 39379
     
    TCP Header:
    Source port: 1069
    Destination port: 12389
    Flags: SYN
    Sequence number: 507478842
    Acknowledgement number: 0
    Window: 64240
    Checksum: 40804

    is consumed by rule 25 (default drop). WHY?!?
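The two captures above are the kind of output a defender has to triage when a published service lands on the default-drop rule. As an added example (not from this thread, from Sophos, or from the firewall itself), the Python below parses the capture text in the format shown in the post, tells you whether the SYN is headed for a configured WAF listener, and pre-checks planned WAF listen ports against ports the firewall's own services already occupy. The only reserved port it knows is 8443, because that is the one named in this thread; the sample addresses and the host-to-port mapping are constructed placeholders, not data from the thread.

```python
"""Triage helper for Sophos-style packet-capture text and WAF listen ports.

Added example. It assumes the field labels used in the captures posted in
the thread ("Destination IP address:", "Destination port:", "Flags:") and
nothing about the firewall's internals.
"""
import re

# Constructed sample captures, shaped like the two posted above but with
# documentation addresses instead of the redacted "185.x" / "94.x" values.
CAPTURE_RULE1 = """\
IPv4 Header
Source IP address:198.51.100.10
Destination IP address:203.0.113.20
protocol: TCP
TCP Header:
Source port: 19637
Destination port: 443
Flags: SYN
"""

CAPTURE_RULE2 = """\
IPv4 Header
Source IP address:198.51.100.10
Destination IP address:203.0.113.20
protocol: TCP
TCP Header:
Source port: 1069
Destination port: 12389
Flags: SYN
"""

# One regex per field; "IP address" keeps the MAC lines from matching.
FIELD_RE = {
    "src_ip": r"Source IP address:\s*(\S+)",
    "dst_ip": r"Destination IP address:\s*(\S+)",
    "protocol": r"protocol:\s*(\S+)",
    "src_port": r"Source port:\s*(\d+)",
    "dst_port": r"Destination port:\s*(\d+)",
    "flags": r"Flags:\s*(\S+)",
}

# Ports already taken by firewall services. Only 8443 is listed because the
# thread names it as the SSL VPN port; anything further would be an assumption.
RESERVED_PORTS = {8443: "SSL VPN service (per this thread)"}


def parse_capture(text: str) -> dict:
    """Extract addresses, ports and flags from one capture block."""
    packet = {}
    for key, pattern in FIELD_RE.items():
        match = re.search(pattern, text, re.IGNORECASE)
        if match is None:
            raise ValueError(f"field {key!r} missing from capture text")
        value = match.group(1)
        packet[key] = int(value) if key.endswith("_port") else value
    return packet


def check_waf_ports(waf_ports: dict, reserved: dict = RESERVED_PORTS) -> list:
    """Return one warning per planned WAF listen port that collides with a
    reserved service port. An empty list means no collision was found."""
    return [
        f"port {port} for {host} collides with {reserved[port]}"
        for port, host in sorted(waf_ports.items())
        if port in reserved
    ]


def classify_syn(packet: dict, waf_ports: dict,
                 reserved: dict = RESERVED_PORTS) -> str:
    """Say which listener, if any, a captured TCP SYN should reach."""
    if packet["protocol"].upper() != "TCP" or "SYN" not in packet["flags"].upper():
        return "not-a-tcp-syn"
    port = packet["dst_port"]
    if port in reserved:
        return f"reserved:{reserved[port]}"
    if port in waf_ports:
        return f"waf:{waf_ports[port]}"
    return "no-listener"


if __name__ == "__main__":
    # Constructed mapping of WAF listen port -> published hostname.
    planned = {443: "xyz.xyz", 8443: "abc.abc"}
    for warning in check_waf_ports(planned):
        print("WARNING:", warning)
    live = {443: "xyz.xyz"}  # what is actually answering, per the thread
    for text in (CAPTURE_RULE1, CAPTURE_RULE2):
        pkt = parse_capture(text)
        print(pkt["dst_ip"], pkt["dst_port"], "->", classify_syn(pkt, live))
```

Run it as a script and it warns about the original 8443 plan and shows the second SYN as "no-listener", which is the state the thread describes even after the port was moved to 12389; the helper does not explain why the configured rule is not answering, it only narrows the question to the listener.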

  • Just to be sure: you are using https://hostname:12389, not http://?

    Could you check /log/reverseproxy.log and see if there is any kind of "Invalid encryption key" message.
