Sophos XGS (19.0.1 MR-1-Build365) WAF different ports

Hello

I have configured a WAF rule as follows:


WAF #1 
WAN -> HTTPS Port 443 for domain xyz.xyz
Internal Web Server Port 443 

Everything works great; I can reach my internal web server via https://xyz.xyz

So I created a new rule as follows:

WAF #2: WAN -> HTTPS Port 8443 for domain abc.abc
Internal Web Server Port 8443

When I want to open https://abc.abc:8443 I only get the error "connection refused".
But now I also get the same error with the first URL, https://xyz.xyz.

If I disable Rule #2, the first one works again.

What is wrong?

  • Are you using the same interface on the firewall and just different hostnames/FQDNs resolving to the same WAN IP?

    If you do a packet capture on the firewall, does it hit on your alternative port? 


  • Hi

    Same WAN IP on the WAF rules. The packet capture does not show anything when rule 2 is active; only when rule 2 is inactive does it show traffic for rule 1.

  • Essentially it should work. But why do you not see the packets in the packet capture? This is the first part, which should show your connection regardless of the WAF rules. Packet capture is based on the interface level.

  • I made a mistake while capturing. Now the capture works, but the problem is still the same.

    Rule #1 ->

    Ethernet header
    Source MAC address:bc:x
    Destination MAC address: c8:x
    Ethernet type IPv4 (0x800)
     
    IPv4 Header
    Source IP address:185.x
    Destination IP address:94.x
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:27650
    Fragment offset:16384
    Time to live: 118
    Checksum: 39422
     
    TCP Header:
    Source port: 19637
    Destination port: 443
    Flags: SYN
    Sequence number: 1508870166
    Acknowledgement number: 0
    Window: 64240
    Checksum: 17658
    


    is consumed by rule 15 (this is WAF rule #1). Same when rule 2 is active.

    Rule #2 ->

    Ethernet header
    Source MAC address:bc:x
    Destination MAC address: c8:x
    Ethernet type IPv4 (0x800)
     
    IPv4 Header
    Source IP address:185.x
    Destination IP address:94.x
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:27693
    Fragment offset:16384
    Time to live: 118
    Checksum: 39379
     
    TCP Header:
    Source port: 1069
    Destination port: 12389
    Flags: SYN
    Sequence number: 507478842
    Acknowledgement number: 0
    Window: 64240
    Checksum: 40804

    is consumed by rule 25 (default drop). WHY?!?

  • Just to be sure: you are using https://hostname:12389, not http://?

    Could you check /log/reverseproxy.log to see whether there is any kind of "Invalid encryption key" message.


  • Hi, it is https://

    I found the problem, but I don't know how this can happen.

    In /log/reverseproxy.log (can I access this only over SSH?) I found the following:

    [Tue Aug 30 09:52:24.597108 2022] [ssl:emerg] [pid 4716:tid 140673883045568] AH02565: Certificate and private key abc.abc:12389:0 from /conf/certificate/abc.abc.pem and /conf/certificate/private/abc.abc.key do not match
    AH00016: Configuration Failed

    This repeats every few seconds, so I believe that's the reason why no site works.

    After re-uploading the same PEM & key file via the web interface, rule 2 works...

    That is confusing. Thank you for your help!
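The AH02565 line quoted above is the WAF's httpd refusing to start because the certificate and private key stored for one virtual host do not belong together; the AH00016 "Configuration Failed" that follows it means the whole reverse proxy stays down, and since every WAF rule on the box is served by that same reverse proxy, a bad key pair for abc.abc also explains why xyz.xyz stopped answering the moment rule 2 was enabled. The script below is an added example, not code from the thread or from Sophos: a POSIX shell script using the openssl CLI that makes the same comparison httpd makes (public key inside the certificate versus the public half of the private key) and pulls the file pairs out of AH02565 lines so each can be checked. The key pair, the unrelated key and the log excerpt it uses are all constructed in a temporary directory for the demo; only the log line format is taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Needs the openssl CLI.
# Everything it reads is generated below under a temporary directory.

# Hex-dump stdin (od is POSIX, so this also works where sha256sum is absent).
der_hex() { od -An -v -tx1 | tr -d ' \n'; }

# cert_key_match CERT.pem KEY.pem
# Succeeds only when the public key embedded in the certificate is byte-for-byte
# the public half of the private key; this is the relationship AH02565 reports
# as broken. Works for RSA and EC keys alike because it compares DER SPKI blobs.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | der_hex)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | der_hex)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# ah02565_pairs LOGFILE
# Prints "vhost cert_path key_path" for every AH02565 line in an httpd error log.
ah02565_pairs() {
    sed -n 's/.*AH02565: Certificate and private key \([^ ]*\) from \([^ ]*\) and \([^ ]*\) do not match.*/\1 \2 \3/p' "$1"
}

# check_pairs LOGFILE
# Re-checks every pair AH02565 names and prints one verdict per line. Paths are
# taken verbatim from the log, so run it where those paths exist (on the
# appliance shell for /conf/certificate/... paths).
check_pairs() {
    ah02565_pairs "$1" | while read -r vhost cert key; do
        if cert_key_match "$cert" "$key"; then
            echo "$vhost: MATCH ($cert / $key)"
        else
            echo "$vhost: MISMATCH ($cert / $key)"
        fi
    done
}

# --- demo material, constructed here; nothing below is a real appliance file ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Matching pair: self-signed certificate for abc.abc and the key it was made with.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=abc.abc" \
    -keyout "$demo/abc.key" -out "$demo/abc.pem" >/dev/null 2>&1
# Unrelated key, standing in for a key file that no longer belongs to the cert.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/other.key" >/dev/null 2>&1

# Constructed log excerpt in the format quoted in the thread, pointing at the
# demo files instead of /conf/certificate/... so the check can run anywhere.
cat >"$demo/reverseproxy.log" <<EOF
[Tue Aug 30 09:52:24.597108 2022] [ssl:emerg] [pid 4716:tid 140673883045568] AH02565: Certificate and private key abc.abc:12389:0 from $demo/abc.pem and $demo/other.key do not match
AH00016: Configuration Failed
EOF

echo "abc.pem vs abc.key:   $(cert_key_match "$demo/abc.pem" "$demo/abc.key" && echo match || echo MISMATCH)"
echo "abc.pem vs other.key: $(cert_key_match "$demo/abc.pem" "$demo/other.key" && echo match || echo MISMATCH)"
check_pairs "$demo/reverseproxy.log"
```

On a real box the interesting call is `check_pairs /log/reverseproxy.log` from the advanced shell: a MISMATCH there, for a pair the web UI shows as fine, points at stale or half-written files under /conf/certificate, which re-uploading the PEM and key (as the poster did) rewrites.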