
Is it possible to combine SFOS WAF with the built-in OTP / MFA function?

I found some old posts (>2y ago) about the XG WAF module not supporting MFA authentication for a webservice.

Has this changed since? We want to use MFA before using on-prem Exchange OWA.

Many internal users already have a Sophos MFA token and it would be nice to use that second factor also for WAF services.



  • Interesting that you bring this up; just had a customer ask us about this, and after talking with our channel SE, it appears this is not a current feature in SFOS.  Apparently there is mention of it in the dev plan, but no ETA.

    Of course they suggested ZTNA -- which for 90% of my customers, including this one, is not a fit as they still do not support on-prem AD.  If you have Azure AD, this may be an option for you.

    That, or you can use a 3rd party RADIUS-based solution, etc. to control MFA in conjunction with WAF.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • That, or you can use a 3rd party RADIUS-based solution, etc. to control MFA in conjunction with WAF.

    That's what we did already, using Challenge-Response with LinOTP and Loadmaster in between that supports dual-factor auth. That also brings some additional account lockout features as well, that wouldn't have been there otherwise.

    Wondering that Sophos Staff was not able to tell some (negative) details here.

    XG WAF is of almost no use.

  • SFOS does not support MFA from the Firewall itself.

    We could do it with Azure AD + ZTNA (for https) and the OWA, if you want to integrate it like that. 
