Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 39 subscribers
  • Views 4766 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF rules and IIS redirects with trailing slashes

Martijn Bouman

Situation.

We have a WAF rule with several test sites in the domains list. Example below.

test1.testurl.com

test2.testurl.com

test3.testurl.com

test4.testurl.com

These all point to one IIS. On the IIS these are all separate sites.

When we request an url to a directory on one of those sites and we do not add the trailing slash, IIS will, by default, if the Directory exists on the webserver, send a 301 redirect back to the firewall, and adds a slash, telling the firewall to check the url with the slash behind it. It probably sends the relative pad back to the firewall.

We would expect that the firewall then opens that same URL with the slash added.

However. The firewall does not do that.

When we request test4.testurl.com/NL we would expect the firewall to then request test4.testurl.com/NL/

However, the firewall opens test1.testurl.com/NL/

If we change the order of the WAF rules it will always opens the top one in the domains list. Why does this happen?



This thread was automatically locked due to age.
  • 0

    I have found out today that it has to do with the webserver, IIS, sending a courtesy 301 redirect. 

    It detects that the directory exists, and then sends it back to the firewall. The firewall then interprets this redirect incorrectly and changes the url.

Unfiltered HTML