Web Server Protection stopped working

Hello guys!

I have a home server running a few services on port 80 and 2-3 other ports.

I also have dyndns (3 hostnames) and have been using WAF to connect to those 3 services without the need to enter a port in the URL.

(There are also a couple of other services that are accessed by using the port in the url)

Finally, there is also a 4th dyndns hostname that accesses a different machine on port 80.

Only the first dyndns (port 80) is really in use, the other three are mostly for testing.

Yesterday I tried to enter this first one on port 80 and could not connect.

I also tried accessing the 4th which is also using port 80 and could not connect either.

I initially thought that perhaps something had happened with my ISP (started blocking port 80 or something like that), mainly because another service which is on a different port could be accessed normally using the port in the URL.

But then I noticed that the other 3 dyndns hostnames were also returning an error when trying to connect (2 of which are not using port 80).

So I finally realized that "port forwarding" works as it should, however all WAF connections do not.

Please keep in mind that I haven't changed anything in the firewall configuration lately.. 

In the afternoon I also reverted to a week-old backup, just in case, but I got the same results.

So I can't really understand what has happened.

Do you have any advice regarding where I can check in order to understand what went wrong and why the WAF rules stopped working?

Thanks!



Edited TAGs to Home/v20
[edited by: Erick Jan at 8:38 AM (GMT -8) on 12 Feb 2024]
  • Hi,

    Please advise which version of XG firmware you are running. Possibly one of the patterns updated and is causing you an issue. What do the logviewer reports show as happening to the traffic?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Ian!

    Yep, sorry, I should have mentioned my XG version in the original post.. It is the latest version SFVH (SFOS 20.0.0 GA-Build222)

    Regarding the log, I pulled up the web server protection log and the last log line is from the day before yesterday (2024-02-07 21:58:40)

    No log entry since that time... 

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)

  • Hi ChriZathens 

    Please check and verify traffic flow under MONITOR & ANALYZE || Diagnostics || Packet Capture passing from the same WAF firewall rule.

    Run the command: tail -f /log/reverseproxy.log from CLI option 5>3

    Can you see a hit on the WAF firewall rule? If not, disable the same firewall rule, re-create the WAF rule and post the rule here.

    Source link : Sophos Firewall: WAF troubleshooting scenarios

    Regards

    "Sophos Partner: InfrassistTechnologies Pvt Ltd".

    I think I am a bit lost, sorry... Where is Monitor and Analyze?

    The command from the console returns the following repeatedly even when not trying to access one hostname

    [Fri Feb 09 14:32:06.037912 2024] [core:warn] [pid 29786:tid 140311307505344] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined

    EDIT: Thanks a lot for trying to help

    I will read the troubleshooting scenarios, try to do what it says and get back here

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)
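
One way to read the output of the `tail` command above, as an added example that is not part of the thread: it collapses an Apache-style error log into counts so a repeated warning appears once and any other entry stands out. The function names, the `example:error` line and the code `AH99999` are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise an Apache-style error log so that a repeated
# warning shows up as one count and any other entry stands out.
# Line shape (as in the line quoted above):
#   [timestamp] [module:level] [pid N:tid M] AHnnnnn: message

# summarise_errlog [FILE...] -> "count module:level AHcode", most frequent first
summarise_errlog() {
    awk '
    {
        lvl = "unparsed"; code = "-"
        # "] [core:warn] " -> core:warn (the pid field contains a space, so it cannot match)
        if (match($0, /\] \[[A-Za-z0-9_]+:[a-z0-9]+\] /))
            lvl = substr($0, RSTART + 3, RLENGTH - 5)
        # "AH00111:" -> AH00111
        if (match($0, /AH[0-9]+:/))
            code = substr($0, RSTART, RLENGTH - 1)
        n[lvl " " code]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# drop_code CODE [FILE...] -> only the lines that do NOT carry that AH code
drop_code() {
    code=$1; shift
    awk -v c="$code:" 'index($0, c) == 0' "$@"
}

# Sample input: the first line is the one quoted in the post, the other
# three are constructed (AH99999 is a placeholder, not a real Apache code).
sample_log() {
    cat <<'EOF'
[Fri Feb 09 14:32:06.037912 2024] [core:warn] [pid 29786:tid 140311307505344] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
[Fri Feb 09 14:32:07.041100 2024] [core:warn] [pid 29786:tid 140311307505344] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
[Fri Feb 09 14:32:08.044500 2024] [core:warn] [pid 29786:tid 140311307505344] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
[Fri Feb 09 14:32:09.000000 2024] [example:error] [pid 29786:tid 140311307505344] AH99999: constructed sample entry
EOF
}

sample_log | summarise_errlog
```

The same functions accept a file argument, for instance `/log/reverseproxy.log`; that `awk` and `sort` are available on the firewall's shell is an assumption.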

  • Click on Configure and add the string as

    host <destination IP> and port 80

    or 

    host <example.com> and port 80

    Please go to SYSTEM--->Backup and Firmware--->Firmware and share the screenshot here. It seems there is no in and out traffic for the WAF rule, can you confirm?

    Regards

    "Sophos Partner: InfrassistTechnologies Pvt Ltd".

  • Hello again guys!

    I finally found where the problem was..

    I searched the web servers and found all the rules those servers were included in.

    And I found a couple of orphaned NAT entries that were the cause of the issue. After deleting them everything started working again as it should. The strange thing is that until 3 days ago all was working and suddenly it stopped.. Anyway, since it is working now, all is good.

    I would like to thank you very much for trying to help me and especially   you even jumped in to offer help via a remote session.

    Have a great day!

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)
