Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 2 answers
  • Subscribers 41 subscribers
  • Views 4162 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Server Protection stopped working

ChriZathens

Hello guys!

I have a home server running a few services on port 80 and 2-3 other ports

I also have dyndns (3 hostnames)  and have been using waf to connect to those 3 services without the need to enter a port in the url

(There are also a couple of other services that are accessed by using the port in the url)

Finally, there is also a 4th dyndns hostname that accesses a different machine in port 80

Only the first dyndns (port 80) is really in use, the other three are  mostly for testing.

Yesterday I tried to enter this first one on port 80 and could not connect.

I also tried accessing the 4th which is also using port 80 and could not connect either.

I initially thought that perhaps something happened with my isp (started blocking port 80 or something like that), mainly because another service which is on a different port could be accessed normally using the port in the url

But then I noticed that the other 3 dyndns hostnames were also returning an error when trying to connect (which 2 of them are not using port 80)

So finally realized that "port forwarding" works as it should, however all waf connections do not.

Please keep in mind that I haven't changed anything in the firewall configuration lately.. 

In the afternoon I also reverted to a week old backup, just in case, but I got the same results

 So I can't really understand what has happened.

Do you have any advice regarding where I can check in order to understand what went wrong and waf rules stoppped working?

Thanks!



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    please advise which version of XG firmware you are running? Possibly one of the patterns updated and is causing you an issue. What do th elogviewer reports show as happening to the traffic?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hello Ian!

    Yeap, sorry should have mentioned my XG version in the original post.. It is the latest version SFVH (SFOS 20.0.0 GA-Build222)

    Regarding the log, I pulled up the web server protection log and the last log line is from the day before yesterday (2024-02-07 21:58:40)

    No log entry since that time... 

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)
  • 0 in reply to ChriZathens

    Hi ChriZathens 

    Please check and verify traffic flow under MONITOR & ANALYZE || Diagnostics || Packet Capture passing from the same WAF firewall rule.

    Run the command: tail -f /log/reverseproxy.log from CLI option 5>3

    Can you see hit on WAF firewall rule if no, disable the same firewal rule and re creat WAF rule and post the the rule here.

    Source link : Sophos Firewall: WAF troubleshooting scenarios

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    I thing I am a bit lost, sorry... Where is monitor and Analyze?

    The command from the console returns the following repeatedly even when not trying to access one hostname

    [Fri Feb 09 14:32:06.037912 2024] [core:warn] [pid 29786:tid 140311307505344] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined

    EDIT: Thanks a lot for trying to help

    I will read the troubleshooting scenarios, try to do what it says and get back here

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)
  • 0 in reply to ChriZathens

    Click on configure and add string as 

    host <destination IP> and port 80

    or 

    host <example.com> and port 80

    Please go to SYSTEM--->Backup and Firmware--->Firmware and share the screenshot here,it seems no in and out traffic for WAF rule can you confirm ?

    Regards

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    Hello again guys!

    I finally found where the problem was..

    I searched the webservers and found all the rules those servers were included into.

    And I found a couple of orphaned NAT entries that were the cause of the issue. After deleting them everything started working again as it should. The strange thing is that until 3 days all was working and suddenly it stopped.. Anyway, since it is working now, all is good.

    I would like to thank you very much for trying to help me and especially   you even jumped in to offer help via a remote session.

    Have a great day!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)
Reply
  • 0 in reply to Bharat J

    Hello again guys!

    I finally found where the problem was..

    I searched the webservers and found all the rules those servers were included into.

    And I found a couple of orphaned NAT entries that were the cause of the issue. After deleting them everything started working again as it should. The strange thing is that until 3 days all was working and suddenly it stopped.. Anyway, since it is working now, all is good.

    I would like to thank you very much for trying to help me and especially   you even jumped in to offer help via a remote session.

    Have a great day!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)
Children
No Data
Unfiltered HTML