
WAF for multiple ports

G'day

Needed to forward 25 ports to a webserver using WAF. I can't for the life of me work out how to enter more than one port in either. Surely I don't need to create 25 web server and 25 WAF rules?

Anyone done this before?



  • Hey  ,

    Thank you for reaching out to the community, this is currently a feature request - SFSW-I-1910.

    I'd recommend you reach out to your Account Manager, Sales Engineer, or Sales Representative so that they can help link the feature request to your account in our system. You can also log a support case so that our support representative can help link that FR to the account.

    Additionally, you can use the in-product feedback in the Sophos Firewall located in the Top Menu Bar.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • So it's not possible. I have to create 25 web servers and 25 WAF rules. Terrific.

    Sophos don't deliver on feature requests, or listen to partners; they never have. They even shut down the feature request forum. NTP server was the most popular requested feature, with more than a thousand partner votes. Still waiting. Can't even group NAT rules still.

  • Why do you want to build an NTP server in SFOS? What is the benefit compared to a NAT approach, which can load IPS patterns as well and force clients to use your NTP server?

    Additionally: an NTP server means a public server on the firewall, which needs more hardening etc., for a feature which you can simply build with one NAT rule.

    You could point your NAT at your internal AD server with NTP installed as well; it will bring the same feature.


  • Sounds like the discussion Sophos should have had with those 1000+ partners that wanted it (I wasn't one of them), instead of not replying to the thread for 4+ years and then shutting down the whole board.

    Instead of engaging with partners and working together, Sophos Firewall team just do whatever they want. So no point putting in a suggestion. Other Sophos product teams are excellent and have worked with partners to create a much better product.

  • So I had this discussion with multiple partners in DACH.
    Ideas.sophos.com was an "open space", so everybody could vote (multiple votes). This means everybody with a Sophos ID (not even related to a Sophos customer; every home user) could vote for a feature. It was not reflecting the market or the demand of customers.

    I am here to gather feedback: if you have an edge case where an NTP server could be interesting within the world of SFOS, we are glad to hear it. By now, the only feedback we got about NTP is the case where you use a DNAT workaround to a server and the server is not reachable. In times of multiple WAN connections, this scenario is unlikely, and even if this is a concern for your NTP setup, you could move to a local AD server.

    BTW: using an NTP DNAT reflects the feature 100% transparently, just like an NTP server would. So the client does not notice that SFOS is not even an NTP server.


  • As I mentioned, I wasn't one of the people who needed an NTP server, I have no idea why that was the #1 item people requested, and I don't know why people would have needed it. I was merely making a point that Sophos Firewall product team doesn't listen to suggestions. None of the feature suggestions I made in that forum have been implemented. Not that I can even remember the issues I raised now because it was all just deleted.

    NAT rules were decoupled in Cyberoam. Sophos took over and put them all in one firewall rule, removing functionality. Then you decided we shouldn't have done that and went back to decoupling NAT rules in version 18. Here we are in version 20, STILL unable to group NAT rules. WAF has been around forever and a day and still only supports a single port. Switching an interface to NONE still deletes all the associated firewall and NAT rules that are linked to that interface instead of simply disabling them, or even warning you that there are linked rules that will be deleted. These are incredibly basic, rudimentary features that affect day-to-day management of the firewall. If I have a Sophos Central customer that has active firewall licensing but no other Sophos products, they don't even appear in the console and are hidden. There are many more examples. Why aren't these a priority? Sophos FW is a great product, but some of the basic features that haven't been implemented after 8+ years are far more important than some of the other stuff that's been developed.

    Why didn't you just lock the forum down to partners instead? Where can partners get a list of the current feature requests? What is the priority level on these feature requests? Why aren't partners involved directly in focus groups with Sophos to work with them to develop the product together in a partnership? When was SFSW-I-1910 first logged? How am I even meant to know that feature request exists? How can I add my support/priority towards it? What's the status? When's it going to be delivered? What's the roadmap? Partners should be consulted on what is important to them. Every time I log a support case about a missing feature, or something that's annoying, the response is always "that's by design". My account manager barely responds to emails.

    This isn't a Sophos problem; this is a Firewall product team problem. Other product teams are brilliant in their interaction with partners and actively work with them to develop features and make their products better and meet the expectations of partners.

  • This is not possible. As confirmed by Sophos, if you want to forward 25 ports to a webserver, you need to create 25 WAF rules and 25 web server instances to the same server.