Sophos Firewall - WAF response 403 Forbidden for Internal requests

Hello Sophos Community,

We are migrating from a UTM 9 unit to a new Sophos Firewall unit and I've set up a WAF rule for two internal web servers. When setting up the firewall rule, I chose the Action dropdown option of "Protect with web server protection". I have added both "real" web servers and copied the configuration from what we have set up in the UTM 9 unit (i.e. listening port, Redirect HTTP, Pass host header, etc.)... everything was copied to be the same as we have set up in the UTM 9 system.

I'll use the domain www.example.com as the sample domain name here; from my LAN (internal network) computer, this domain name resolves to the same public IP address as defined in DNS on the WAN side (i.e. "nslookup" from both external WAN clients and my internal LAN client returns the same public IP address). I am able to access the virtual host WAF domain name from a WAN (external) client without any problems; the web page loads and it would appear that the WAF is working correctly. However, when I try accessing the domain from a LAN client I get a "403 Forbidden" response in the browser. Looking at the Sophos Firewall Logs page for "Web server protection", I'm seeing the firewall is returning valid 200 responses for requests from an external source IP/name, but returning 403 responses for requests from our internal LAN subnets.

Below is a screenshot of the "Web server protection" logs; the red-circled responses are the 403 Forbidden responses I'm getting from my internal LAN computer. Why would the WAF be returning 403 for internal client requests? I can't figure out what I've done wrong with the configuration in the new Sophos Firewall unit.

Thanks in advance for any help!



[edited by: Erick Jan at 7:55 AM (GMT -7) on 25 Apr 2024]
  • Hi,

    Thank you for reaching out to the community; please refer to the following useful KBAs:
    1.) 403 forbidden detections.
    2.) WAF troubleshooting scenarios.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for posting these KBA links Vivek.

    I tried the option of tailing the reverse proxy log to try and capture any errors. I was able to capture the following log lines immediately after making a connection attempt to the WAF-protected domain from my internal LAN client.

    The logs seem to indicate the following issue: AH01630: client denied by server configuration: proxy:balancer://611f5a0dc89ff6797ef98e2cf59c24af/

    [Thu Apr 25 23:56:51.688378 2024] [authz_core:error] [pid 13483:tid 140015396878080] [client 192.168.2.23:61133] AH01630: client denied by server configuration: proxy:balancer://611f5a0dc89ff6797ef98e2cf59c24af/

    [Thu Apr 25 23:56:51.687851 2024] timestamp="1714089411" srcip="192.168.2.23" localip="35.34.33.32" user="-" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" duration="994" url="/" server="www.example.com" referer="-" cookie="wfx_unq=MHsJtyXbMXiJypTH" set-cookie="-" recvbytes="2669" sentbytes="586" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (WindowsNT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="17"

    As a test, I added my internal LAN network in the "Allowed client networks" configuration for the WAF rule (screenshot below), but that didn't help. Logging still shows the "client denied by server configuration" messages.
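As an added example (not code from the thread, from Sophos, or from any of the posters): a small Python parser for the two reverse-proxy log record types quoted above, the Apache-style `[authz_core:error] ... AH01630` line and the `key="value"` access record. It counts responses by status code and by whether the source IP falls in the internal subnet the thread names (192.168.2.0/24), and lists internal clients that hit "client denied by server configuration". The sample log embeds the two lines quoted in the thread, re-joined onto single lines with the user agent shortened, plus one constructed 200 response from a made-up external client 198.51.100.7 (documentation address range, not a real host).

```python
import ipaddress
import re
from collections import Counter

# Internal subnet taken from the thread (the poster's client VLAN); anything
# outside it is treated as "external". Adjust to your own LAN ranges.
INTERNAL_NETS = [ipaddress.ip_network("192.168.2.0/24")]

# Constructed sample: the two records quoted in the thread (joined onto single
# lines, user agent shortened, cookie blanked) plus a constructed 200 response
# from the made-up external client 198.51.100.7.
SAMPLE_LOG = """\
[Thu Apr 25 23:56:51.688378 2024] [authz_core:error] [pid 13483:tid 140015396878080] [client 192.168.2.23:61133] AH01630: client denied by server configuration: proxy:balancer://611f5a0dc89ff6797ef98e2cf59c24af/
[Thu Apr 25 23:56:51.687851 2024] timestamp="1714089411" srcip="192.168.2.23" localip="35.34.33.32" user="-" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" duration="994" url="/" server="www.example.com" referer="-" cookie="-" set-cookie="-" recvbytes="2669" sentbytes="586" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0" querystring="" ruleid="17"
[Thu Apr 25 23:57:02.101000 2024] timestamp="1714089422" srcip="198.51.100.7" localip="35.34.33.32" user="-" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" duration="120" url="/" server="www.example.com" referer="-" cookie="-" set-cookie="-" recvbytes="900" sentbytes="5120" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0" querystring="" ruleid="17"
"""

_TS_RE = re.compile(r'^\[([^\]]+)\]\s*(.*)$')          # leading [timestamp]
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')             # key="value" pairs
_ERR_RE = re.compile(r'\[client ([\d.]+):(\d+)\]\s+(AH\d+):\s*(.*)$')


def classify_ip(ip: str) -> str:
    """Return 'internal' if ip is inside INTERNAL_NETS, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse_line(line: str):
    """Parse one reverse-proxy log line into a dict, or None if unrecognised.

    Handles the key="value" access record ('kind': 'access') and the
    Apache-style AHxxxxx error message ('kind': 'error').
    """
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    err = _ERR_RE.search(rest)
    if err:
        client, port, code, msg = err.groups()
        return {"kind": "error", "ts": ts, "srcip": client,
                "srcport": int(port), "code": code, "message": msg}
    fields = dict(_KV_RE.findall(rest))
    if "srcip" not in fields or "statuscode" not in fields:
        return None
    fields.update({"kind": "access", "ts": ts})
    return fields


def summarize(log_text: str) -> Counter:
    """Count access records by (status code, internal/external source)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "access":
            counts[(rec["statuscode"], classify_ip(rec["srcip"]))] += 1
    return counts


def denied_internal_clients(log_text: str) -> set:
    """Internal source IPs that triggered an AH01630 'client denied' error.

    A non-empty set reproduces the symptom described in the thread: the WAF
    virtual host answering 403 only to clients on the internal subnet.
    """
    denied = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["kind"] == "error" and rec["code"] == "AH01630"
                and classify_ip(rec["srcip"]) == "internal"):
            denied.add(rec["srcip"])
    return denied


if __name__ == "__main__":
    for (status, where), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"status={status} source={where} count={n}")
    print("internal clients denied by server configuration:",
          sorted(denied_internal_clients(SAMPLE_LOG)))
```

Feed it the output of tailing the reverse proxy log (e.g. read the file and pass its contents to `summarize`); a split such as 403s only from `internal` sources and 200s only from `external` ones narrows the problem to the path internal requests take to the virtual host rather than to the backend web server.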

  • How would the internal address arrive on the external interface?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I have a NAT rule defined as follows:

    Original source == internal 192.168.2.0/24 network, Original destination == Any, Original service == Any
    Translated source == our WAN public IP (which is 35.34.33.30, different from 35.34.33.32 for the web servers), Translated destination == Original, Translated service == Original
    Inbound Interface == VLAN Interface 192.168.2.254/24, Outbound Interface == Hardware Port 2 which has our ISP connected 35.34.33.30/24

    There is also a firewall rule allowing inter-VLAN traffic (i.e. traffic from my client VLAN to the VLAN running the web servers).

    Am I missing something in the above setup? Or do I have something wrong?

  • Hi,

    I am guessing here, but suspect you will need a NAT to allow your internal devices access to the web server IP.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hey Ian,

    That could be - I had thought it was configured with the above NAT rule that I showed, but if there is a different one required, would you have an example of what to set? Taking my above NAT rule as a template, what should be defined for Original source/dest/service, for Translated source/dest/service, and for the Inbound/Outbound interfaces?

    I'm not sure what I would add. Could you provide an example of what the NAT rule would be for internal clients on 192.168.2.0/24 to access a WAF on 35.34.33.32?

    Thanks,