
Sophos Firewall - WAF response 403 Forbidden for Internal requests

Hello Sophos Community,

We are migrating from a UTM 9 unit to a new Sophos Firewall unit and I've set up a WAF rule for two internal web servers.  When setting up the firewall rule, I chose the Action dropdown option of "Protect with web server protection".  I have added both "real" web servers and copied the configuration from what we have set up in the UTM 9 unit (i.e. listening port, Redirect HTTP, Pass host header, etc.); everything was copied to be the same as we have set up in the UTM 9 system.

I'll use the domain as the sample domain name here; from my LAN (internal network) computer, this domain name resolves to the same public IP address as defined in DNS on the WAN side (i.e. "nslookup" from both external WAN clients and my internal LAN client returns the same public IP address).  I am able to access the virtual host WAF domain name from a WAN (external) client without any problems; the web page loads and it would appear that the WAF is working correctly.  However, when I try accessing the domain from a LAN client I get a "403 Forbidden" response in the browser.  Looking at the Sophos Firewall Logs page for "Web server protection", I'm seeing that the firewall is returning valid 200 responses for requests from an external source IP/name, but returning 403 responses for requests from our internal LAN subnets.

Below is a screenshot of the "Web server protection" logs; the red circled responses are the 403 Forbidden responses I'm getting from my internal LAN computer.  Why would the WAF be returning 403 for internal client requests?  I can't figure out what I've done wrong with the configuration in the new Sophos Firewall unit.

Thanks in advance for any help!

[edited by: Erick Jan at 7:55 AM (GMT -7) on 25 Apr 2024]
  • So wanted to come back and post the solution to my WAF problem here, and my frustration with this new SFOS UI.

    I ended up speaking with a Sophos Support Engineer, and through our testing we discovered that the checkbox "Block connections from IP's with an unknown country origin" was blocking my internal client requests.  This makes absolutely no sense to me, as internal LAN IP ranges (such as 192.168.x.x or 172.16.x.x) should not be part of the Country Blocking feature... why would anyone even consider that their internal LAN IP range would be checked against Country Blocking rules?  I now have to have this checkbox turned off, otherwise my internal LAN clients cannot connect to WAF-protected web services via the public domain name.  (And for WAN security reasons, I wish I could have this checkbox turned on.)

    So if anyone else is experiencing trouble with internal clients accessing WAF-protected services using public IP resolution from a domain name, double-check that you don't have the "Block connections from IP's with an unknown country origin" checkbox enabled on the WAF configuration page!
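As an added illustration of the failure mode described in the post above (example code written for this page, not Sophos code and not the poster's), the script below replays a few constructed WAF log lines through a hypothetical access decision. The GeoIP table, the log layout and the function names are all assumptions. What it shows is that RFC 1918 and other non-routable source addresses have no country record in any GeoIP database, so a policy that blocks "unknown country" without first exempting internal ranges returns 403 to LAN clients that hairpin through the public IP, while a policy that exempts those ranges still blocks a public address that genuinely has no GeoIP record.

```python
import ipaddress
import re

# Constructed stand-in for a GeoIP database: only these public prefixes
# resolve to a country code. Everything else (including RFC 1918 space,
# which no GeoIP database maps to a country) comes back as None.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",   # constructed mapping
}

# Address space that can never arrive from the Internet and therefore
# should never be subjected to a country-of-origin decision.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


def country_of(ip_str):
    """Return the country code for ip_str, or None when GeoIP has no record."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEOIP_TABLE.items():
        if ip in net:
            return cc
    return None


def is_internal(ip_str):
    """True for private, loopback or link-local addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_str)
    # 'in' is False when the address family differs, so mixing v4/v6 is safe.
    return any(ip in net for net in INTERNAL_NETS)


def waf_decision(src_ip, block_unknown_country, exempt_internal):
    """Hypothetical WAF access decision; returns the HTTP status it would send.

    block_unknown_country models the "Block connections from IP's with an
    unknown country origin" checkbox. exempt_internal models the behaviour
    the poster expected: internal ranges bypass the country check entirely.
    """
    if exempt_internal and is_internal(src_ip):
        return 200
    if block_unknown_country and country_of(src_ip) is None:
        return 403
    return 200


# Constructed log lines in a simplified key="value" layout (not the real
# SFOS log format); only the src_ip field is parsed.
SAMPLE_LOG = """\
src_ip="203.0.113.7" host="www.example.com" url="/"
src_ip="192.168.10.25" host="www.example.com" url="/"
src_ip="172.16.4.8" host="www.example.com" url="/login"
src_ip="198.51.100.9" host="www.example.com" url="/"
"""
SRC_RE = re.compile(r'src_ip="([^"]+)"')


def evaluate_log(log_text, block_unknown_country, exempt_internal):
    """Replay each log line through waf_decision; returns (ip, country, status) tuples."""
    results = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        results.append((ip, country_of(ip),
                        waf_decision(ip, block_unknown_country, exempt_internal)))
    return results


if __name__ == "__main__":
    for label, exempt in (("checkbox on, no internal exemption", False),
                          ("checkbox on, internal ranges exempt", True)):
        print(label)
        for ip, cc, status in evaluate_log(SAMPLE_LOG, True, exempt):
            print(f"  {ip:<16} country={cc or 'unknown':<8} "
                  f"internal={is_internal(ip)!s:<5} -> {status}")
```

Run it directly to see both policies side by side: the two private addresses get 403 under the first policy and 200 under the second, while 198.51.100.9 (public, no record in the constructed table) gets 403 under both, which is the case the checkbox is meant to catch. Whether SFOS offers an exemption of this kind for internal ranges is not stated in this thread; the second policy only models the behaviour the poster expected, and the only fix reported here is turning the checkbox off.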

  • Hi  ,

    can you please send me a PM with some example IP addresses that got caught by the GeoIP check?

    Thank you,

