WAF - VServer config problem

Question

Hi! 
 Recently I want to configure a VIP with SSL termination on my Sophos Firewall 20 running as a VM. I have the SSL cert imported (+CA - there was no Let's encrypt E5 CA so I added it). 
 I want to start from something really simple - Outside LAN to a server in DMZ:

FW Port Outside: 192.168.1.10/24

FW Port DMZ: 192.168.3.1/24

DMZ Server is Ubuntu (192.168.3.11/24) with Nextcloud enabled on docker.

The RServer on Ubuntu is hosted with https://nextcloud.home:8081 and it works fine from my LAN. 
 Next I created Web server (sometimes named Real Server, so the backend one) as follows: Note : I tried with Real Server IP address and with FQDN: nextcloud.home - it doesn't work either

Then I added a new FW (WAF) rule to my website I want to make public: https://drive.acme.com

There are no exceptions and this is me Advanced section: 
 Note : I tried without Intrusion prevention - this doesn't work either

And the imported cert - seems imported ok (as I mentioned - I've had to add Lets ecnrypt E5 CA. After that this cert has been marked green by FW) 
 I have port translation set correctly, traffic reach the FW when I check with tcpdump on that FW, but I'm getting being Reset: 
 tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes 21:31:33.679916 PortB, IN: IP (tos 0x0, ttl 54, id 2832, offset 0, flags [DF], proto TCP (6), length 60) 95.214.217.185.7870 > drive.acme.com.https: Flags [S], cksum 0x4c3d (correct), seq 1834074896, win 65535, options [mss 1444,sackOK,TS val 2360288004 ecr 0,nop,wscale 9], length 0 21:31:33.681008 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40) drive.acme.com.https > 95.214.217.185.7870: Flags [R.], cksum 0x63b2 (correct), seq 0, ack 1834074897, win 0, length 0 21:31:34.723853 PortB, IN: IP (tos 0x0, ttl 54, id 61211, offset 0, flags [DF], proto TCP (6), length 60) 95.214.217.185.44264 > drive.acme.com.https: Flags [S], cksum 0x441f (correct), seq 3694053907, win 65535, options [mss 1444,sackOK,TS val 2360289047 ecr 0,nop,wscale 9], length 0 21:31:34.724728 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40) drive.acme.com.https > 95.214.217.185.44264: Flags [R.], cksum 0x5fa7 (correct), seq 0, ack 3694053908, win 0, length 0 
 I tried to check some logs - especially reverseproxy.log but nothing pops up there when I request for the webpage from Internet 
 Summarizing:

I know the traffic does reach my FW with correct port (so DNS and port forwarding is ok.).

I have the WAF rule done as well as internal web server + cert imported

My internal web server does work ok. from my LAN

What is wrong with my config then?

LuCar Toni · Accepted Answer

Try the drop packet capture on the firewall console. 
 drppkt is the command. 
 And check the packet capture on the webadmin for the same, if you see consumed traffic.

FFin · Answer

When you can access your server internally via https://nextcloud.home:8081 you should go from Type "Plaintext (HHTP)" to HTTPS for Real Webserver Settings in Waf.
And add to your NextCloud config.php on Webserver:
'trusted_proxies'> ['internal IP of Sophos here'],

Shadow82 · Answer

I think I found it! Thanks for hint with WebGUI Packet capture, cause it gives you info which rules are in use. 
 
 This put me back on track. I must say - I'm dumb, cause about 3 weeks before I tried to enable NextCloud AiO which had port 11000 as default listen port for it service. 
 I forgot that I mangled initially - trying to do DNAT, which I failed and left the topic for some time. 
 Recently I got back to it with more correct approach - WAF + Web server, but I haven't clean up the old DNAT rules. 
 After deleting NAT rule # 3 everything works fine!!! :) 
 
 Thanks - I learned something about Sophos FW TShoot - with drppkt & webgui tcpdump :)

WAF - VServer config problem

Top Replies