Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

WAF - VServer config problem

Hi!

Recently I want to configure a VIP with SSL termination on my Sophos Firewall 20 running as a VM. I have the SSL cert imported (+CA - there was no Let's encrypt E5 CA so I added it).

I want to start from something really simple - Outside LAN to a server in DMZ:

  • FW Port Outside: 192.168.1.10/24

  • FW Port DMZ: 192.168.3.1/24

  • DMZ Server is Ubuntu (192.168.3.11/24) with Nextcloud enabled on docker.

The RServer on Ubuntu is hosted with https://nextcloud.home:8081 and it works fine from my LAN.

Next I created Web server (sometimes named Real Server, so the backend one) as follows:
Note: I tried with Real Server IP address and with FQDN: nextcloud.home - it doesn't work either

Then I added a new FW (WAF) rule to my website I want to make public: https://drive.acme.com

There are no exceptions and this is me Advanced section:

Note: I tried without Intrusion prevention - this doesn't work either

And the imported cert - seems imported ok (as I mentioned - I've had to add Lets ecnrypt E5 CA. After that this cert has been marked green by FW)

I have port translation set correctly, traffic reach the FW when I check with tcpdump on that FW, but I'm getting being Reset:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:31:33.679916 PortB, IN: IP (tos 0x0, ttl 54, id 2832, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.7870 > drive.acme.com.https: Flags [S], cksum 0x4c3d (correct), seq 1834074896, win 65535, options [mss 1444,sackOK,TS val 2360288004 ecr 0,nop,wscale 9], length 0
21:31:33.681008 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.7870: Flags [R.], cksum 0x63b2 (correct), seq 0, ack 1834074897, win 0, length 0
21:31:34.723853 PortB, IN: IP (tos 0x0, ttl 54, id 61211, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.44264 > drive.acme.com.https: Flags [S], cksum 0x441f (correct), seq 3694053907, win 65535, options [mss 1444,sackOK,TS val 2360289047 ecr 0,nop,wscale 9], length 0
21:31:34.724728 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.44264: Flags [R.], cksum 0x5fa7 (correct), seq 0, ack 3694053908, win 0, length 0

I tried to check some logs - especially reverseproxy.log but nothing pops up there when I request for the webpage from Internet

Summarizing:

  • I know the traffic does reach my FW with correct port (so DNS and port forwarding is ok.).

  • I have the WAF rule done as well as internal web server + cert imported

  • My internal web server does work ok. from my LAN

What is wrong with my config then?



Needed to reacorrect https to http once again due to abuse policy.
[edited by: Shadow82 at 11:39 AM (GMT -8) on 12 Nov 2024]
  • When you can access your server internally via  https://nextcloud.home:8081 you should go from Type "Plaintext (HHTP)" to HTTPS for Real Webserver Settings in Waf.
    And add to your NextCloud config.php on Webserver:
    'trusted_proxies'> ['internal IP of Sophos here'],

  • There are none logs when I try to connect from Internet. Only TCP RST from FW.

    Fun fact - if I connect from my LAN to the url (LAN has DNS entry for https://drive.acme.com ==> 192.168.1.10). From LAN it works, so we might say the WAF rules config on FW is ok. but the traffic coming from Internet is being dropped and I don't know why

    Request from LAN to https://drive.acme.com - ok.

    SFVH_VM01_SFOS 20.0.2 MR-2-Build378# tcpdump host 192.168.1.69 and port 443 -nn
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    11:19:38.190468 PortB, IN: IP 192.168.1.69.26962 > 192.168.1.10.443: Flags [F.], seq 580342173, ack 3022210096, win 2053, length 0
    11:19:38.190505 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26962: Flags [.], ack 1, win 411, length 0
    11:19:38.190515 PortB, IN: IP 192.168.1.69.26962 > 192.168.1.10.443: Flags [R.], seq 1, ack 1, win 0, length 0
    11:19:38.190519 PortB, IN: IP 192.168.1.69.26963 > 192.168.1.10.443: Flags [F.], seq 3367240768, ack 916219605, win 1022, length 0
    11:19:38.190527 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26963: Flags [.], ack 1, win 434, length 0
    11:19:38.190531 PortB, IN: IP 192.168.1.69.26963 > 192.168.1.10.443: Flags [R.], seq 1, ack 1, win 0, length 0
    11:19:38.190696 PortB, IN: IP 192.168.1.69.26961 > 192.168.1.10.443: Flags [F.], seq 425507548, ack 4175423194, win 1026, length 0
    11:19:38.190697 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [S], seq 153100110, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:19:38.190707 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26961: Flags [.], ack 1, win 616, length 0
    11:19:38.190712 PortB, IN: IP 192.168.1.69.26961 > 192.168.1.10.443: Flags [R.], seq 1, ack 1, win 0, length 0
    11:19:38.190734 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [S.], seq 816268867, ack 153100111, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:19:38.190986 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [S], seq 545524837, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:19:38.191004 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [S.], seq 979956694, ack 545524838, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:19:38.191580 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], ack 1, win 1026, length 0
    11:19:38.191836 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    11:19:38.191844 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], ack 1461, win 251, length 0
    11:19:38.191851 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 1461:1825, ack 1, win 1026, length 364
    11:19:38.191853 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], ack 1825, win 274, length 0
    11:19:38.192089 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [.], ack 1, win 1026, length 0
    11:19:38.192177 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 1:157, ack 1825, win 274, length 156
    11:19:38.192356 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    11:19:38.192361 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [.], ack 1461, win 251, length 0
    11:19:38.192369 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [P.], seq 1461:1761, ack 1, win 1026, length 300
    11:19:38.192370 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [.], ack 1761, win 274, length 0
    11:19:38.192490 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [P.], seq 1:157, ack 1761, win 274, length 156
    11:19:38.193137 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 1825:1876, ack 157, win 1025, length 51
    11:19:38.193142 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 1876:2979, ack 157, win 1025, length 1103
    11:19:38.193150 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], ack 2979, win 297, length 0
    11:19:38.193400 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [P.], seq 1761:1812, ack 157, win 1025, length 51
    11:19:38.231266 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 157:1617, ack 2979, win 297, length 1460
    11:19:38.231279 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 1617:3077, ack 2979, win 297, length 1460
    11:19:38.231285 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 3077:4537, ack 2979, win 297, length 1460
    11:19:38.231290 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 4537:5997, ack 2979, win 297, length 1460
    11:19:38.231295 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 5997:7457, ack 2979, win 297, length 1460
    11:19:38.231300 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 7457:8378, ack 2979, win 297, length 921
    11:19:38.231328 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 8378:8850, ack 2979, win 297, length 472
    11:19:38.232527 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], ack 8850, win 1026, length 0
    11:19:38.239746 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [.], ack 1812, win 274, length 0
    11:19:40.963822 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 2979:3933, ack 8850, win 8195, length 954
    11:19:40.984071 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 8850:10310, ack 3933, win 320, length 1460
    11:19:40.984095 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 10310:11770, ack 3933, win 320, length 1460
    11:19:40.984103 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 11770:13230, ack 3933, win 320, length 1460
    11:19:40.984108 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 13230:14690, ack 3933, win 320, length 1460
    11:19:40.984114 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 14690:15374, ack 3933, win 320, length 684
    11:19:40.985355 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], ack 15374, win 8195, length 0

    Request from Internet to https://drive.acme.com - RST

    11:17:33.994862 PortB, IN: IP 31.61.248.85.24739 > 192.168.1.10.443: Flags [S], seq 76282307, win 65535, options [mss 1220,nop,wscale 4,sackOK,TS val 534791239 ecr 0], length 0
    11:17:33.996043 PortB, OUT: IP 192.168.1.10.443 > 31.61.248.85.24739: Flags [R.], seq 0, ack 76282308, win 0, length 0
    11:17:34.034853 PortB, IN: IP 31.61.248.85.1213 > 192.168.1.10.443: Flags [S], seq 2687500049, win 65535, options [mss 1220,nop,wscale 4,sackOK,TS val 534791278 ecr 0], length 0
    11:17:34.035632 PortB, OUT: IP 192.168.1.10.443 > 31.61.248.85.1213: Flags [R.], seq 0, ack 2687500050, win 0, length 0

    Port forwarding looks good but FW drops if it sees request from pbulic IP (?)

  • You said, the real server is using HTTPS, so you should select HTTPS as the real server as well. 

    Do you have any kind of reverseproxy.log entries? This is the first step to check, if the WAF is actually used or something else blocked it. 

    __________________________________________________________________________________________________________________

  • Try the drop packet capture on the firewall console.

    drppkt is the command.

    And check the packet capture on the webadmin for the same, if you see consumed traffic. 

    __________________________________________________________________________________________________________________

  • Maybe you should filter with a Pipe. 

    drppkt | grep 443 

    __________________________________________________________________________________________________________________

  • thats my type'o. sorry for that.

    real server use https://nextcloud.home:8081

    I corrected it and my post has been marked as abusive. I appealed. Admins said - ok. and the post came back uncorrected.
    So I corrected it again. The post was marked as abusive. I appealed. Admins said - ok. and the post came back uncorrected.

    ... :-)

  • Community is very senstive setup due the attacks and phishing attemps. Try to avoid URLs in that form. 

    __________________________________________________________________________________________________________________

  • Thanks for hints. 
    Now I see that requests from LAN are ok. but requests from Internet are being dropped on FW and this is observed with tcpdump only. I don't see any rule hit, log entries and I need a bit more time with drppkt - but as for now I tried to grep with TCP or 443 and nothing is being returned when I request from Internet.

    Only TCPDump TCP RST after the handshake is done

  • If drppkt is not dropping / logging, this is an indicator, that something else is accepting this. 

    Double check: Ports used for SSLVPN, VPN Portal, User Portal in Webadmin. 

    __________________________________________________________________________________________________________________