
WAF - VServer config problem

Hi!

Recently I wanted to configure a VIP with SSL termination on my Sophos Firewall 20 running as a VM. I have the SSL cert imported (+CA; there was no Let's Encrypt E5 CA, so I added it).

I want to start from something really simple - Outside LAN to a server in DMZ:

  • FW Port Outside: 192.168.1.10/24

  • FW Port DMZ: 192.168.3.1/24

  • DMZ Server is Ubuntu (192.168.3.11/24) with Nextcloud enabled on docker.

The RServer on Ubuntu is hosted at https://nextcloud.home:8081 and it works fine from my LAN.

Next I created the web server (sometimes named Real Server, i.e. the backend one) as follows:
Note: I tried with the Real Server IP address and with the FQDN nextcloud.home; it doesn't work either way.

Then I added a new FW (WAF) rule for the website I want to make public: https://drive.acme.com

There are no exceptions, and this is my Advanced section:

Note: I tried without Intrusion prevention; that doesn't work either.

And the imported cert seems to be imported OK (as I mentioned, I had to add the Let's Encrypt E5 CA; after that the cert was marked green by the FW).

I have port translation set correctly, and the traffic reaches the FW when I check with tcpdump on it, but the connection is being reset:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:31:33.679916 PortB, IN: IP (tos 0x0, ttl 54, id 2832, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.7870 > drive.acme.com.https: Flags [S], cksum 0x4c3d (correct), seq 1834074896, win 65535, options [mss 1444,sackOK,TS val 2360288004 ecr 0,nop,wscale 9], length 0
21:31:33.681008 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.7870: Flags [R.], cksum 0x63b2 (correct), seq 0, ack 1834074897, win 0, length 0
21:31:34.723853 PortB, IN: IP (tos 0x0, ttl 54, id 61211, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.44264 > drive.acme.com.https: Flags [S], cksum 0x441f (correct), seq 3694053907, win 65535, options [mss 1444,sackOK,TS val 2360289047 ecr 0,nop,wscale 9], length 0
21:31:34.724728 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.44264: Flags [R.], cksum 0x5fa7 (correct), seq 0, ack 3694053908, win 0, length 0

I tried to check some logs, especially reverseproxy.log, but nothing shows up there when I request the web page from the Internet.

Summarizing:

  • I know the traffic does reach my FW on the correct port (so DNS and port forwarding are OK).

  • I have the WAF rule done, as well as the internal web server + cert imported.

  • My internal web server does work OK from my LAN.

What is wrong with my config then?



Needed to re-correct https to http once again due to abuse policy.
[edited by: Shadow82 at 11:39 AM (GMT -8) on 12 Nov 2024]
Parents Reply
  • Thanks for hints. 
    Now I see that requests from the LAN are OK, but requests from the Internet are being dropped on the FW, and this is observed with tcpdump only. I don't see any rule hit or log entries, and I need a bit more time with drppkt, but for now I tried to grep for TCP or 443 and nothing is returned when I request from the Internet.

    Only the TCP RST in tcpdump after the handshake is done.

Children
  • If drppkt is not dropping / logging, this is an indicator that something else is accepting this.

    Double check: ports used for SSL VPN, VPN Portal and User Portal in Webadmin.


  • I will. I can add for the moment that this is a quite fresh install with just a few FW rules accepting Chrome Remote Desktop, FTP and SMB for the server we are talking about.

    No fancy stuff there (yet) :)

  • I think I found it! Thanks for the hint about the WebGUI packet capture, because it shows you which rules are in use.

    This put me back on track. I must say I'm dumb, because about 3 weeks earlier I tried to enable Nextcloud AiO, which has port 11000 as the default listen port for its service.

    I forgot that I had initially fiddled with it, trying to do DNAT, which failed, and I left the topic for some time.

    Recently I got back to it with a more correct approach (WAF + web server), but I hadn't cleaned up the old DNAT rules.

    After deleting NAT rule # 3 everything works fine!!! :)

    Thanks, I learned something about Sophos FW troubleshooting with drppkt & the WebGUI tcpdump :)
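The capture in the original post shows the pattern that drove the whole thread: an inbound SYN on PortB is answered by an RST/ACK, while drppkt logs nothing, and the final reply traces it to a stale DNAT rule that matched port 443 before the WAF rule and forwarded the SYN to a backend with nothing listening. The script below is an added example, not code from the thread or from Sophos. It parses the two-line verbose tcpdump records shown in the post, pairs each client SYN with the reply it received, and flags flows that got an RST instead of a SYN/ACK. It also applies a TTL heuristic that is an assumption of this example, not something the thread states: SFOS is Linux-based, so a packet the firewall generates itself (such as a SYN/ACK from its WAF listener) should leave with TTL 64, whereas the RST in the post left with TTL 63, which is what a reset forwarded from one hop behind the firewall would look like, consistent with the DNAT explanation the poster eventually found. The sample capture is constructed from the post's records plus one ordinary LAN handshake for contrast.

```python
import re

# Constructed sample input, modelled on the two-line verbose tcpdump records in
# the original post. Flow 1 is the SYN -> RST/ACK exchange from the thread;
# flow 2 is an ordinary SYN -> SYN/ACK from a LAN client, added for contrast.
SAMPLE_CAPTURE = """\
21:31:33.679916 PortB, IN: IP (tos 0x0, ttl 54, id 2832, offset 0, flags [DF], proto TCP (6), length 60)
    95.214.217.185.7870 > drive.acme.com.https: Flags [S], cksum 0x4c3d (correct), seq 1834074896, win 65535, options [mss 1444,sackOK,TS val 2360288004 ecr 0,nop,wscale 9], length 0
21:31:33.681008 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    drive.acme.com.https > 95.214.217.185.7870: Flags [R.], cksum 0x63b2 (correct), seq 0, ack 1834074897, win 0, length 0
21:31:40.100000 PortA, IN: IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.50000 > drive.acme.com.https: Flags [S], cksum 0x1111 (correct), seq 1000, win 65535, options [mss 1460,sackOK], length 0
21:31:40.100500 PortA, OUT: IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    drive.acme.com.https > 192.168.1.50.50000: Flags [S.], cksum 0x2222 (correct), seq 2000, ack 1001, win 65535, options [mss 1460,sackOK], length 0
"""

# Assumption (not stated in the thread): SFOS is Linux-based and stamps locally
# generated packets with the Linux default TTL of 64. A smaller TTL on a packet
# the firewall sends out therefore means it was forwarded from a host behind the
# firewall rather than created by the firewall's own stack (e.g. the WAF listener).
FIREWALL_TTL = 64

HDR_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP .*?ttl (?P<ttl>\d+),"
)
PKT_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def parse_records(text):
    """Join each IP header line with the TCP line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        hdr = HDR_RE.match(line)
        if hdr:
            pending = hdr.groupdict()
            continue
        pkt = PKT_RE.match(line)
        if pkt and pending:
            rec = {**pending, **pkt.groupdict()}
            rec["ttl"] = int(rec["ttl"])
            records.append(rec)
            pending = None
    return records


def classify_reset(syn, rst):
    """Explain a SYN answered by RST using the TTL heuristic above."""
    hops_behind = FIREWALL_TTL - rst["ttl"]
    if hops_behind == 0:
        verdict = ("RST generated by the firewall's own stack: the SYN reached the "
                   "firewall itself, check which local service or rule owns the port")
    elif hops_behind > 0:
        verdict = (f"RST forwarded from {hops_behind} hop(s) behind the firewall: a "
                   "NAT rule handed the port to a backend with nothing listening")
    else:
        verdict = "RST TTL above the assumed firewall default, heuristic does not apply"
    return {
        "client": syn["src"], "server": syn["dst"], "iface": syn["iface"],
        "syn_ts": syn["ts"], "rst_ttl": rst["ttl"], "hops_behind": hops_behind,
        "verdict": verdict,
    }


def find_reset_flows(text):
    """One finding per client SYN that was answered with RST instead of SYN/ACK."""
    pending_syns, findings = {}, []
    for rec in parse_records(text):
        if rec["flags"] == "S":
            pending_syns[(rec["src"], rec["dst"])] = rec
            continue
        syn = pending_syns.pop((rec["dst"], rec["src"]), None)
        if syn is not None and "R" in rec["flags"]:
            findings.append(classify_reset(syn, rec))
        # a SYN/ACK ("S.") means a listener accepted the SYN: nothing to report
    return findings


if __name__ == "__main__":
    for f in find_reset_flows(SAMPLE_CAPTURE):
        print(f"{f['syn_ts']} {f['iface']} {f['client']} -> {f['server']}: {f['verdict']}")
```

To use it on a real capture, save the verbose tcpdump output from the firewall shell to a file and pass its contents to find_reset_flows(). A "forwarded" verdict is the cue to look at NAT rule ordering, as in this thread, while a TTL-64 reset points at the firewall's own services (the SSL VPN, VPN Portal and User Portal ports the second reply mentions); treat the hop count as a hint to confirm with drppkt and the WebGUI packet capture, not as proof.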