Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Replies 12 replies
  • Answers 2 answers
  • Subscribers 42 subscribers
  • Views 992 views
  • Users 0 members are here
Options
Suggested

WAF - VServer config problem

Shadow82

Hi!

Recently I want to configure a VIP with SSL termination on my Sophos Firewall 20 running as a VM. I have the SSL cert imported (+CA - there was no Let's encrypt E5 CA so I added it).

I want to start from something really simple - Outside LAN to a server in DMZ:

  • FW Port Outside: 192.168.1.10/24

  • FW Port DMZ: 192.168.3.1/24

  • DMZ Server is Ubuntu (192.168.3.11/24) with Nextcloud enabled on docker.

The RServer on Ubuntu is hosted with https://nextcloud.home:8081 and it works fine from my LAN.

Next I created Web server (sometimes named Real Server, so the backend one) as follows:
Note: I tried with Real Server IP address and with FQDN: nextcloud.home - it doesn't work either

Then I added a new FW (WAF) rule to my website I want to make public: https://drive.acme.com

There are no exceptions and this is me Advanced section:

Note: I tried without Intrusion prevention - this doesn't work either

And the imported cert - seems imported ok (as I mentioned - I've had to add Lets ecnrypt E5 CA. After that this cert has been marked green by FW)

I have port translation set correctly, traffic reach the FW when I check with tcpdump on that FW, but I'm getting being Reset:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:31:33.679916 PortB, IN: IP (tos 0x0, ttl 54, id 2832, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.7870 > drive.acme.com.https: Flags [S], cksum 0x4c3d (correct), seq 1834074896, win 65535, options [mss 1444,sackOK,TS val 2360288004 ecr 0,nop,wscale 9], length 0
21:31:33.681008 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.7870: Flags [R.], cksum 0x63b2 (correct), seq 0, ack 1834074897, win 0, length 0
21:31:34.723853 PortB, IN: IP (tos 0x0, ttl 54, id 61211, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.44264 > drive.acme.com.https: Flags [S], cksum 0x441f (correct), seq 3694053907, win 65535, options [mss 1444,sackOK,TS val 2360289047 ecr 0,nop,wscale 9], length 0
21:31:34.724728 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.44264: Flags [R.], cksum 0x5fa7 (correct), seq 0, ack 3694053908, win 0, length 0

I tried to check some logs - especially reverseproxy.log but nothing pops up there when I request for the webpage from Internet

Summarizing:

  • I know the traffic does reach my FW with correct port (so DNS and port forwarding is ok.).

  • I have the WAF rule done as well as internal web server + cert imported

  • My internal web server does work ok. from my LAN

What is wrong with my config then?



Needed to reacorrect https to http once again due to abuse policy.
[edited by: Shadow82 at 11:39 AM (GMT -8) on 12 Nov 2024]
Parents Reply
  • 0 in reply to LuCar Toni

    Thanks for hints. 
    Now I see that requests from LAN are ok. but requests from Internet are being dropped on FW and this is observed with tcpdump only. I don't see any rule hit, log entries and I need a bit more time with drppkt - but as for now I tried to grep with TCP or 443 and nothing is being returned when I request from Internet.

    Only TCPDump TCP RST after the handshake is done

Children
Unfiltered HTML