Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Replies 12 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 395 views
  • Users 0 members are here
Options
Suggested

WAF - VServer config problem

Shadow82

Hi!

Recently I want to configure a VIP with SSL termination on my Sophos Firewall 20 running as a VM. I have the SSL cert imported (+CA - there was no Let's encrypt E5 CA so I added it).

I want to start from something really simple - Outside LAN to a server in DMZ:

  • FW Port Outside: 192.168.1.10/24

  • FW Port DMZ: 192.168.3.1/24

  • DMZ Server is Ubuntu (192.168.3.11/24) with Nextcloud enabled on docker.

The RServer on Ubuntu is hosted with https://nextcloud.home:8081 and it works fine from my LAN.

Next I created Web server (sometimes named Real Server, so the backend one) as follows:
Note: I tried with Real Server IP address and with FQDN: nextcloud.home - it doesn't work either

Then I added a new FW (WAF) rule to my website I want to make public: https://drive.acme.com

There are no exceptions and this is me Advanced section:

Note: I tried without Intrusion prevention - this doesn't work either

And the imported cert - seems imported ok (as I mentioned - I've had to add Lets ecnrypt E5 CA. After that this cert has been marked green by FW)

I have port translation set correctly, traffic reach the FW when I check with tcpdump on that FW, but I'm getting being Reset:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:31:33.679916 PortB, IN: IP (tos 0x0, ttl 54, id 2832, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.7870 > drive.acme.com.https: Flags [S], cksum 0x4c3d (correct), seq 1834074896, win 65535, options [mss 1444,sackOK,TS val 2360288004 ecr 0,nop,wscale 9], length 0
21:31:33.681008 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.7870: Flags [R.], cksum 0x63b2 (correct), seq 0, ack 1834074897, win 0, length 0
21:31:34.723853 PortB, IN: IP (tos 0x0, ttl 54, id 61211, offset 0, flags [DF], proto TCP (6), length 60)
95.214.217.185.44264 > drive.acme.com.https: Flags [S], cksum 0x441f (correct), seq 3694053907, win 65535, options [mss 1444,sackOK,TS val 2360289047 ecr 0,nop,wscale 9], length 0
21:31:34.724728 PortB, OUT: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
drive.acme.com.https > 95.214.217.185.44264: Flags [R.], cksum 0x5fa7 (correct), seq 0, ack 3694053908, win 0, length 0

I tried to check some logs - especially reverseproxy.log but nothing pops up there when I request for the webpage from Internet

Summarizing:

  • I know the traffic does reach my FW with correct port (so DNS and port forwarding is ok.).

  • I have the WAF rule done as well as internal web server + cert imported

  • My internal web server does work ok. from my LAN

What is wrong with my config then?



Needed to reacorrect https to http once again due to abuse policy.
[edited by: Shadow82 at 11:39 AM (GMT -8) on 12 Nov 2024]
Parents Reply
  • 0 in reply to FFin

    Problem solved. I've had "legacy" DNAT rule that has been hit when traffic was from Internet. User Lucar Toni has driven me into packet capture which showed me that hit was taking place.

    I totally forgot about it.

    After removing the rule, everything is working fine.

    Thanks for support!

    P.s.

    If I should mark this thread some more than "this is the answer", tell me. I'll do it

Children
No Data
Unfiltered HTML