https://community.sophos.com/sophos-xg-firewall/f/discussions/148040/waf-with-the-webserver-hosted-in-azureHello, we have a VPN-tunnel from our XG330 (SFOS 20.0.2 MR-2) to Azure and want to host a web application in azure. The VPN Tunnel was done via the configuration file and is route based, with the xfrm interfaces being in the169.254.0.0/30 subneten-USTelligent Community 12https://community.sophos.com/thread/549269?ContentTypeID=1Tue, 03 Dec 2024 09:00:16 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:7d591eb4-c9c3-4a88-8797-327d814daf27Dominik Friedl<p>Thank you for the info! We will see if we can make it work with routing on the Azure side. Unfortunately, policy-based is no option for us. We have tried this before and had a lot of troubles with the tunnel disconnecting.</p><div style="clear:both;"></div>https://community.sophos.com/thread/549130?ContentTypeID=1Wed, 27 Nov 2024 14:42:42 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:1c17266a-7bde-4366-82de-847d03e587e1Sreenivasulu Naidu<p>Hi <a href="/members/dominik-friedl">Dominik Friedl</a>&nbsp;, I have verified WAF over Policy based IPsec VPN on XGS---Azure&nbsp;setup, it works for me..I see LAN port&#39;s ip is being used for&nbsp;system generated TCP packet from SFOS and the web server page is loaded on the client&nbsp;requesting&nbsp;web page.</p><div style="clear:both;"></div>https://community.sophos.com/thread/549115?ContentTypeID=1Wed, 27 Nov 2024 07:21:13 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:addbb840-6fa3-4f70-adb1-6745c29f3b6cSreenivasulu Naidu<p>Hi @<a href="/members/dominik-friedl">Dominik Friedl</a>, sys-traffic-nat on cli of SFOS will not help placing waf traffic with the&nbsp;configured ip; in case of waf&nbsp;with route based vpn, the source ip will always be the xfrm ip. Please try if your use case with Azure works with policy based VPN, this uses one of the LAN ports ip while placing waf traffic into IPsec tunnel.</p> <p>If the usage of route based vpn is a must, then please check with Azure on the routing part.</p> <p>Also, if it is fine to use without WAF rule, equivalent functionality can be achieved by using SANT and DANT rules on SFOS.</p><div style="clear:both;"></div>https://community.sophos.com/thread/549077?ContentTypeID=1Tue, 26 Nov 2024 08:28:59 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:050801e9-48e1-4297-84e8-88c7de63b531Dominik Friedl<p>Hi,</p> <p>I have screenshots attached from the tests. 10.25.0.100 is the webserver.</p> <p>First test was a ping with the SNAT for system-generated traffic:</p> <p></p> <p><img alt=" " src="/resized-image/__size/1280x960/__key/communityserver-discussions-components-files/126/6646.showAdvancedFirewall.png" /><img alt=" " src="/resized-image/__size/1280x960/__key/communityserver-discussions-components-files/126/pingOnFirewall.png" /></p> <p><img alt=" " src="/resized-image/__size/1280x960/__key/communityserver-discussions-components-files/126/pcapPingOnFirewall.png" /><img alt=" " src="/resized-image/__size/1280x960/__key/communityserver-discussions-components-files/126/tcpdumpPingOnFirewall.png" /></p> <p></p> <p>Then I tried to access the WAF from my client:</p> <p><img alt=" " src="/resized-image/__size/1280x960/__key/communityserver-discussions-components-files/126/tcpdumpAccessWAF.png" /></p> <p><img alt=" " src="/resized-image/__size/1280x960/__key/communityserver-discussions-components-files/126/pcapAccessWAF.png" /></p> <p>&nbsp;<a href="https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-firewall-configuring-an-ipsec-vpn-gateway-connection-to-azure">Sophos Firewall: Configuring an IPsec VPN Gateway Connection to Azure</a>&nbsp;</p> <p></p> <p>I used this instruction to setup my VPN Tunnel.</p><div style="clear:both;"></div>https://community.sophos.com/thread/548863?ContentTypeID=1Wed, 20 Nov 2024 17:04:17 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:babc35f9-2dd7-400b-bb4c-be03655c7b55Hardik_R<p>Hi <a href="/members/dominik-friedl">Dominik Friedl</a>&nbsp;<br /><br />you are&nbsp;following the right way however TCPDUMP &amp; GUI packet capture(Diagnostics &gt; Packet capture) output for below 2 situations will help to understand more on packet flow :&nbsp;tcpdump -nei any host &lt;web server IP&gt;</p> <p>1. When you ping the webserver directly from the firewall.<br />2. When you try to access web server using WAF</p> <p>Also&nbsp;Which IP you have used in SNAT for system-generated traffic? and after configuring this, are you getting ping reply?</p><div style="clear:both;"></div>