Sophos SG-Series, WAF, url_hardening: error

Hello there, 

Thanks for reaching out to Sophos Community and hope you are well. 

Could you try enabling the exception "Never change HTML during URLHardening or FormHardening“ under Web Server Protection > Firewall Profiles > Exceptions

Kindly let us know how it goes. Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,

Thanks for your answer.
Your suggestion needs furher configuration:


I´m not sure what to configure there. Is it like this https://www.company.com/entry-URL ?

Hello there,

Yes to be able to use this option you will need to create a new exception for form hardening that applies to the URL identified in the reverseproxy.log. you can verify URL on advance shell /var/log/reverseproxy.log 

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Unfortunately it doesn´t solve the problem

Hello there, 

Good day. May you share your current configuration for this exception? 

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Entry URL is https://test.company.com/ and will be forwarded to test.company.com/.../s=xxxxxxxxxxxxxxxxxxxx

The Website opens and seems ok. Then we try to use an scheduler on this site and get url_hardening:error with:
- No signature found in Referer: https://test.company.com/abc/index.php/xxxxxxxxxxxxxxxxxxxxxxx
- Form validation failed: Received unhardened form data Received unhardened form data Referer: https://test.company.com/abc/index.php/xxxxxxxxxxxxxxxxxxxxxxx where xxxxxx is dynamic

Result is: Forbidden, You don´t have permission to access this ressource

Hello there,

Good day and thanks for your patience on this, Could you add/check Form Hardening on 'Skip these checks' section? As to be able to use this option you will need to create a new exception for form hardening that applies to the URL identified in the reverseproxy.log >  to check the URL kindly use command on Shell tail -f /var/log/reverseproxy.log | grep "form_hardening:error"

If this above doesn't work could you share logs of tail -f /var/log/reversproxy.log during the access to the site to see if there's any other error information we could see. 

Many thanks for your time and patience and thank you for choosing Sophos. 

Cheers,

Hello there,

Good day and thanks for your patience on this, Could you add/check Form Hardening on 'Skip these checks' section? As to be able to use this option you will need to create a new exception for form hardening that applies to the URL identified in the reverseproxy.log >  to check the URL kindly use command on Shell tail -f /var/log/reverseproxy.log | grep "form_hardening:error"

If this above doesn't work could you share logs of tail -f /var/log/reversproxy.log during the access to the site to see if there's any other error information we could see. 

Many thanks for your time and patience and thank you for choosing Sophos. 

Cheers,

2023:04:18-07:47:39 srv90076-2 httpd[29629]: [url_hardening:error] [pid 29629:tid 3813518144] [client ip-address:59995] No signature found, URI: test.company.com/.../index.php, referer: https://test.company.com/abc/index.php?test=&pfad=Kurse&modus=buchung&kursangebotID=745&kursID=6778

2023:04:18-07:47:39 srv90076-2 httpd: id="0299" srcip="ip-address" localip="ip-address" size="199" user="-" host="ip-address" method="POST" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="16170" url="/abc/index.php" server="test.company.com" port="443" query="?test=&pfad=Kurse&modus=buchung&kursangebotID=745&kursID=6778&action=insert&buchID=1681796826-6778" referer="">test.company.com/.../index.php cookie="PHPSESSID=r149918me7gr6li1m0lohr635c" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZD4u-5MiHWDaJgnrVSj2sAAAAFc"

Hello there, 

Many thanks for your patience on this and for sending these following details. 

Could you make an exception and url path for the said site using a wildcard: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/WebServProtFirewallProfilesExceptions.htm 

And could you also check "Accept Unhardened Form Data"

Kindly let us know how it goes. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

no change - same error messages

Hello there,

Good day and thanks for your patience. 

If none of the above steps would work. May I recommed you to open a support case for this to be further investigated. You may also refer to this community post to detail steps that we have already did. You may also share caseID with us via DM or by replying to this thread. 

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

We tested again and found a solution for [url_hardening:error] No signature found
For entry URL we defined /abc/index.php and for Exception /abc/*

But it doens´t solve the problem that I don´t know what causes these error and what the is the risk with configured exception.

Any idea?

Hello,

Good day hope you are well

Thanks for your patience on this. As recommended above, please open a support case for this to have further investigated by an engineer and you may also refer to this community post, for you not to explain every details of the issue and the troubleshooting steps that has already been done. Kindly share with us via DM or by replying to this thread the would be generated caseID so we can track progress on our end. 

Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,