This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PROBLEM Sopos UTM AH00026: found %2f (encoded '/')

Hello Everyone

Any way to fix this problem from Sophos UTM GUI?
We want to publish our webapplication but we are facing some problems with "/" decoding.

Was this Problem solved before?


2020:06:22-15:13:58 firewall-1 httpd[29313]: [core:notice] [pid 29313:tid 3750837104] [client xxxxxxx] AH00026: found %2f (encoded '/') in URI (decoded='/core/rest/secure/media/storeFileContent/test/TestP.ruletree'), returning 404


Our SOPHOS Firewall SG310 UTM 9 (Firmware version: 9.702-1)

This thread was automatically locked due to age.
  • Hallo Lukas and welcome to the UTM Community!

    I'm confused about your question.  First, this is the forum for the UTM Manager Application - a separate app that is used to manage multiple UTMs.  Next, you talk about publishing a web application, but you show us a line from the HTTP Daemon log which only records actions taken by the code when someone accesses WebAdmin or the User Portal.

    I'll move this thread to the Web Server Security forum.  Please show us a picture of the error you're seeing.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I recognize this is a message from the Web Application Firewall log.

    It means that it has detected what appears to be a web URL trying to play tricks, because the request includes a slash which is entered as a hex sequence rather than a slash character.

    The WAF blocked the request.   Status code 404 was returned to the user, which means "Forbidden"

    If you are sure that you need this to be allowed, you will need to figure out which rule is involved.   You are looking for a long entry containing a token of the form [id 999999].  Then you add that rule ID to the exceptions list.   Perhaps the token is in part of this message that you did not include, or perhaps it is in an adjacent message.   WAF messages can stretch across multiple log entries.

    Most of the UTM WAF configuration options have the effect of enabling or disabling an entire category of rules.   So another way to experiment is to turn off WAF options until you find the one  that blocks the request when enabled, and allows it when disabled.   Just remember that you have disabled a category by this method, not just one rule.

    If you cannot find the right way to override, you will need to get Sophos support involved.