
Proxy protocol support and Firewall

We're running Sophos UTM 9.x in AWS and enabled Proxy Protocol support in the WAF. We've also enabled proxy protocol support in the HAproxy instances sitting in front of the UTM. We can see the source IP addresses in the WAF log but not in the Firewall log. We were expecting the source IP address would also be visible in the Firewall log since we have already enabled proxy protocol support. What steps are we missing? Thank you.
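An added illustration of the point behind this question (example code, not part of the original thread and not Sophos or HAProxy code): the PROXY protocol v1 header is a text line that HAProxy prepends to the TCP payload of each forwarded connection. A packet filter logs addresses from the IP header, so it records the HAProxy instance as the source; only a receiver that reads and parses the payload, such as a reverse proxy or WAF, learns the original client address. The parser below shows that split, and also rejects malformed headers, because a listener that accepts PROXY headers must only be reachable from trusted proxies (otherwise any client could write its own header). The sample stream and the HAProxy address are constructed.

```python
"""Parse a PROXY protocol v1 header the way a reverse proxy does, to show
which layer can see the original client address. Added example; addresses
are constructed (documentation / private ranges)."""
import ipaddress

# Constructed sample: bytes HAProxy would send with `send-proxy` in front of
# an HTTP request. The header rides inside the TCP payload.
SAMPLE_STREAM = (
    b"PROXY TCP4 192.0.2.10 10.0.0.5 51234 443\r\n"
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

# Constructed: the address a packet filter sees in the IP header, i.e. the
# HAProxy instance that opened the TCP connection.
HAPROXY_ADDR = "10.0.0.9"

MAX_V1_HEADER = 107  # v1 header is at most 107 bytes including the CRLF


def parse_proxy_v1(stream: bytes):
    """Return (info, remaining_payload) for a v1 header at the start of
    `stream`; raise ValueError instead of trusting a malformed header."""
    if not stream.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header")
    # The CRLF must fall inside the first 107 bytes.
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header too long or unterminated")
    try:
        fields = stream[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in header")
    rest = stream[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("malformed PROXY header")
    family = fields[1]
    if family == "UNKNOWN":
        # Sender could not determine the client; fall back to the socket peer.
        return {"family": "UNKNOWN"}, rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY header")
    version = 4 if family == "TCP4" else 6
    src_ip = ipaddress.ip_address(fields[2])  # raises ValueError if bogus
    dst_ip = ipaddress.ip_address(fields[3])
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {
        "family": family,
        "src": str(src_ip),
        "dst": str(dst_ip),
        "sport": sport,
        "dport": dport,
    }, rest


def what_each_layer_sees(wire_src: str, stream: bytes) -> dict:
    """Contrast the source a packet filter logs (IP header) with the source
    a PROXY-protocol-aware application recovers from the payload."""
    info, _ = parse_proxy_v1(stream)
    return {
        "firewall_src": wire_src,                 # never reads the payload
        "waf_src": info.get("src", wire_src),     # parsed from the header
    }


if __name__ == "__main__":
    print(what_each_layer_sees(HAPROXY_ADDR, SAMPLE_STREAM))
```

The same asymmetry applies to any packet-filter rule or log: a rule that matches on the client address has to be enforced by the component that parses the header, or the real client address has to be restored at the network layer by some other means.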



  • You can try this way:

    Navigate to Tools > Options, then select the Advanced tab. On the Network tab (usually selected by default), click Settings. The Connection Settings dialog box shows whether the browser is configured to connect to a proxy server. Make a note of the proxy settings.

    I hope this will help.

    Best regards

  • Sorry, is this in the Sophos GUI or the browser? The issue is with Sophos being able to "see" the source IP address coming in from one of its interfaces if it's sitting behind a proxy server, in this instance an HAProxy server, and then doing actions (e.g. allow, deny) in DNAT or some other mechanism.

  • I don't see an "(Address)" object anywhere.  Check #4 in the Rulz link above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I modified the group in question and used the Host address and tested, it still doesn't work. When you say "[Address]" object, do you mean Host type? Thanks!

  • I mean that the DNAT won't work with a regular host object.  There is a way to make it work, but that wouldn't fit in with the "culture" here and would reduce your ability to get help.  See #4 in the Rulz link in my first post above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, I apologize for the confusion. I'm relatively new to Sophos UTM and still understanding basic concepts. I've modified the network group with some interface addresses:

    I tested it and the request still went through.

  • Unless one of those (Address) objects is the one on the interface with a default gateway and is your connection to the Internet, that won't work.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, one of those interfaces has a default gateway but unfortunately the gateway it's pointing to is not alive.
