We're running Sophos UTM 9.x in AWS and enabled Proxy Protocol support in the WAF. We've also enabled proxy protocol support in the HAproxy instances sitting in front of the UTM. We can see the source IP addresses in the WAF log but not in the Firewall log. We were expecting the source IP address would also be visible in the Firewall log since we have already enabled proxy protocol support. What steps are we missing? Thank you.
Hi and welcome to the UTM Community!
That's not how UTM works. You can begin to learn the way WebAdmin and the configuration daemon work by absorbing #2 in Rulz (last updated 2019-04-17). Also see Doug Foster's take on some of the Rulz: READ ME FIRST: UTM Architecture.
Cheers - Bob
Thanks for the info! A very nice read, indeed. My next question would be: where do we block the IP addresses that we don't want processed (or blocked) by the WAF?
In 'Webserver Protection >> Firewall Profiles', select 'Block clients with bad reputation' for the applicable Firewall Profile. If there are specific IPs that you want to block, use a blackhole DNAT as suggested in #2 in Rulz.
Hi Bob, thanks for this! Since Sophos is behind an HAProxy instance, would the DNAT rule work? I tested by creating this DNAT rule: In the network group "Malicious IPs," I added the public IP address of my current connection and in the target destination, the /16 network where the target instances are. I did a test cURL to the public endpoint, which passes through the WAF (and supposedly the DNAT) and the connection still works. What am I doing wrong?
In order for WebAdmin and the Configuration Daemon to create the right iptables code, the 'Going to:' box must be filled with a group of "(Address)" objects, not just regular Host definitions. See #4 in Rulz.
The public IP of your current connection shouldn't be in the "Malicious IPs" group, but there's probably no effect caused by it being there.
Hi Bob, thanks for your time. The reason why I added the public IP of my current connection to the "Malicious IPs" group is for testing the DNAT rule. Anyways, I found a resource I can do the tests from and have removed the public IP of my current connection from the "Malicious IPs" group. I changed the NAT rule and changed the "Going to:" box with a group (which contains the network where the target instances are). However, the result is still the same -- I can still access the endpoint from my test connection. Is it because Sophos is sitting in front of an HAProxy instance? Proxy protocol doesn't seem to have an effect in the DNAT rule.
[test instance] --> [haproxy] --> [sophos] --> [internal network]
Please show a picture of the Edit of the Network Group.
Hi Bob, here you go
You can try this way-
Navigate to Tools > Options, then select the Advanced tab. On the Network tab (usually selected by default), click Settings. The Connection Settings dialog box shows whether the browser is configured to connect to a proxy server. Make a note of the proxy settings.
I hope this will help
Sorry, is this in the Sophos GUI or the browser? The issue is with Sophos being able to "see" the source IP address coming in from one of its interfaces if it's sitting behind a proxy server, in this instance an HAProxy server, and then doing actions (e.g. allow, deny) in DNAT or some other mechanism.
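Added example, not part of the thread and not Sophos or HAProxy code: a minimal PROXY protocol v1 parser showing that the original client address travels inside the TCP payload, so a check on the connection's peer address sees the proxy while a proxy-aware listener sees the client. All addresses, the blocklist and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
HAPROXY_PEER = "10.0.1.10"                              # TCP peer of the connection
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]    # stand-in for a "Malicious IPs" group
SAMPLE = (b"PROXY TCP4 203.0.113.7 10.0.2.20 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

def parse_proxy_v1(data):
    """Return (client_ip, client_port, rest) from a PROXY v1 header.
    Returns (None, None, rest) when no header is present or it is UNKNOWN."""
    if not data.startswith(b"PROXY "):
        return None, None, data
    end = data.find(b"\r\n", 0, 107)    # v1 header line is at most 107 bytes with CRLF
    if end == -1:
        raise ValueError("unterminated PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])   # raises ValueError on a bad address
    ipaddress.ip_address(fields[3])
    return str(src), int(fields[4]), rest

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

def decide(peer_ip, first_bytes):
    """Run the same blocklist check at the packet layer and at a proxy-aware layer."""
    client_ip, _, _ = parse_proxy_v1(first_bytes)
    effective = client_ip or peer_ip
    return {
        "packet_layer_sees": peer_ip,
        "packet_layer_blocks": is_blocked(peer_ip),
        "proxy_aware_sees": effective,
        "proxy_aware_blocks": is_blocked(effective),
    }

if __name__ == "__main__":
    print(decide(HAPROXY_PEER, SAMPLE))
```

The header should only be trusted on connections whose peer is a known proxy, since any client able to connect directly could otherwise supply its own `PROXY` line.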