WAF - [form_hardening:error]

Question

Hello all,

I am running Sophos UTM for a long time now and i am experiencing recently a problem with WAF (i believe). I have a Nextcloud server behind this Sophos i have been using it without problems for some years now. Suddenly though, when i access the Nextcloud page from outside (so through the sophos webserver), i get no login fields, while accessing it internally from my LAN, all is good.

Checking the WAF logs, i can see [form_hardening:error] No form context found when parsing <input> tag , error.

2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] (22)Invalid argument: [client 86.124.125.191:58660] No form context found when parsing <input> tag
2023:09:26-13:18:49 robfw1 httpd: id="0299" srcip="86.124.125.191" localip="79.115.175.113" size="4649" user="-" host="86.124.125.191" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="83162" url="/index.php/login" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_sameSiteCookielax=true; ocsdvx0o4czd=q8nm73lat0ts4jmkr5igfe80cs; ocqqq4bnplq7=cfvomtegi1epbnd2gc23fpt353; nc_sameSiteCookiestrict=true; oc_sessionPassphrase=9kc1bRScz7AU3JoAHwfOM5%2B6UD0sIwEN1gOFHw5F6kT3Yy6iy7UOG5ARhv7fdTCjiLSqnoeDfPKrk18wQhGo1pOc6vUuQujMynwhfT%2FXDA7zywP8QdmuC5qLk91mZfZI" set-cookie="ocqqq4bnplq7=cfvomtegi1epbnd2gc23fpt353; path=/; secure; HttpOnly; SameSite=Lax, HASH_ocqqq4bnplq7=9A7C672BAB503995D8AF76B19FEC30B8C7C7A8C8; path=/; secure; HttpOnly; HASH_SameSite=CBB3FF42DB056F81A0AC398AD1889D12B79E4FEC" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRKwCVR4-Qy_yTd7VlbN0QAAACM"
2023:09:26-13:18:49 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3832343360] [client 86.124.125.191:58660] Form validation failed: Received unhardened form data
2023:09:26-13:18:49 robfw1 httpd: id="0299" srcip="86.124.125.191" localip="79.115.175.113" size="253" user="-" host="86.124.125.191" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="32269" url="/index.php/apps/theming/manifest" server="cloud-jder.ddns.net" port="443" query="?v=b6589fc6" referer="-" cookie="nc_sameSiteCookielax=true; ocsdvx0o4czd=q8nm73lat0ts4jmkr5igfe80cs; ocqqq4bnplq7=cfvomtegi1epbnd2gc23fpt353; nc_sameSiteCookiestrict=true; oc_sessionPassphrase=9kc1bRScz7AU3JoAHwfOM5%2B6UD0sIwEN1gOFHw5F6kT3Yy6iy7UOG5ARhv7fdTCjiLSqnoeDfPKrk18wQhGo1pOc6vUuQujMynwhfT%2FXDA7zywP8QdmuC5qLk91mZfZI; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRKwCVR4-Qy_yTd7VlbN0gAAACM"
2023:09:26-13:18:50 robfw1 httpd[4425]: [form_hardening:error] [pid 4425:tid 3823950656] [client 86.124.125.191:58661] Form validation failed: Received unhardened form data
2023:09:26-13:18:50 robfw1 httpd: id="0299" srcip="86.124.125.191" localip="79.115.175.113" size="203" user="-" host="86.124.125.191" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="30843" url="/index.php/apps/unsplash/api/login.css" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookiestrict=true; nc_sameSiteCookielax=true; ocsdvx0o4czd=q8nm73lat0ts4jmkr5igfe80cs; ocqqq4bnplq7=cfvomtegi1epbnd2gc23fpt353; nc_sameSiteCookiestrict=true; oc_sessionPassphrase=9kc1bRScz7AU3JoAHwfOM5%2B6UD0sIwEN1gOFHw5F6kT3Yy6iy7UOG5ARhv7fdTCjiLSqnoeDfPKrk18wQhGo1pOc6vUuQujMynwhfT%2FXDA7zywP8QdmuC5qLk91mZfZI; __Host-nc_sameSiteCookielax=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRKwClR4-Qy_yTd7VlbN0wAAACU"
2023:09:26-13:18:50 robfw1 httpd: id="0299" srcip="86.124.125.191" localip="79.115.175.113" size="1411" user="-" host="86.124.125.191" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="40865" url="/index.php/core/js/oc.js" server="cloud-jder.ddns.net" port="443" query="?v=f196aa56" referer="-" cookie="__Host-nc_sameSiteCookiestrict=true; nc_sameSiteCookielax=true; ocsdvx0o4czd=q8nm73lat0ts4jmkr5igfe80cs; ocqqq4bnplq7=cfvomtegi1epbnd2gc23fpt353; nc_sameSiteCookiestrict=true; oc_sessionPassphrase=9kc1bRScz7AU3JoAHwfOM5%2B6UD0sIwEN1gOFHw5F6kT3Yy6iy7UOG5ARhv7fdTCjiLSqnoeDfPKrk18wQhGo1pOc6vUuQujMynwhfT%2FXDA7zywP8QdmuC5qLk91mZfZI; __Host-nc_sameSiteCookielax=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRKwClR4-Qy_yTd7VlbN1AAAACQ"

I have not done modifications to the Nextcloud, nor to the Sophos, so i really don't understand what is happening. I tried to play with Firewall profiles in the Webserver config (tried basic, advanced, none at all, monitor mode, etc) but still same problem. I also deployed a new , from scratch Nextcloud server, but the issue persists.

I am running version 9.716-2

Any help would be highly appreciated. Thank you.

This thread was automatically locked due to age.

Raphael Alganes · Answer

Hello panicos , 
 Thanks for reaching out to Sophos Community. 
 Could you try to create a new exception for form hardening that applies to the URL identified in the reverseproxy.log. Then enable exception "Never change HTML during URL Hardening or Form Hardening&ldquo; 
 Regards,

panicos · Answer

I managed to find the problem:

I had that one ticked and disabling it restores the functionality. Does this mean the current version changed the functionality somehow of this feature, because i used it ticked before ? 
 Different topic: now that i made it working i tried to apply the form and URL hardening but it is impossible. I made many exceptions based on the logs of the WAF and i can't make it work properly. either there are some icons that don't load, or features or submenu pages entirely. I played with a lot of exceptions, with wildcards, shorter, longer, etc. Only using /* makes it work , but that is basically disabling the hardening at all (or enabling a hardening which does nothing). 
 
 thx