This discussion has been locked.

URL Hardening Questions

I have set up WAF in the following way:

1. virtual webserver:

Domains: domain.com
Real Web Servers: Lotus Domino Server
Firewall Profile: Advanced Protection (with URL hardening)

2. real webserver:

name: Lotus Domino Server
host: an internal host (external access via DNAT)

3. firewall profiles:

Advanced with URL hardening.


For testing purposes I have entered only "www.domain.com" in URL hardening.

I tried to open "domain.com/otherthings" directly and this still works. I thought URL hardening would disable the direct access to URLs not entered in the "Entry URL"-list.

Do I misunderstand URL hardening or is it the DNAT which does not work with WAF?


  • Brian, please email Sophos Support to look at this thread.  Either the support engineer didn't understand the question or needs to see this and learn a new trick. ;)

    Scott, the same traffic selectors should make the Firewall rules apply to the INPUT chain also.  I assume that the reason the Firewall rules appeared to be non-functional was because the "invisible" rules for proxies and VPNs are processed before the manual rules are.  After having recited the basic rule over 1,000 times here, you'd think I'd remember it myself! ;)

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Scott, the same traffic selectors should make the Firewall rules apply to the INPUT chain also. I assume that the reason the Firewall rules appeared to be non-functional was because the "invisible" rules for proxies and VPNs are processed before the manual rules are.
    Correct, the rules created by WAF are processed before the manual rules would be and DNAT rules take precedence over the WAF rules.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1