This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF and GeoIP

Hello all,

I set up a web server (IIS 7.5) in a separate DMZ and added Piwik (version 1.10.1) with GeoIP to our home page.

If DNATed/routed into the DMZ I get real client IP addresses for GeoIP in Piwik, but if I use WAF instead I only get the IP address of the UTM in the DMZ as the IP address of the client requesting the web page(s).

This is the WAF config...
one virtual server : Plain (HTTP), port 80, pass host header, non-standard firewall profile [see below]
one real server : Plain (HTTP), port 80
firewall profile : mode=reject, SQL injection filter, XSS filter, use both AV engines for up- and download, block clients with bad reputation
no exceptions
standard site path routing to "/"

In both configurations the web page shows up without any problems, but using WAF I only get hits from the UTMs DMZ IP address even though the WAF log displays all relevant IP addresses correctly. UTM 220 is running 9.004-34 in HA cluster mode.

Any idea how to pass on the correct client IP address to the web server or how to implement GeoIP behind WAF?

Thank you so much for you help in advance!

This thread was automatically locked due to age.

0 BrucekConvergent over 11 years ago

No idea, but it's one of the things that I've asked for (you can probably find a feature request for this at feature.astaro.com) ... as it makes the anti-hammer features of many web platforms useless (banning a brute force authentication attack from an attacker IP, if using WAF, effectively kills all access to the site as the IP banned = the ip all traffic appears to come from). I think it's in the works (or at least I hope it is).

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi, see
https://community.sophos.com/products/unified-threat-management/astaroorg/f/57/t/50029

Maybe IIS has a function or addon to use this header as well.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Bembel over 11 years ago in reply to BarryG

Thanks guys, while browsing the Astaro feature requests I found the answer myself - one of the Apache users wrote a comment on using a different flag that WAF is already providing to the web server and searching the Piwik FAQ instantly brings up the solution:

http://piwik.org/faq/how-to-install/#faq_98

In my case (IIS, simple http) just add

proxy_client_headers[] = HTTP_X_FORWARDED_FOR

to Piwik's config/config.ini.php

Thank you so much for your quick answers!

Cheers,

Bembel
Cancel
Vote Up 0 Vote Down

Cancel