This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

400 Bad Request

For some reason it just started to happen randomly that any web application that sits behind our UTM and Web Application Firewall, we get random 400 Bad Requests. We have updated Apache on all the web front ends and still we are plagued with 400 bad requests. We have even gone as far as turning off the Firewall profiles that were enabled on the web application and still we keep getting random 400 bad requests. Any help with this issue would be great.

This thread was automatically locked due to age.

0 Hallowach2 over 10 years ago

Can you please post some loglines showing the issue und tell us the utm version.

Regards
Manfred
0 zacheryt757 over 10 years ago

UTM Version - 9.209-8

We have removed the correct URL and IP address for security purposes.

Below is a normal good request and the 400 bad request

2015:01:16-10:29:31 fw reverseproxy: id="0299" srcip="x.x.x.x" localip="10.0.0.5" size="189" user="-" host="x.x.x.x" method="GET" statuscode="400" reason="-" extra="-" exceptions="-" time="2018" url="/store/products/8" server="example.com" referer="example.com/store" cookie="ROUTEID.cd107d9706d71153bafd4ab15f1c6b5d=.node1; ROUTEID.0e9f56dedc1c6a43ee0c263a6d1b336b=.node1; __utmt=1; __utma=34134816.405407737.1421095328.1421249128.1421421486.5; __utmb=34134816.4.10.1421421486; __utmc=34134816; __utmz=34134816.1421095328.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SSESS5fd53685b51367d93056df1c68d826fe=bPQZBTWQ3a-_5RA0p9pPscZvZArwiAJXOi0_1xCfVNE; has_js=1" set-cookie="-"

2015:01:16-10:33:20 fw reverseproxy: id="0299" srcip="x.x.x.x" localip="10.0.0.5" size="10846" user="-" host="x.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1586200" url="/store/products/8" server="example.com" referer="-" cookie="ROUTEID.cd107d9706d71153bafd4ab15f1c6b5d=.node1; ROUTEID.0e9f56dedc1c6a43ee0c263a6d1b336b=.node1; __utmt=1; __utma=34134816.405407737.1421095328.1421249128.1421421486.5; __utmb=34134816.4.10.1421421486; __utmc=34134816; __utmz=34134816.1421095328.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SSESS5fd53685b51367d93056df1c68d826fe=bPQZBTWQ3a-_5RA0p9pPscZvZArwiAJXOi0_1xCfVNE; has_js=1" set-cookie="-"
0 BAlfson over 10 years ago

Those are lines from the reverseproxy log. Please show the corresponding lines from the Web Filtering log.

Cheers - Bob

Sorry for any short responses. Posted from my iPhone.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
0 Scott_Klassen over 10 years ago

@Bob: I get the feeling that the requests are coming from internal clients, then he's having the request loop-back through WAF to his internal server. If this is the case, is the server at least on a different interface (DMZ)?

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down
0 zacheryt757 over 10 years ago

Those are the log lines from the Web Application Firewall logs. Also the requests are coming from external clients. I have removed the IP address from the srcip, but can tell you that all the requests are coming from external clients into the Web Application Firewall and being directed to internal web servers. Any help on this would be greatly appreciated.

Zack
Cancel
Vote Up 0 Vote Down
0 Michael Dunn over 10 years ago

Hi Zachery,

This forum is for the http proxy for internal clients going out.

Your issue is for external clients coming in using WAF.
The forum you want can be found here:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/57
Cancel
Vote Up 0 Vote Down
0 Scott_Klassen over 10 years ago

Moved to proper forum

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down
0 BAlfson over 10 years ago

Zack, a belated welcome to the User BB!

In the 'Advanced' section of the 'Virtual Server', have you selected 'Rewrite HTML' and/or 'Pass Host Header'?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA