IP Camera not working in WAF

Hi folks,

I got a little problem and I hope you can possibly help me.
I have a Wansview NCM630-W camera in my network and I am having trouble getting it working with Webserver Protection.

If I access it via NAT everything is working fine. But when I try to access it via WAF it won't "login".

The camera itself is secured via Basic Auth.

So I created a virtual server https://domainname:8443 which points to the real server ip:80 of the camera.
There is a reverse authentication with "form" and backend mode "none".
So I am asked for the camera's credentials after authenticating with the reverse proxy.

I wiresharked and dumped the whole communication and saw differences between NAT and WAF. I will paste it so you can see the difference, and hopefully someone knows how to resolve the problem:

First GET Package in Wireshark of NAT
GET /cgi-bin/hi3510/param.cgi?cmd=getuserinfo HTTP/1.1\r\n


Full request URI: domainname.de:2103/.../param.cgi


Wireshark same GET of WAF
GET / HTTP/1.1\r\n

Full request URI: http://domainname.de:80/

and 

GET /cgi-bin/hi3510/getidentify.cgi HTTP/1.1\r\n
Full request URI: domainname.de/.../getidentify.cgi


ReverseProxy.log
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="225" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="45703" url="/web/admin.html" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"

2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5498" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="43828" url="/web/mainpage.html" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="213" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="40294" url="/web/blank.html" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="204" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="46931" url="/web/cgi-bin/hi3510/param.cgi" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1189" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="42037" url="/web/js/public.js" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="249" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="36212" url="/web/js/language.js" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="8849" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="42801" url="/web/language/deutsch.js" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="224" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="57278" url="/web/images/v_lt.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="65" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="73130" url="/web/images/h_bg.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="3348" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="75551" url="/web/images/logo1.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="222" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="84148" url="/web/images/v_rt.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="82" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="93505" url="/web/images/v_bgt.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:51 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5105" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="36356" url="/web/images/112.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5159" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="47694" url="/web/images/113.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5025" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="54416" url="/web/images/111.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="947" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="45744" url="/web/images/x1.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1323" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="57837" url="/web/images/x4.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1147" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="42314" url="/web/images/x9.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1009" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="34941" url="/web/images/topl.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="2517" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="35188" url="/web/images/up.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="995" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="35364" url="/web/images/topr.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="3178" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="43944" url="/web/images/left.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1083" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="46856" url="/web/images/center.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1047" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="40883" url="/web/images/stop.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="2881" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="54704" url="/web/images/right.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1589" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="36333" url="/web/images/downl.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="3044" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="37443" url="/web/images/down.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="1307" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="37733" url="/web/images/downr.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5814" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="46021" url="/web/images/set.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5885" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="40356" url="/web/images/call.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5367" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="37135" url="/web/images/hpatrol_up.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5414" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="45307" url="/web/images/vpatrol_up.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5569" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="62998" url="/web/images/snap.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5732" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="51910" url="/web/images/rec.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="5287" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="38448" url="/web/images/sd.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="6119" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="34760" url="/web/images/play.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="83" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="59570" url="/web/images/h_bgr.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="224" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="36172" url="/web/images/v_ld.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:52 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="82" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="38435" url="/web/images/v_bg.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:53 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="225" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="41522" url="/web/images/v_rd.gif" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:53 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="4505" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="45397" url="/web/images/syset.png" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:54 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="32233" user="admin" host="195.243.110.2" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="829499" url="/web/images/cbg.jpg" server="domainname.de" referer="domainname.de:8443/.../;httponly;secure"
2015:06:18-12:39:55 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="472" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:39:56 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="455" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:39:57 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="422" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:39:58 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="576" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:40:00 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="537" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:40:01 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="3965" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:40:02 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="543" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:40:03 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="476" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:40:05 domainname reverseproxy: id="0299" srcip="195.243.110.2" localip="78.43.192.183" size="362" user="-" host="195.243.110.2" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="377" url="/" server="domainname.de" referer="-" cookie="-" set-cookie="-"


It seems like the WAF is rewriting the source to domainname:80 which might be incorrect whereas the NAT is not rewriting at all. So if the request still goes to 2103 there will be an answer of the IP CAM. If it is going to domainname:80 it will be directed to my other webserver in my network and there will be no answer.

Does anybody have an idea how I may resolve that problem? If you need further information I will provide it.

Thanks in advance,
Patrick
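
Added example, not part of the original post: a small Python parser for the key="value" reverseproxy lines quoted above. It separates requests that carry a WAF session (user="admin") from requests arriving with no user and no cookie, and counts the repeated failures per source and URL. The sample lines are constructed in the same layout with documentation addresses and a placeholder hostname; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the reverseproxy key="value" layout quoted in the post
# (documentation addresses and a placeholder hostname, not the poster's values).
SAMPLE_LOG = """\
2015:06:18-12:39:51 gw reverseproxy: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="5498" user="admin" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="43828" url="/web/mainpage.html" server="cam.example" referer="-"
2015:06:18-12:39:51 gw reverseproxy: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="204" user="admin" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="46931" url="/web/cgi-bin/hi3510/param.cgi" server="cam.example" referer="-"
2015:06:18-12:39:52 gw reverseproxy: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="1189" user="admin" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="42037" url="/web/js/public.js" server="cam.example" referer="-"
2015:06:18-12:39:54 gw httpd: unrelated line that the parser must skip
2015:06:18-12:39:55 gw reverseproxy: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="362" user="-" host="198.51.100.7" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening" time="472" url="/" server="cam.example" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:39:56 gw reverseproxy: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="362" user="-" host="198.51.100.7" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening" time="455" url="/" server="cam.example" referer="-" cookie="-" set-cookie="-"
2015:06:18-12:39:57 gw reverseproxy: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="362" user="-" host="198.51.100.7" method="GET" statuscode="400" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening" time="422" url="/" server="cam.example" referer="-" cookie="-" set-cookie="-"
"""

PREFIX = re.compile(r'^(\S+) (\S+) reverseproxy: (.*)$')
PAIR = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Return the fields of one reverseproxy line as a dict, or None for other lines."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = dict(PAIR.findall(m.group(3)))
    rec["ts"] = m.group(1)
    return rec


def summarize(text):
    """Count requests per (user, status) and group sessionless failures by source and URL."""
    by_user_status = Counter()
    sessionless = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        code = rec.get("statuscode", "")
        status = int(code) if code.isdigit() else 0
        user = rec.get("user", "-")
        by_user_status[(user, status)] += 1
        # No authenticated user and no cookie: the request carried no WAF session.
        if user == "-" and rec.get("cookie", "-") == "-" and status >= 400:
            sessionless[(rec.get("srcip"), rec.get("url"), status)].append(rec["ts"])
    failures = [
        {"srcip": s, "url": u, "status": st, "count": len(ts), "first": ts[0], "last": ts[-1]}
        for (s, u, st), ts in sessionless.items()
    ]
    return by_user_status, failures


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_LOG)
    for (user, status), n in sorted(counts.items()):
        print(f"user={user!r} status={status} requests={n}")
    for f in failures:
        print("sessionless failures:", f)
```
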


  • Can you give the camera an FQDN that's different from the web server?  I guess that when the UTM sees a port 80 request for the same FQDN, that is sent to the webserver.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That is in fact a pretty good idea, despite the fact that my domain doesn't have subdomains per contract. So there is no chance to do that.
  • A little update. I think we are getting close. I upgraded my domain contract, so I now have the subdomain webcam.domainname.de. I then configured a new virtual webserver listening on webcam.domainname.de and sending the requests directly to the Wansview cam.

    Now I see the following packages, but login still fails:

    Package 1:
    GET / HTTP/1.1\r\n
    
    Full request URI: webcam.domainname.de:80/


    Package 2:
    HTTP/1.1 301 Moved Permanently\r\n

    301 Moved Permanently
    Moved Permanently
    The document has moved here.

    Package 3:
    GET /cgi-bin/hi3510/getidentify.cgi HTTP/1.1
    
    Full request URI: webcam.domainname.de/.../getidentify.cgi


    Package 4:
    HTTP/1.1 301 Moved Permanently\r\n

    301 Moved Permanently
    Moved Permanently
    The document has moved here.

    And then it repeats.

    Browsing to "webcam.domainname.de:443/.../getidentify.cgi" results in what I would expect:
    var productid="C5F0S7Z0N1P0L0V0"; var vendorid="smarteye";

    That's what the NAT method would reply.
    So why doesn't that work with the WAF feature? It doesn't make any sense.

    So if anybody knows something just shoot.

    Thanks in advance,
    Patrick
  • Another update: Using HTTPS & Redirect as the virtual server method results in 403 Forbidden again, because at http://webcam.domainname.de there is nothing hosted right now.

    So how the hell should I manage to get that working?

    Thanks in advance,
    Patrick