Hello everyone! Oddball thing here. Just updated to 9.353-4, but unsure if that's the issue. Multiple Apache virtual servers. Multiple subdomains configured in public DNS and on the UTM to funnel traffic to these servers. Everything has worked well. No issues. THEN... I was trying to install an SSL cert created on one of these servers onto the UTM. I've done this before, so no big deal, right?!?! Wrong. Internally on my network, I can browse http(s) to the web server with no issues. I go outside and try to browse either http or https and receive:
Forbidden
You don't have permission to access / on this server.
Now, in the Web Server Protection logs, I see the below (I hid my true domain names).
2016:01:27-11:23:17 firewall reverseproxy: [Wed Jan 27 11:23:17.263710 2016] [url_hardening:error] [pid 14587:tid 3829250928] [client 208.75.144.8:19797] Hostname in HTTP request (myserver.mydomain.com) does not match the server name (someotherserver.mydomain.com)
2016:01:27-11:23:17 firewall reverseproxy: id="0299" srcip="208.x.x.x" localip="173.x.x.x" size="209" user="-" host="208.x.x.x" method="GET" statuscode="403" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="629" url="/" server="someotherserver.mydomain.com" referer="-" cookie="-" set-cookie="dvdhofjizv_cookie=;Max-Age=0;path=/;httponly"
So what you see above is that the server entered into IE/Chrome (myserver.mydomain.com) "does not match the server name" of another server I have in my Web Server Protection list. Now here is the fun part: I can try to browse some other invalid DNS name that points to my Sophos UTM, and the 'someotherserver.mydomain.com' will change to another server host name, unrelated to what is being put into IE/Chrome.
Here's the kicker. I deleted both the Real Webserver and the Virtual Webserver for MYSERVER.MYDOMAIN.COM in Sophos UTM after disabling them, and I can STILL replicate this issue if I try to hit the external interface address of my UTM browsing for that host FQDN.
It's almost as if there is a stuck header or something, and this is killing me. Also, I have completely powered down the internal Apache host for myserver.mydomain.com during all of this testing. I've also removed all certificates for this FQDN... same thing.
Would love to hear thoughts on this!
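The two log lines quoted in the post are the useful evidence here: the [url_hardening:error] line names the Host header the browser sent and the server name of the Virtual Webserver that actually answered, and the id="0299" access record written at the same second shows the 403 and, again, which server= the request was routed to. The following is an added example (not code from the post or from Sophos) that parses both record types from Sophos UTM reverseproxy log text and pairs each hostname-mismatch error with its access record, so you can see at a glance which virtual webserver the UTM matched for a given requested hostname. It assumes the log format shown above; the correlation key is the timestamp plus the server name rather than the client IP, because the srcip in the posted access record is redacted. The sample log is constructed from the two lines in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two reverseproxy lines from the post above,
# with the redacted values kept exactly as posted.
SAMPLE_LOG = """\
2016:01:27-11:23:17 firewall reverseproxy: [Wed Jan 27 11:23:17.263710 2016] [url_hardening:error] [pid 14587:tid 3829250928] [client 208.75.144.8:19797] Hostname in HTTP request (myserver.mydomain.com) does not match the server name (someotherserver.mydomain.com)
2016:01:27-11:23:17 firewall reverseproxy: id="0299" srcip="208.x.x.x" localip="173.x.x.x" size="209" user="-" host="208.x.x.x" method="GET" statuscode="403" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="629" url="/" server="someotherserver.mydomain.com" referer="-" cookie="-" set-cookie="dvdhofjizv_cookie=;Max-Age=0;path=/;httponly"
"""

# Every UTM reverseproxy line starts with "<timestamp> <hostname> reverseproxy: ".
PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<fw>\S+) reverseproxy: (?P<body>.*)$')
# key="value" pairs of the id="0299" access record (keys may contain '-').
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Apache-style url_hardening error emitted by the WAF module.
MISMATCH_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] Hostname in HTTP request '
    r'\((?P<requested>[^)]+)\) does not match the server name '
    r'\((?P<matched>[^)]+)\)'
)


def split_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (timestamp, body) for a reverseproxy line, else None."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("body")


def parse_kv(body: str) -> Dict[str, str]:
    """Parse an id="0299" access record body into a dict."""
    return dict(KV_RE.findall(body))


def parse_mismatch(body: str) -> Optional[Dict[str, str]]:
    """Extract client, requested Host and matched server from a mismatch error."""
    m = MISMATCH_RE.search(body)
    return m.groupdict() if m else None


def find_host_mismatches(log_text: str) -> List[Dict[str, str]]:
    """Pair each hostname-mismatch error with the access record logged at the
    same timestamp for the same server=, and report one finding per pair."""
    pending: List[Tuple[str, Dict[str, str]]] = []   # unmatched errors so far
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = split_line(line)
        if parts is None:
            continue
        ts, body = parts
        err = parse_mismatch(body)
        if err is not None:
            pending.append((ts, err))
            continue
        kv = parse_kv(body)
        if kv.get("id") != "0299":
            continue
        for item in pending:
            ets, e = item
            if ets == ts and e["matched"] == kv.get("server"):
                findings.append({
                    "time": ts,
                    # strip the ephemeral source port from "ip:port"
                    "client": e["client"].rsplit(":", 1)[0],
                    "requested_host": e["requested"],
                    "matched_server": e["matched"],
                    "statuscode": kv.get("statuscode", "-"),
                    "url": kv.get("url", "-"),
                })
                pending.remove(item)
                break
    return findings


if __name__ == "__main__":
    for f in find_host_mismatches(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} asked for {f['requested_host']} "
              f"but the UTM served {f['matched_server']} -> {f['statuscode']} {f['url']}")
```

Run against the real Web Server Protection log export instead of the embedded sample, and the matched_server column tells you which Virtual Webserver the UTM is still selecting for the deleted FQDN; if that column keeps changing for the same requested host, as the post describes, the selection is not coming from the deleted virtual webserver definition.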