
One of our websites simply will not function behind the UTM's web application firewall.

Hi Everyone,

I need some pointers on how to troubleshoot this issue. I have successfully moved all of my agency's websites behind our UTM's WAF except one. I have created a custom firewall profile for the site where I have disabled everything and it is still not functioning properly. With that said, when using the UTM's standard firewall in combination with NAT the website works without any issues.

The problems I am having:

1) There is no issue navigating to the site. However, once there it takes in excess of 2 minutes to load a page.

2) When attempting to log into the website it constantly says wrong password. However, if I move it back to the standard UTM firewall there are no issues with logging in.

WAF Logs:

2016:03:21-11:11:16 utm reverseproxy: id="0299" srcip="172.56.42.139" localip="216.254.58.220" size="244" user="-" host="172.56.42.139" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="674800" url="/chasers" server="REF_RevFroTestweb" referer="https://test-web.desc.org/" cookie="DESC_SESSION_Chasers=13cmkckb6415dea5l71pisnbb5" set-cookie="-"
2016:03:21-11:11:21 utm reverseproxy: id="0299" srcip="172.56.42.139" localip="216.254.58.220" size="1552" user="-" host="172.56.42.139" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5381107" url="/chasers/" server="REF_RevFroTestweb" referer="https://test-web.desc.org/" cookie="DESC_SESSION_Chasers=13cmkckb6415dea5l71pisnbb5" set-cookie="-"


  • statuscode="301" - Why is your web server saying that the URI has been permanently moved?

    statuscode="200" [...] time="5381107" - A successful access, but very slow.  Is this web server hosting any other sites?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
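Bob's reading of the two log lines (a 301 on `/chasers`, then a very slow 200 on `/chasers/`) can be repeated mechanically over a whole reverseproxy log. The following is an added example, not part of the original thread; it assumes the `time` field is in microseconds and uses a hypothetical 2-second threshold for "slow".

```python
import re

# The two reverseproxy lines posted in the thread.
LOG = '''2016:03:21-11:11:16 utm reverseproxy: id="0299" srcip="172.56.42.139" localip="216.254.58.220" size="244" user="-" host="172.56.42.139" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="674800" url="/chasers" server="REF_RevFroTestweb" referer="https://test-web.desc.org/" cookie="DESC_SESSION_Chasers=13cmkckb6415dea5l71pisnbb5" set-cookie="-"
2016:03:21-11:11:21 utm reverseproxy: id="0299" srcip="172.56.42.139" localip="216.254.58.220" size="1552" user="-" host="172.56.42.139" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5381107" url="/chasers/" server="REF_RevFroTestweb" referer="https://test-web.desc.org/" cookie="DESC_SESSION_Chasers=13cmkckb6415dea5l71pisnbb5" set-cookie="-"'''

# key="value" pairs; keys may contain a hyphen (set-cookie).
PAIR = re.compile(r'(\w[\w-]*)="([^"]*)"')
SLOW_SECONDS = 2.0  # hypothetical threshold, tune for the site


def parse_line(line):
    """Return the key="value" fields of one line plus its leading timestamp."""
    fields = dict(PAIR.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def triage(lines, slow_seconds=SLOW_SECONDS):
    """Summarise each reverseproxy request and flag redirects, errors, slow responses."""
    findings = []
    for line in lines:
        if "reverseproxy:" not in line:
            continue  # ignore other daemons sharing the log
        f = parse_line(line)
        status = int(f.get("statuscode", "0"))
        seconds = int(f.get("time", "0")) / 1_000_000  # assumption: microseconds
        notes = []
        if 300 <= status < 400:
            notes.append("redirect")
        elif status >= 400:
            notes.append("error")
        if seconds > slow_seconds:
            notes.append("slow")
        findings.append({"timestamp": f["timestamp"], "url": f.get("url", ""),
                         "status": status, "seconds": seconds,
                         "server": f.get("server", ""), "notes": notes})
    return findings


if __name__ == "__main__":
    for row in triage(LOG.splitlines()):
        print(f'{row["timestamp"]} {row["status"]} {row["seconds"]:.2f}s '
              f'{row["url"]} -> {row["server"]} {",".join(row["notes"]) or "ok"}')
```
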
  • Hi Bob,

    I'm going to try my hardest to answer your questions and provide a little more context. The site itself is a clone of a production website. I started out trying to put the production website behind the WAF, but it quickly became apparent it was not working. The cloned site is identical to our production website except with a different domain name and IP address. My plan is once I find a fix for the cloned site to port the fix to the production website. The website running on the server is the only website on the server. It connects back to a database in our internal network used for authentication and other website related queries. We currently have 4 websites, including the cloned site, using a wildcard SSL cert (not sure if that info helps). The only websites that do not work are the clone and its production equivalent.

    When both the production website and cloned website are configured using NAT to map its external IP to its internal IP in conjunction with the UTM's regular firewall for protection we have no issues. It seems something specific to the WAF.

    Thanks!

    Scott

  • Scott, are you saying that the attempt with the production site was on a web server where it was the unique site?  Do you know why the test site responds that that URI has moved permanently?

    Cheers - Bob

     
  • I am saying that yes.  :) There are no other websites on that server. I am not sure what you mean by the second question, sorry. :(

    The production website is a virtual machine living on a hypervisor. I made a one-to-one copy of the production website by cloning it in VMware. At that point both websites were identical. I then changed the cloned VM's external IP address to one of the unused IPs my agency owns. I then assigned a unique DNS name to that IP address with our global DNS provider. I then set the cloned website up the identical way our production website was configured in our UTM. I worked with our database engineer to make sure that the cloned website functioned the way it was supposed to with our backend database.

    At this point I have a copy of our production website that is functionally only different in IP and global DNS name. It behaves the same exact way behind the WAF as our production website and functions without any issues when using NAT to navigate through the UTM while using the standard firewall.
