
UTM 9.355-1 - WAF Access Control in Site Path Routing doesn't honor DNS host objects

The option to create a DNS host object in the Access Control portion of Site Path Routing for a Virtual server doesn't appear to work anymore.

When troubleshooting this issue, if I create a static Host object and add it to the Allowed access control field within the site path routing, it works as expected.  However, if I have a Dynamic DNS based DNS host object that UTM has successfully and accurately resolved to that same static address, I am greeted with a 403 forbidden message after removing the static host object from the list.

This used to work in previous versions.



  • Hi,

    I checked and it works fine for me.

    Are you sure that the DNS host object is correctly resolved? You need to have reverse DNS resolution, which means being able to map the IP address to the host name.

    Sabine

  • You're right, that does sound like a new anomaly.  If you have paid support, please submit a bug report.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Howdy, did you ever get this resolved?  We are running into this.  Currently running 9.355-1

  • Any updates in here??? I also need "Access Control" -> "Allow" DynDNS Clients :-( ....

    Is there a workaround (modifying config or so??)

     

    regards

  • My guess is that your issue might be different.  What happens when you try this?  Show us a picture of the Edit of the Network object with 'Advanced' open for the Client.  Also, the related line from the WAF log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Good Morning BAlfson,

    Here is the network object (DNS Host):

    And this is what happens:

    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01753: access check of 'ipad.dyndns.mydomain.net' to /myfolder failed, reason: unable to get the remote host name


    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01753: access check of 'iphone.dyndns.mydomain.net' to /myfolder failed, reason: unable to get the remote host name


    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01753: access check of 'notebook.dyndns.mydomain.net' to /myfolder failed, reason: unable to get the remote host name


    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_core:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01630: client denied by server configuration: proxy:balancer://926b35600727712b48edd1a60e22cd78/myfolder


    2019:02:14-07:36:56 sophos-utm httpd: id="0299" srcip="88.79.XXX.XX" localip="134.101.XXX.XX" size="215" user="-" host="88.79.XXX.XX" method="PROPFIND" statuscode="403" reason="auth" extra="access denied" exceptions="SkipURLHardening" time="887566" url="/myfolder" server="webdav.mydomain.net" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XGUMh8CoFAEAAGLXyAkAAAA3"

     

    But at this moment my DNS Host Object (iphone.dyndns.mydomain.net) has the correct IP (88.79.XXX.XX)

     

    It's frustrating... ^^

  • I saw this issue in another thread yesterday after my post above.  My response in the later post was that it's a bug because the documentation says that it should work.  Hopefully, the Sophos guy I PMd about this will have gotten a bug ID started.  Anyone with paid support that's seeing this should open a case with Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
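The AH01753 lines quoted above come from Apache's authz_host module, and Sabine's point about reverse DNS is the key to them: a host-name based allow rule is only satisfied when the client IP has a PTR record whose name matches the allowed host and resolves forward back to the same IP (a double-reverse check), so a dynamic-DNS name that only has an A record can never match. The following is an added example, not code from the thread or from Sophos: it parses an AH01753 line and re-evaluates the failure against constructed DNS data (the IP addresses, PTR names and lookup tables are all made up, with the masked 88.79.XXX.XX replaced by a documentation address).

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches the Apache authz_host AH01753 error lines quoted in the thread.
AH01753_RE = re.compile(
    r"\[client (?P<ip>[\d.]+):\d+\] AH01753: access check of "
    r"'(?P<host>[^']+)' to (?P<path>\S+) failed, reason: (?P<reason>.+)$"
)

# Constructed sample line (documentation IP instead of the thread's masked one).
SAMPLE_LINE = (
    "2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] "
    "[pid 25303:tid 4085123952] [client 198.51.100.10:47070] AH01753: "
    "access check of 'iphone.dyndns.mydomain.net' to /myfolder failed, "
    "reason: unable to get the remote host name"
)

# Constructed DNS data: the dyndns A record is correct, but the client IP
# either has no PTR record at all or a PTR pointing at an ISP-assigned name.
PTR = {"198.51.100.10": [], "198.51.100.11": ["dsl-11.isp.example."]}
A = {"iphone.dyndns.mydomain.net": ["198.51.100.10"],
     "dsl-11.isp.example": ["198.51.100.11"]}

def parse_ah01753(line: str) -> Optional[Dict[str, str]]:
    """Pull client IP, host object name, path and failure reason from an AH01753 line."""
    m = AH01753_RE.search(line)
    return m.groupdict() if m else None

def double_reverse_ok(ip: str, allowed_host: str,
                      ptr_lookup: Callable[[str], List[str]],
                      a_lookup: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Emulate Apache 'Require host': the client IP needs a PTR record whose name
    equals (or ends in) allowed_host AND resolves forward to the same IP."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return False, "unable to get the remote host name"   # no PTR record
    want = allowed_host.rstrip(".").lower()
    for name in names:
        if name != want and not name.endswith("." + want):
            continue
        if ip in a_lookup(name):
            return True, "ok"
        return False, "forward lookup of PTR name does not return the client IP"
    return False, f"PTR name(s) {names} do not match {want}"

def check_line(line: str) -> Tuple[bool, str]:
    """Re-evaluate a logged AH01753 failure against the constructed DNS tables."""
    f = parse_ah01753(line)
    if f is None:
        return False, "not an AH01753 line"
    return double_reverse_ok(f["ip"], f["host"],
                             lambda ip: PTR.get(ip, []), lambda n: A.get(n, []))
```

Against real infrastructure the two lambdas would be replaced by PTR and A lookups; for a typical consumer client the PTR, if one exists, names the ISP, which is why a static address object works while the DNS host object does not.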