UTM 9.355-1 - WAF Access Control in Site Path Routing doesn't honor DNS host objects

The option to create a DNS host object in the Access Control portion of Site Path Routing for a Virtual server doesn't appear to work anymore.

When troubleshooting this issue, if I create a static Host object and add it to the Allowed access control field within the site path routing, it works as expected. However, if I have a Dynamic DNS based DNS host object that UTM has successfully and accurately resolved to that same static address, I am greeted with a 403 forbidden message after removing the static host object from the list.

This used to work in previous versions.



This thread was automatically locked due to age.
  • Any updates in here??? I also need "Access Control" -> "Allow" DynDNS Clients :-( ....

    Is there a workaround (modifying config or so??)

     

    regards

  • My guess is that your issue might be different.  What happens when you try this?  Show us a picture of the Edit of the Network object with 'Advanced' open for the Client.  Also, the related line from the WAF log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Good Morning BAlfson,

    Here is the network object (DNS Host):

    And this is what happens:

    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01753: access check of 'ipad.dyndns.mydomain.net' to /myfolder failed, reason: unable to get the remote host name


    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01753: access check of 'iphone.dyndns.mydomain.net' to /myfolder failed, reason: unable to get the remote host name


    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_host:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01753: access check of 'notebook.dyndns.mydomain.net' to /myfolder failed, reason: unable to get the remote host name


    2019:02:14-07:36:56 sophos-utm httpd[25303]: [authz_core:error] [pid 25303:tid 4085123952] [client 88.79.XXX.XX:47070] AH01630: client denied by server configuration: proxy:balancer://926b35600727712b48edd1a60e22cd78/myfolder


    2019:02:14-07:36:56 sophos-utm httpd: id="0299" srcip="88.79.XXX.XX" localip="134.101.XXX.XX" size="215" user="-" host="88.79.XXX.XX" method="PROPFIND" statuscode="403" reason="auth" extra="access denied" exceptions="SkipURLHardening" time="887566" url="/myfolder" server="webdav.mydomain.net" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XGUMh8CoFAEAAGLXyAkAAAA3"

     

    But at this moment my DNS Host Object (iphone.dyndns.mydomain.net) has the correct IP (88.79.XXX.XX)

     

    It's frustrating... ^^
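
For anyone triaging the same symptom, here is a small log-correlation script, added as an example and not part of the original thread or any Sophos tooling. It ties each 403 access line to the AH01753 hostname checks logged for the same client, so a hostname-ACL denial can be told apart from other 403s; the sample lines are constructed from the format posted above, and matching on identical timestamp and client address is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format posted above (documentation-range addresses).
SAMPLE = """\
2019:02:14-07:36:56 utm httpd[25303]: [authz_host:error] [pid 25303:tid 1] [client 203.0.113.7:47070] AH01753: access check of 'ipad.dyndns.example.net' to /myfolder failed, reason: unable to get the remote host name
2019:02:14-07:36:56 utm httpd[25303]: [authz_host:error] [pid 25303:tid 1] [client 203.0.113.7:47070] AH01753: access check of 'iphone.dyndns.example.net' to /myfolder failed, reason: unable to get the remote host name
2019:02:14-07:36:56 utm httpd[25303]: [authz_core:error] [pid 25303:tid 1] [client 203.0.113.7:47070] AH01630: client denied by server configuration: proxy:balancer://0000/myfolder
2019:02:14-07:36:56 utm httpd: id="0299" srcip="203.0.113.7" localip="198.51.100.1" user="-" method="PROPFIND" statuscode="403" reason="auth" extra="access denied" url="/myfolder" server="webdav.example.net"
2019:02:14-07:37:10 utm httpd: id="0299" srcip="203.0.113.9" localip="198.51.100.1" user="-" method="GET" statuscode="403" reason="auth" extra="access denied" url="/other" server="webdav.example.net"
"""

HOST_CHECK = re.compile(
    r"^(\S+) \S+ httpd\[\d+\]: \[authz_host:error\].*?\[client ([^\]]+):\d+\] "
    r"AH01753: access check of '([^']+)' to (\S+) failed, reason: (.+)$")
ACCESS = re.compile(r'^(\S+) \S+ httpd: (id=".*)$')
KV = re.compile(r'(\w[\w-]*)="([^"]*)"')

def triage(log_text):
    """Return one dict per 403 access line, listing the hostname checks that
    failed for the same timestamp and client address (assumed correlation key)."""
    failed = defaultdict(list)  # (timestamp, client ip) -> [hostname, ...]
    denied = []                 # (timestamp, parsed key="value" fields)
    for line in log_text.splitlines():
        m = HOST_CHECK.match(line)
        if m:
            ts, ip, host, _path, _reason = m.groups()
            failed[(ts, ip)].append(host)
            continue
        m = ACCESS.match(line)
        if m:
            fields = dict(KV.findall(m.group(2)))
            if fields.get("statuscode") == "403":
                denied.append((m.group(1), fields))
    report = []
    for ts, f in denied:
        hosts = failed.get((ts, f.get("srcip")), [])
        report.append({"time": ts, "srcip": f.get("srcip"), "url": f.get("url"),
                       "reason": f.get("reason"), "failed_host_checks": hosts,
                       "hostname_acl_failure": bool(hosts)})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A row with `hostname_acl_failure` set to true lists the DNS host names whose check failed, which is the detail worth attaching to a support case.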

  • I saw this issue in another thread yesterday after my post above.  My response in the later post was that it's a bug because the documentation says that it should work.  Hopefully, the Sophos guy I PMd about this will have gotten a bug ID started.  Anyone with paid support that's seeing this should open a case with Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA