This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - a couple of learning points (learnt the hard way)

Last year, I replaced some clustered Cisco ASA 5510's with some clustered SG310's.

There was a fair amount of work to do as you simply could not export the rules and the terminology was a bit different. Nonetheless, the SG310's went in smoothly and we've been in the adhoc process of adding more and more functionality to users that the UTM's offer.

Part of this is WAF which we are using to retire the last ASA 5510 out as this is solely being used as a clientless SSL vpn (using java)

So I've been coming back to this a bit at a time as we discovered issues that took a little thinking about. The main root of our problems was DNS although you probably wouldn't have thought it was this looking at the errors.

The two big mistakes I made was:

1. Apply request routing for DNS for our external domain. As it was a new concept to us, we applied this from the UTM to all of our internal domain namespaces which was ok at the time for us to do due to the way our DNS was previously setup. We now have it setup so internal clients > internal dns servers > UTM. The UTM is the only device to perform recursive requests to the web.
The big mistake at the time was to apply DNS request routing  to our external domain from the UTM.

Our internal network is like any other eg 6 DNS servers with the internal domain and the external domain as well so that any external clients trying to get to serverA.mydomain.com would be able to use the internal ip address when they were inside the network and use the external public ip address when they were outside the network.

By getting the UTM to request route to the external DNS namespace on our internal DNS servers, the UTM was resolving serverA.mydomain.com to the internal ip address when it should have been resolving it to the external public ip address.

This had a massive detrimental effect on WAF. It was getting confused with the FQDN's. This wasn't noticed until we attempted to implement WAF

So, think very carefully when applying request routing on DNS and never "request route" the external domain name which you want WAF to use.

2. The 2nd issue was again a DNS issue and the mistake here was to add additional external hostnames to a host entry/definition on the UTM. So the UTM would see our internal  web server as an internal private ip but resolve the hostnames of the internal as well as the external hostname. Again, this caused confusion for the poor old WAF which by now, didn't know whether it was coming or going.

Bottom line is when using WAF (or the UTM) is to make sure it doesn't get confused with internal hostnames and external hostnames. So if you have an external FQDN pointing to an internal server, make sure that the UTM can only resolve the external FQDN to the external public ip and the internal server FQDN to the internal private ip. If it can resolve the external to the internal and vice versa, it will get confused and offer up mixed results that sometime work and sometimes don't.

Hopefully this will help somebody in the future and I think the moral of the story is:

The UTM offers a whole host of functionality but please be 100% sure as to what they mean before applying them otherwise you could end up with unpredictable behavior.



This thread was automatically locked due to age.
  • "Would the UTM allow that? ie external access back on itself?"

    See Accessing Internal or DMZ Webserver from Internal Network.

    It's not that the firewall doesn't allow internal users to make a request via a DNAT, it's that the response goes directly back to the requester's local IP and is discarded because it didn't come from the IP to which it sent the request.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • thanks Giovani

    yes my mistake.  I had miss remembered and I actually read the warning about javascript in the Static URL Hardening help section.  I'll retest using Rewrite HTML I think.

    And yes I did think about creating definitions on UTM resolving the websites that I'm reverse proxying to their public IPs but I'll have to check with our AD GP guys to make sure the Proxy Exceptions policy is up to date.  I think we're running out of characters in that policy  :)

    thanks for your help  :)

     

  • OK a bit of progress.

    I spoke to my web devs and enabled Rewrite HTML and also Rewrite cookies and it looks as if this resolved the issue.  Web dev confirmed no IPs in the browser content and I saw the following in the UTM WAF logs (sanitised)

    reverseproxy: [Tue Apr 11 10:09:40.513196 2017] [proxy_http:error] [pid :] ()End of file found: [client 149.###:###:###:46450] AH01102: error reading status line from remote server WEBSITE_IP:443, referer: https://WEBSITE_URL/sites/all/themes/css/h.css?on3ztz

    reverseproxy: srcip="149.###:###:###" localip="UTM_VIRTUAL_SERVER_IP" size="0" user="-" host="149.###:###:###" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="3538" url="/sites/all/themes/images/PoT.gif" server="WEBSITE_URL referer="https://WEBSITE_URL/sites/all/themes/css/h.css?on3ztz" cookie="has_js=1; _ga=############" set-cookie="-"

    Looks as if the webserver IP is sent with the css file URL which fails and then UTM rewrites it with the website domain which works but I admit that's just my uninformed interpretation of the WAF log entries

    Note I didn't create any definitions on UTM resolving the website domain to the public IP.

    thanks for your help Giovani