Sophos XG 18 WAF Setup - Wiki/FAQ useless

Good evening,

I come from the SG group and wanted to convert to XG. Currently I am doing all this as a home project.
Apparently not all features of the SG have been migrated to XG or have been converted to XG in a very complicated way.

WAF was one of them. I can't find an option for this in the firewall and the pages of the Sophos Wiki and FAQ show completely different ways, which have apparently already disappeared.

https://support.sophos.com/support/s/article/KB-000036712?language=en_US ???


I have a lot of external domains that are running on the WAN port.
I used to control which server and which port delivers the page via WAF.

> subdomain1.domain.tld (of course 443 with automatic redirection of 80)
> Internal web server 10.10.10.10 Port 12345

Or also several domains to a Linux web server, which then receives the requested domain and delivers the appropriate page.

Let's Encrypt seems to have disappeared by the way.

Are there up-to-date documents available?

Greetings, Patrick

  • The WAF is broken, the performance is crap; as far as I can tell they haven't touched the code since release, more or less like the VPN, which runs an obsolete version of OpenVPN.

  • Hi Patrick,

    Please be aware that I am not a Sophos employee, but I can help you out a bit with my knowledge as an ex Sophos partner.

    Compared to the XG, the SG is actually still a bit ahead in the area of WAF, although the XG has meanwhile shown off various other features, which we should not worry about here. The WAF of the XG has been rebuilt a bit, but it can't really be compared to the SG anymore.

    > Let's Encrypt seems to have disappeared by the way.

    To take the most important thing first: there has been no official update on Let's Encrypt support for years, and no partner or customer understands why. It's sad that a feature which is so important to so many customers has slipped back in the development pipeline. Probably because several other features still need to be improved and Let's Encrypt is a completely new feature that needs to be developed for XG. No idea. I refer to this: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/13368852-let-s-encrypt-integration

    About the WAF in general, I can provide you with these resources:

    In general you start by adding your web servers at Protect > Web Servers. There you can specify the port the internal web server is listening to.

    Then you continue by setting up a firewall rule for the WAF. Just click on "Add firewall rule" to create a new one. In the screenshot below you can see that I created one WAF rule for each subdomain or publicly available resource.

    In the rule itself you can set stuff like:

    • Listening port
    • All domains the XG should listen to and then forward requests to the specified web servers
    • Protected servers (the web servers you've set up in the first step)
    • Protection rules to harden web servers through Sophos XG

    If you're also interested in load balancing you can enable it by setting up a DNAT rule in the NAT rules section for the corresponding web server.

    Let me know if you have further questions about WAF on Sophos XG. Please also consider contacting your Sophos partner if you have specific questions about the WAF and the migration to Sophos XG. Especially if you have to protect many web servers, a professional discussion and an analysis of your requirements is essential.

    Have a nice weekend!

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link
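The steps above describe a reverse-proxy routing table: public hostnames answered on a listening port, each mapped to one or more internal web servers, with plain :80 requests redirected to 443 as in the original question. The following is an added example, not code from the thread or from Sophos, that models that routing in Python so the behaviour can be reasoned about: exact and wildcard hostname matching, Host-header normalisation, the 80-to-443 redirect, round-robin over several backends, and a reject (not a default backend) for any name or port no rule covers. All hostnames, addresses and the `WafRouter` class are constructed for the example; only `subdomain1.domain.tld` and `10.10.10.10:12345` come from the thread.

```python
"""Added example: a minimal model of WAF virtual-host routing (not Sophos code)."""
import re
from dataclasses import dataclass
from itertools import cycle
from typing import Optional

# Lower-case DNS hostname: labels of letters/digits/hyphen, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


@dataclass(frozen=True)
class WebServer:
    """A backend as entered under Protect > Web Servers (constructed values)."""
    name: str
    host: str
    port: int


@dataclass
class WafRule:
    """One WAF firewall rule: public port, the hostnames it answers for, backends."""
    listen_port: int
    domains: list[str]          # exact names or "*.example" wildcards
    servers: list[WebServer]
    redirect_http: bool = True  # plain :80 requests are bounced to https://


@dataclass(frozen=True)
class Decision:
    action: str                 # "forward", "redirect" or "reject"
    target: Optional[str] = None
    reason: Optional[str] = None


class WafRouter:
    """Hypothetical router; the round-robin is this example's own, not Sophos' scheduler."""

    def __init__(self, rules: list[WafRule]):
        self.rules = rules
        self._rr = {id(rule): cycle(rule.servers) for rule in rules}

    @staticmethod
    def normalise_host(host_header: str) -> Optional[str]:
        """Lower-case, strip a ':port' suffix and trailing dot; None if not a hostname."""
        host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
        return host if host and HOSTNAME_RE.match(host) else None

    def _match(self, host: str, port: int) -> Optional[WafRule]:
        for rule in self.rules:
            if rule.listen_port != port:
                continue
            for pattern in rule.domains:
                pattern = pattern.lower()
                if pattern == host:
                    return rule
                # "*.apps.domain.tld" matches "x.apps.domain.tld" but not the apex itself
                if pattern.startswith("*.") and host.endswith(pattern[1:]):
                    return rule
        return None

    def route(self, host_header: str, port: int, path: str = "/") -> Decision:
        host = self.normalise_host(host_header)
        if host is None:
            return Decision("reject", reason="invalid Host header")
        if not path.startswith("/"):
            path = "/" + path
        rule = self._match(host, port)
        if rule is not None:
            backend = next(self._rr[id(rule)])
            return Decision("forward", target=f"{backend.host}:{backend.port}")
        # Plain HTTP for a name that is only published on 443: redirect, do not serve.
        if port == 80:
            https_rule = self._match(host, 443)
            if https_rule is not None and https_rule.redirect_http:
                return Decision("redirect", target=f"https://{host}{path}")
        # Unknown name/port: never fall through to some default backend.
        return Decision("reject", reason=f"no WAF rule for {host}:{port}")


def demo_router() -> WafRouter:
    """Constructed configuration mirroring the thread's example."""
    app1 = WebServer("app1", "10.10.10.10", 12345)      # from the thread's example
    lnx_a = WebServer("linux-a", "10.10.10.20", 8080)   # constructed
    lnx_b = WebServer("linux-b", "10.10.10.21", 8080)   # constructed
    rules = [
        WafRule(443, ["subdomain1.domain.tld"], [app1]),
        # several names to one Linux vhost setup, balanced over two backends
        WafRule(443, ["www.domain.tld", "blog.domain.tld", "*.apps.domain.tld"], [lnx_a, lnx_b]),
    ]
    return WafRouter(rules)


if __name__ == "__main__":
    router = demo_router()
    for host, port in [("subdomain1.domain.tld", 443), ("subdomain1.domain.tld", 80),
                       ("www.domain.tld", 443), ("www.domain.tld", 443), ("unknown.example", 443)]:
        print(host, port, "->", router.route(host, port))
```

The part worth carrying back to the real firewall is the last branch: a request whose Host header matches no rule is rejected rather than handed to whichever web server happens to be listed first, which is why each public name should be listed explicitly in the rule that protects it.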

  • PS: The WAF in the KB is for V17.5. Here is the DOC for V18: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/WAFProtectWebServerAgainstAttacks.html

    This page has moved to Firewall rules.

    About Let's Encrypt: as already stated, this is not implemented in XG yet. You could automate this integration via script, if you want to. See: https://community.sophos.com/xg-firewall/f/discussions/108931/letsencrypt-how-to-in-xg

    It's about where to use those certificates. As we move more and more to home offices, we should try to reduce the attack surface of such products. So disabling some of those services for WAN seems a good idea anyway. For example, Webadmin/SSH should be disabled, and the User Portal too if you do not use it. Just because you use a publicly signed certificate (LE) does not mean somebody can use your facilities to try to attack those. Just some thoughts about this.


  • Okay, that the function has moved is nice to know.
    But the Let's Encrypt topic is not finished :-)
    Will the function be implemented soon, or will it not be? If it still comes, the security argument is also not fitting ^^.
    In general I noticed that the UX from SG to XG has decreased quite a lot. But unfortunately we have to live with that.

  • Thank you for giving feedback! Glad that your problem got partially solved ;-)

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link