Good evening,

I come from the SG group and wanted to convert to XG. Currently I am doing all this as a home project.

Apparently not all features of the SG have been migrated to XG, or they have been converted to XG in a very complicated way. WAF was one of them. I can't find an option for this in the firewall, and the pages of the Sophos Wiki and FAQ show completely different ways, which have apparently already disappeared.

I have a lot of external domains that are running on the WAN port. I used to control via WAF which server and which port delivers the page:

> subdomain1.domain.tld (of course 443 with automatic redirection of 80)
> Internal web server 10.10.10.10 Port 12345

Or also several domains to a Linux web server, which then receives the requested domain and delivers the appropriate page.

Let's Encrypt seems to have disappeared by the way.
Are there up-to-date documents available?
PS: The WAF in the KB is for V17.5. Here is the DOC for V18: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/WAFProtectWebServerAgainstAttacks.ht…
Please be aware that I am not a Sophos employee, but I can help you out a bit with my knowledge as an ex-Sophos partner.

Compared to the XG, the SG is actually still a bit ahead in the area of WAF, although the XG has meanwhile shown off with various other features, which we should not worry about here. The WAF of the XG has been rebuilt somewhat, but it can't really be compared to the SG's anymore.
Indimundur said:
> Let's Encrypt seems to have disappeared by the way.

To take the most important thing first: there has been no official update on Let's Encrypt support for years, and no partner or customer understands why. It's sad that a feature that is so important to so many customers has slipped back in the development pipeline. Probably because several other features still need to be improved and Let's Encrypt is a completely new feature that needs to be developed for XG. No idea. I refer to this: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/13368852-let-s-encrypt-integration
About the WAF in general, I can provide you with these resources:
In general you start by adding your web servers at Protect > Web Servers. There you can specify the port the internal web server is listening on.

Then you continue by setting up a firewall rule for the WAF. Just click on "Add firewall rule" to create a new one. In the screenshot below you can see that I created one WAF rule for each subdomain or publicly available resource.
In the rule itself you can set stuff like:
If you're also interested in load balancing you can enable it by setting up a DNAT rule in the NAT rules section for the corresponding web server.
Let me know if you have further questions about WAF on Sophos XG. Please also consider contacting your Sophos partner if you have specific questions about the WAF and the migration to Sophos XG. Especially if you have to protect many web servers, a professional discussion and an analysis of your requirements are essential.
Have a nice weekend!
Intrusus
Sophos Certified Engineer | Sophos Certified Technician

private lab: XG firewall with SFOS 18.0.3 MR-3
Intercept X Advanced (for Server) with EDR EAP latest

If a post solves your question use the 'Verify Answer' link
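The question describes the publishing model (one public hostname and port mapped to one internal server and port, with 80 redirected to 443 and unknown hosts never reaching a backend), and the answer describes recreating it as one WAF rule per host. The script below is an added example, not part of this thread and not Sophos XG configuration or API: it models that rule table in a constructed format, routes an incoming Host/port pair against it, and runs the lint checks a reviewer would want after migrating many domains (missing 80-to-443 redirect, duplicate listeners, backends outside RFC 1918 space). The hostnames and addresses in the sample rule set are constructed, apart from the subdomain1.domain.tld / 10.10.10.10:12345 pair taken from the question.

```python
"""Model of per-host WAF publishing rules plus a lint pass for a migrated
rule set. Added example: the rule format below is a constructed one for
illustration and is not Sophos XG's own configuration or API."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Backends published through a WAF are expected to live on internal ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class WafRule:
    public_host: str                 # e.g. "subdomain1.domain.tld"
    public_port: int                 # port the firewall listens on (80 or 443)
    backend_ip: str                  # internal web server address
    backend_port: int                # port the internal web server listens on
    redirect_to_https: bool = False  # port-80 rule that only redirects to 443


@dataclass(frozen=True)
class Decision:
    action: str                      # "redirect", "forward" or "reject"
    target: Optional[str] = None     # redirect URL or backend "ip:port"


def route(rules, host, port):
    """Choose the rule for an incoming (Host header, listening port) pair.
    A host that matches no rule is rejected rather than falling through to
    the first backend, which is how a WAF that only serves configured
    domains behaves."""
    host = host.split(":", 1)[0].lower().rstrip(".")   # drop ":port" suffix
    for r in rules:
        if r.public_host.lower() == host and r.public_port == port:
            if r.redirect_to_https:
                return Decision("redirect", f"https://{r.public_host}/")
            return Decision("forward", f"{r.backend_ip}:{r.backend_port}")
    return Decision("reject")


def lint_rules(rules):
    """Return review findings: duplicate host/port listener, backend outside
    RFC 1918, plain HTTP forwarded to a backend, HTTPS host with no redirect."""
    findings = []
    seen = set()
    hosts_443 = {r.public_host.lower() for r in rules if r.public_port == 443}
    hosts_redirected = {r.public_host.lower() for r in rules
                        if r.public_port == 80 and r.redirect_to_https}
    for r in rules:
        key = (r.public_host.lower(), r.public_port)
        if key in seen:
            findings.append(f"duplicate listener {r.public_host}:{r.public_port}")
        seen.add(key)
        if not any(ip_address(r.backend_ip) in net for net in RFC1918):
            findings.append(
                f"{r.public_host}: backend {r.backend_ip} is not an RFC 1918 address")
        if r.public_port == 80 and not r.redirect_to_https:
            findings.append(
                f"{r.public_host}: plain HTTP forwarded without redirect to HTTPS")
    for h in sorted(hosts_443 - hosts_redirected):
        findings.append(f"{h}: no HTTP->HTTPS redirect rule on port 80")
    return findings


# Constructed sample rule set: the question's subdomain1 mapping, two names
# served by one Linux web server that picks the site by requested domain,
# and two deliberately flawed rules for the lint pass to catch.
SAMPLE_RULES = [
    WafRule("subdomain1.domain.tld", 443, "10.10.10.10", 12345),
    WafRule("subdomain1.domain.tld", 80, "10.10.10.10", 12345, redirect_to_https=True),
    WafRule("www.domain.tld", 443, "10.10.10.20", 80),
    WafRule("blog.domain.tld", 443, "10.10.10.20", 80),
    WafRule("blog.domain.tld", 80, "10.10.10.20", 80),       # forwards plain HTTP
    WafRule("legacy.domain.tld", 443, "203.0.113.5", 443),    # backend not internal
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print("finding:", finding)
    print(route(SAMPLE_RULES, "subdomain1.domain.tld", 80))
    print(route(SAMPLE_RULES, "unknown.example", 443))
```

The "reject" decision is the point worth keeping in mind when many domains share one WAN address: a request whose Host header matches no rule should get nothing, not the first backend in the list, so the per-host rule set doubles as an allow list of published names.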
I want to thank you too!
Thank you for giving feedback! Glad that your problem got partially solved