
Sophos XG 18 WAF Setup - Wiki/FAQ useless

Good evening,

I come from the SG group and wanted to convert to XG. Currently I am doing all this as a home project.
Apparently not all features of the SG have been migrated to XG or have been converted to XG in a very complicated way.

WAF was one of them. I can't find an option for this in the firewall, and the pages of the Sophos Wiki and FAQ show completely different ways, which have apparently already disappeared.

https://support.sophos.com/support/s/article/KB-000036712?language=en_US ???


I have a lot of external domains that are running on the WAN port.
I used to control which server and which port delivers the page via WAF.

> subdomain1.domain.tld (of course 443 with automatic redirection of 80)
> Internal web server 10.10.10.10 Port 12345

Or also several domains to a Linux web server, which then receives the requested domain and delivers the appropriate page.

Let's Encrypt seems to have disappeared by the way.

Are there up-to-date documents available?

Greetings, Patrick

  • Hi Patrick,

    Please be aware that I am not a Sophos employee, but I can help you out a bit with my knowledge as an ex Sophos partner.

    The SG is actually still a bit ahead of the XG in the area of WAF, although the XG has meanwhile shown off with various other features, which we should not worry about here. The WAF of the XG has been rebuilt a bit but can't really be compared to the SG anymore.

    > Let's Encrypt seems to have disappeared by the way.

    To take the most important thing first: There has been no official update on Let's Encrypt support for years, and no partner or customer understands why. It's sad that a feature that is so important to so many customers has slipped back in the development pipeline. Probably because several other features still need to be improved and Let's Encrypt is a completely new feature that needs to be developed for XG. No idea. I refer to this: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/13368852-let-s-encrypt-integration

    About the WAF in general, I can provide you with these resources:

    In general you start by adding your web servers at Protect > Web Servers. There you can specify the port the internal web server is listening on.

    Then you continue setting up a firewall rule for the WAF. Just click on "Add firewall rule" to create a new one. In the screenshot below you can see that I created one WAF rule for each subdomain or publicly available resource.

    In the rule itself you can set stuff like:

    • Listening port
    • All domains the XG should listen to and then forward requests to the specified web servers
    • Protected servers (the web servers you've set up in the first step)
    • Protection rules to harden web servers through Sophos XG

    If you're also interested in load balancing you can enable it by setting up a DNAT rule in the NAT rules section for the corresponding web server.

    Let me know if you have further questions about WAF on Sophos XG. Please also consider contacting your Sophos partner if you have specific questions about the WAF and the migration to Sophos XG. Especially if you have to protect many web servers, a professional discussion and an analysis of your requirements is essential.

    Have a nice weekend!

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link
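
A check to run once the WAF rules described above are in place, as an added example that is not part of the original post or Sophos tooling: for each published hostname it confirms that port 80 redirects to HTTPS on the same host and that port 443 does not answer with a 5xx. The hostname list is a constructed sample taken from the question, and treating a 5xx as "protected server not reached" is an assumption about the proxy's behaviour.

```python
import http.client
from urllib.parse import urlsplit

# Constructed sample: the hostname from the question, published by one WAF rule.
PUBLISHED_HOSTS = ["subdomain1.domain.tld"]
REDIRECT_CODES = {301, 302, 307, 308}

def fetch(host, tls, timeout=5):
    """GET / on port 443 (tls=True) or port 80; return (status, Location header)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)  # HTTPS verifies the certificate by default
    try:
        conn.request("GET", "/", headers={"User-Agent": "waf-rule-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def judge(host, plain, secure):
    """Return the findings for one hostname; an empty list means it passed."""
    findings = []
    status, location = plain
    target = urlsplit(location or "")
    if status not in REDIRECT_CODES:
        findings.append(f"port 80 answered {status} instead of redirecting")
    elif target.scheme != "https" or (target.hostname or "").lower() != host.lower():
        findings.append(f"port 80 redirects to {location!r}, not https://{host}/")
    if secure[0] >= 500:
        # Assumption: a 5xx from the proxy means the protected server was not reached.
        findings.append(f"port 443 answered {secure[0]}: check the web server's IP and port")
    return findings

def check_all(hosts, fetcher=fetch):
    """Probe every hostname on both ports and collect the findings per host."""
    report = {}
    for host in hosts:
        try:
            report[host] = judge(host, fetcher(host, False), fetcher(host, True))
        except (OSError, http.client.HTTPException) as exc:  # DNS, refused, TLS errors
            report[host] = [f"connection failed: {exc}"]
    return report

if __name__ == "__main__":
    for host, findings in check_all(PUBLISHED_HOSTS).items():
        print(host, "OK" if not findings else findings)
```

Run it from outside the firewall so the requests arrive on the WAN port like real visitor traffic.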

  • Thank you for giving feedback! Glad that your problem got partially solved ;)

    Intrusus
