This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trying to get WAF working correctly

So I have gone through and set up my Domain with a sub domain pointing to my WAN IP address. Set up my web server on the Sophos as well as the WAF rule with my HTTPS cert. The problem I am having is the WAF rule seems to work internal of the domain but will not allow any outside connections. I have double checked and tried various things. What am I missing?

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 6 years ago

There could be couple of issues here.

WAF is a basic reverse proxy.

https://en.wikipedia.org/wiki/Reverse_proxy

So the interface of XG needs to be addressed by the WAN client in the Internet.

Is the DNS record correct? Do you use DNS to access it? Is Xg directly connected in the internet or something in front?
Cancel
Vote Up 0 Vote Down

Cancel
0 Grant Thorpe over 6 years ago in reply to LuCar Toni

So when I do a NSlookup on the internal network it shows correct IP address for wan. The A record for my domain also seems to point correctly to the WAN IP. The Sophos XG is connected to my modem in bridge mode. If I set a site up with DNAT instead of WAF they appear to work just fine from the FQDN.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Grant Thorpe

And the WAF works internally? This sounds wired.

There is a KBA for WAF troubleshooting: https://community.sophos.com/kb/en-us/124574

Maybe this helps?
Cancel
Vote Up 0 Vote Down

Cancel
0 Grant Thorpe over 6 years ago in reply to LuCar Toni

Went through the trouble shooting the other day. Yes works internally If I point my A record to a different IP it stops working internally so I know the DNS is resolving correctly. and the test from the XG appliance also show it resolving. its almost like its only allowing LAN to connect and nothing else. the wan trys to load the site but eventually just throws up a connection error. I have watched the logs but it shows no outside connections just the internal ones, therefore IIS logs are also not showing since I cant get through the the XG.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Grant Thorpe over 6 years ago in reply to LuCar Toni

Went through the trouble shooting the other day. Yes works internally If I point my A record to a different IP it stops working internally so I know the DNS is resolving correctly. and the test from the XG appliance also show it resolving. its almost like its only allowing LAN to connect and nothing else. the wan trys to load the site but eventually just throws up a connection error. I have watched the logs but it shows no outside connections just the internal ones, therefore IIS logs are also not showing since I cant get through the the XG.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 6 years ago in reply to Grant Thorpe

Can you perform a Dump on your WAN Interface port 443?

community.sophos.com/.../how-to-tcpdump-on-xg
Cancel
Vote Up 0 Vote Down

Cancel
0 Grant Thorpe over 6 years ago in reply to LuCar Toni

Well I got it working. Somehow I had an OLD DNAT record for a different service that ended up getting port 443 put into the allowed services. When I would try adding anything with waf it would then somehow freak out and not work. Once I removed port 443 or port 80 from the DNAT, WAF would work just fine.

Thanks for trying to help! now onto a new post for my new problems!
Cancel
Vote Up 0 Vote Down

Cancel