
ID numbers from WAF log - Common threat filter - Skip filter rules

How can I find the rule ID (like [id "981176"]) in Sophos XG web server publishing, so I can add it to the bypass under Web server - Protection policies?

When using Sophos SG it was in the logs.

For Sophos XG there is the article https://community.sophos.com/kb/en-us/122833 and the ID has to be in the logs: [id "981176"] [msg "Inbound Anomaly Score Exceeded

When I open the Log viewer from the Sophos XG web console - Detailed view - module Web server protection, the log looks like this (without the ID number):


messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="MYURL" src_ip="mypublicIP" local_ip="my-XG-IP-address" protocol="HTTP/1.1" url="/RDWeb/Pages/en-US/login.aspx" query_string="" cookie="_ga=GA1.2.553296830.1454709251; _gcl_au=1.1.2086021688.1580460192" referer="myURL" method="POST" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0" host="mypublicIP" response_time="4656" bytes_sent="429" bytes_received="1055" fw_rule_id="76"

There is no ID like 981176.
I am using an XG230 (SFOS 17.5.9 MR-9).

Thanks

Martin

  • Hi Martin,

    We don't show this information in the log viewer.

    You can find the full logfile of the WAF under /log/reverseproxy.log in the advanced shell.

    Regards,
    Sabine

  • Thanks, it is working.

    For other users: I have to SSH to the XG firewall and choose 5 - 3 Advanced shell

    tail -n 5000 -f /log/reverseproxy.log | grep security2:error | grep mypublishedurl

    This command shows, from the last 5000 lines of the log file, only those containing the string security2:error and the string mypublishedurl.

    There I can find the ID numbers.
