Waf Issue

Question

Dear Team 
 
 I have webapp server which working with https protocol when i use waf protection on it all the logs in the server is appears to come from the firewall interface ip 
 not from the client ip how can i solve this issue to make the firewall forward the packet without replace the client ip with the firewall interface ip

FormerMember · Accepted Answer

Hi Hesham Mahmoud1 
 Thank you for reaching out to the Community! 
 Please select "Pass Host Header" in WAF rule to transmit the host header of the original request to your application. 
 Thanks,

Vishal_R · Answer

Hi Hesham Mahmoud1 WAF is reverse proxy in a nature which means from external world traffic will come to XG and XG-WAF will initiate a session to LAN or DMZ server. Due to this XG WAF is changing the source IP when traffic is forwarded to the protected web server, rather than showing the original client IP. This is by design and how WAF works. 
 Please refer below help guide for reference: 
 http://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/WebServerProtectionRule.html 
 Under &ldquo;Description&rdquo; of &ldquo;Hosted address&rdquo; below information has been documented: When a client establishes a connection and accesses the web server, the web server does not obtain the client&rsquo;s real IP address. The server obtains the address of the interface used by the web application firewall (WAF) because the connection is made through the WAF. The client&rsquo;s real IP address is available in the HTTP header. If you would like to track the original source IP then you may check "X-Forwarded-For (XFF) header" information and there original source IP details you may get. 
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For