WAF rule works while disabled - strange behaviour

Hi Guys,

I'm using XG with the newest firmware (18.0.4-MR4) and I have an onlyoffice workspace test installation behind it. When I open onlyoffice via the private IP or FQDN, it automatically redirects from http to https. So I think it's working as it should. So I tried to make that available via a WAF rule on the XG. I think I configured it the right way, and the access via the public IP works fine.

Yesterday I wanted to disable the WAF rule, and that works fine as well, BUT when I now try to open onlyoffice via the FQDN from the internet, it now opens onlyoffice via HTTP. I also tried HTTPS, but that's not working.

So my question is, why is onlyoffice accessible from the internet, even when the WAF rule and the automatically added NAT rule are disabled? I have 3 other rules configured, one for internet access (from LAN to WAN only), one for VPN and one WAF rule for Nextcloud. In the Webserver log it shows accepted connections for the firewall rule with ID 4, which is the disabled WAF rule.

I also disabled the WAF rule for Nextcloud, which works as expected. Nextcloud wasn't accessible via http or https, and the log shows a drop for the connection. The only difference between the two rules is that Nextcloud additionally has IPS and a protection rule as well as an http redirect with a Let's Encrypt cert.

Any help would be appreciated!

Thanks and best regards



This thread was automatically locked due to age.
  • Hello oldgoodname,

    Thank you for contacting the Sophos Community.

    Are you seeing anything under the reverseproxy.log when you disable the WAF?

    # /log/reverseproxy.log

    After the changes of HTTP and HTTPS did you try accessing via Incognito, it might be that your browser is doing the redirection due to the cache.

    Check if you have any additional NAT rule, (DNAT) that is allowing access from the outside. 

    Regards,

  • Hello Emmanuel,

    Thanks for your answer. I checked the reverseproxy.log and there is kind of the same entry as in the Web Server Protection log from the GUI. So I think it's the same? Here is one entry, while the WAF rule was disabled:

     srcip="xxx.xxx.xxx.xxx" localip="xxx.xxx.xxx.xxx" user="-" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" duration="44046" url="/skins/default/images/logo/favicon_general.ico" server="portal.domain.tld" referer="http://portal.domain.tld/Auth.aspx" cookie="ASP.NET_SessionId=151C14CB96ED4836660D55DD" set-cookie="-" recvbytes="432" sentbytes="14507" protocol="HTTP/1.1" ctype="image/x-icon" uagent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0" querystring="?t=637524332276851490" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="4"

    As you can see, I tried to open portal.domain.tld from outside the network, and it opened http://portal.domain.tld/Auth.aspx successfully. From inside the local network, http automatically redirects to https. The WAF rule was only configured for http access because I first have to import the Let's Encrypt cert. So I think it's working as it should, but only when the WAF rule is enabled, and it's not! The rule with ID=4 is disabled.

    There are 2 NAT rules, one is called "Default SNAT IPv4", which I think is an old masquerading rule for internet access. It is disabled. The second one is called fw#1_migrated_NAT_rule, which I think is the currently used masquerading rule for internet access. So there is no DNAT rule.

    For me it looks like there is some kind of bug, which shows the WAF rule as disabled in the GUI, but for the firewall itself it's enabled. Is it possible to check that via ssh?

    I tried it from my notebook, mobile phone and company notebook, where I have never opened any URL from my domain before. So no cache on my notebook.

    Thanks and best regards
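The entry above is the thing to check for systematically: an accepted response whose ruleid points at a rule the GUI shows as disabled. The following script is an added example, not code from the thread or from Sophos. It parses the key="value" layout of /log/reverseproxy.log and flags any non-error response (status below 400) attributed to a rule ID in a set you supply. The two log lines are constructed for the example (dummy addresses and cookie), modelled on the entry quoted in the thread, and the set of disabled rule IDs is an assumption you would fill from your own rule table.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in the reverseproxy.log key="value" layout.
# Line 1 mirrors the thread's entry (rule 4 serving a 200); line 2 is a
# constructed drop (403) for the Nextcloud rule, assumed here to be rule 3.
SAMPLE_LOG = '''\
srcip="203.0.113.10" localip="198.51.100.5" user="-" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" duration="44046" url="/skins/default/images/logo/favicon_general.ico" server="portal.domain.tld" referer="http://portal.domain.tld/Auth.aspx" cookie="ASP.NET_SessionId=dummy" set-cookie="-" recvbytes="432" sentbytes="14507" protocol="HTTP/1.1" ctype="image/x-icon" uagent="Mozilla/5.0" querystring="?t=637524332276851490" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="4"
srcip="203.0.113.10" localip="198.51.100.5" user="-" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" duration="12" url="/" server="nextcloud.domain.tld" referer="-" cookie="-" set-cookie="-" recvbytes="300" sentbytes="200" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0" querystring="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="3"
'''

# Assumption for the example: rule 4 is the WAF rule switched off in the GUI.
DISABLED_RULE_IDS: Set[str] = {"4"}

# key="value" pairs; keys may contain '-' (set-cookie) and '_' (websocket_key),
# values may contain '=', spaces and '/', so match up to the closing quote.
KV_RE = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into a dict of its key="value" fields."""
    return {key: value for key, value in KV_RE.findall(line)}


def served_by_disabled_rule(log_text: str, disabled: Set[str]) -> List[Dict[str, str]]:
    """Return entries where a rule in `disabled` still produced a non-error response.

    A 403 from a disabled rule is what you expect (the thread's Nextcloud case);
    a 2xx/3xx from a disabled rule is the anomaly the poster describes.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        rule = entry.get("ruleid")
        status = entry.get("statuscode", "")
        if rule in disabled and status.isdigit() and int(status) < 400:
            hits.append({
                "ruleid": rule,
                "server": entry.get("server", "-"),
                "url": entry.get("url", "-"),
                "statuscode": status,
                "srcip": entry.get("srcip", "-"),
            })
    return hits


if __name__ == "__main__":
    for hit in served_by_disabled_rule(SAMPLE_LOG, DISABLED_RULE_IDS):
        print("disabled rule still serving:", hit)
```

Run it against the real file with the contents of /log/reverseproxy.log in place of SAMPLE_LOG and the IDs of every rule you have toggled off; any hit is a request the firewall answered on behalf of a rule that should not be in effect, which is exactly what supports (or rules out) the GUI-versus-runtime mismatch suspected in this thread.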

  • If you disable the rule and reload the waf on the webadmin, does it affect the WAF? service waf:restart -ds nosync

  • Hi LuCar Toni,

    I haven't restarted anything. I wanted to analyze the problem, in case it's a bug, so it can be solved in a future release. But now I tried your solution, and the website still opens while the WAF rule is deactivated.

    I restarted the whole firewall and after that I got a "Forbidden" message. I enabled and disabled the rule again, and now the website shows again while the WAF rule is disabled.

    The only thing I forgot to tell you guys is that I copied the rule from the Nextcloud WAF rule.

    The last thing I can try is to delete the rule and create it from scratch (not copy it from another WAF rule). That may solve the problem for me, but if it is a bug, it will persist.

    Thanks and best regards

  • Are you a home user? If not, you should open a support case to get this analyzed. 

  • Yes, I am a home user. At the company we still use UTM, so I cannot reproduce it there.

    The last thing I can do is to delete the rule and make a new one, which is not copied from another WAF rule. I think then it would work. If you have no further hints to check things, I will try that.

  • Now I enabled the portal.domain.tld WAF rule and I noticed the following:

    When I use the website ssllabs.com to check things about my config, it says that for my website portal.domain.tld there are 2 certs present (nextcloud.domain.tld and portal.domain.tld) and the browser must support SNI to choose the right one. The strange thing is that for nextcloud.domain.tld there is just one cert present. So now I am wondering why for nextcloud.domain.tld there are not 2 certs present. The configuration is the same for both webservers on the firewall.

    Both are two separate Linux servers with different IPs, but the public IP is the same.

    Any thoughts, if that points to the problem?

    Thanks and best regards