Sophos WAF understand

Good morning all.
I am seeing behavior that I cannot understand with the WAF function, or maybe I did not understand how the WAF works.

On my XG I opened ports 443 and 80 to a web server.
Until then, no problem.

Following a change in the firewall rules at my company (it is impossible to use non-standard ports other than 80 and 443), it is no longer possible to use port forwarding to another server.

I decided to set up the WAF.

I created a WAF rule with a certificate for HTTPS.

My problem is that this rule only works if I deactivate my firewall and NAT rule for my web server.

To do my tests, I took care to put the WAF rule before the rule for my web server.

Did I get something wrong, or have I just not understood the principle of the WAF?

Thank you in advance.
I hope I was clear enough.

Sophos XG 18.0.5 MR-5



This thread was automatically locked due to age.
Reply:

It's the XG Firewall setup which causes your issue.

The architecture of WAF and NAT comes from a unified perspective. In V17.5, NAT was embedded into the firewall (called a Business application rule). Therefore a NAT decoupling, like in V18.0, still has some ties to this setup, as WAF is still a firewall rule and a NAT rule in one place. But as NAT is decoupled, the system-internal NAT rule for WAF is the last one in the rule set; you cannot move a DNAT rule below this threshold. It's a limitation within the architecture which is not resolved yet. But the use case of those NAT rules is not clear to me. Why do you want to have a NAT rule below the WAF? This rule, generally speaking, will never be applied.
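The reply describes a first-match NAT table in which the WAF's internal NAT rule is always appended last, so any user DNAT rule for the same port shadows it. The following is an added illustration, not Sophos code and not from either poster: it models that ordering with hypothetical rule names and a simple shadowed-rule check, so you can see why the OP's DNAT rule for port 443 wins over the WAF rule no matter where the WAF firewall rule is placed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Constructed model of a first-match NAT table (hypothetical names, not the
# Sophos API). It follows the reply above: user DNAT rules are evaluated
# first and the WAF's system-internal NAT rule is always last.


@dataclass(frozen=True)
class NatRule:
    name: str
    dst_port: int          # destination port the rule matches
    target: str            # where matched traffic is sent
    system: bool = False   # True for the firewall's own internal rule


# The WAF engine's internal NAT rules, always appended after user rules.
WAF_INTERNAL_RULES: Sequence[NatRule] = (
    NatRule("WAF internal NAT (HTTPS)", 443, "waf-engine", system=True),
    NatRule("WAF internal NAT (HTTP)", 80, "waf-engine", system=True),
)


def build_nat_table(user_rules: Iterable[NatRule]) -> List[NatRule]:
    """User DNAT rules first, WAF internal rules appended last (cannot be reordered)."""
    return [*user_rules, *WAF_INTERNAL_RULES]


def first_match(table: Sequence[NatRule], dst_port: int) -> Optional[NatRule]:
    """First-match evaluation: the earliest rule whose port matches wins."""
    for rule in table:
        if rule.dst_port == dst_port:
            return rule
    return None


def shadowed_rules(table: Sequence[NatRule]) -> List[NatRule]:
    """Rules that can never fire because an earlier rule already covers their port."""
    seen_ports = set()
    shadowed = []
    for rule in table:
        if rule.dst_port in seen_ports:
            shadowed.append(rule)
        else:
            seen_ports.add(rule.dst_port)
    return shadowed


def route_for(user_rules: Iterable[NatRule], dst_port: int) -> str:
    """Target that inbound traffic to dst_port ends up at, or 'no-nat' if nothing matches."""
    hit = first_match(build_nat_table(user_rules), dst_port)
    return hit.target if hit else "no-nat"


if __name__ == "__main__":
    # Constructed scenario: the OP's own DNAT rule for the web server on 443.
    dnat_web = NatRule("DNAT web server", 443, "web-server")

    print("With the DNAT rule active, 443 goes to:", route_for([dnat_web], 443))
    for rule in shadowed_rules(build_nat_table([dnat_web])):
        print("shadowed (never applied):", rule.name)

    # Disabling the DNAT rule lets the WAF's internal rule match.
    print("With the DNAT rule disabled, 443 goes to:", route_for([], 443))
```

Running it reproduces the OP's observation: with the DNAT rule present, 443 is sent straight to the web server and the WAF's HTTPS rule is reported as shadowed; with the DNAT rule removed, 443 reaches the WAF engine. The firewall rule order the OP changed is not part of this table, which is why moving the WAF rule up had no effect.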
