Sophos WAF understand

Good morning all.
I have a behavior that I cannot understand with the WAF function, or maybe I did not understand how the WAF works.

On my XG I opened ports 443 and 80 to a web server.
Until then, no problem.

Following a change in the firewall rule in my company (impossible to use non-standard ports other than 80 and 443), it is impossible to use port forwarding to another server.

I decided to set up the WAF.

I created a WAF rule with a certificate for HTTPS.

My problem is that this rule only works if I deactivate my firewall and my NAT rule for my WEB server.

To do my tests I took care to put the WAF rule before my rule for my WEB server.

Did I get it wrong somewhere or just didn't understand the principle of WAF?

Thank you in advance.
I hope I was clear enough.

Sophos XG 18.0.5 MR-5



This thread was automatically locked due to age.
  • Hello,
    thank you for your reply.
    But I don't see how putting a black hole will solve my problem?

  • Hello,

    you can't have both at the same time: a WAF-rule and a DNAT rule for internal servers.

    If using WAF, you grab the ports 80 and 443 and then decide with the URL-reference from the calling user-agent where to pass this request to.

    You cannot have a DNAT-rule in place for the same ports on that same IP-address.
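The conflict described in this reply (a WAF rule and a DNAT rule competing for TCP 80/443 on the same listening IP) can be caught with a small audit before a rule change goes live. The following Python script is an added example, not Sophos code and not anything posted in this thread; it models the rule table as plain dataclasses (a constructed, hypothetical representation, not the XG configuration format) and assumes, as the thread states, that user DNAT rules are consulted before the system-internal NAT entry that the WAF rule relies on. The IP address and rule names are constructed sample values.

```python
"""Audit a simplified rule table for WAF/DNAT port conflicts.

Constructed example, not Sophos code. Assumptions (hypothetical):
- each rule is a Rule object with a kind of "WAF" or "DNAT";
- rules are evaluated top to bottom;
- user DNAT rules are matched before the WAF's system NAT entry,
  so an enabled DNAT rule on the same IP/ports shadows the WAF rule
  no matter where the WAF firewall rule sits in the list.
"""

from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str            # "WAF" or "DNAT"
    listen_ip: str       # WAN-side IP the rule answers on
    ports: frozenset     # TCP ports the rule claims
    enabled: bool = True


def find_conflicts(rules):
    """Return (waf_name, dnat_name) pairs where an enabled DNAT rule shares the
    listening IP of an enabled WAF rule and overlaps at least one of its ports."""
    wafs = [r for r in rules if r.kind == "WAF" and r.enabled]
    dnats = [r for r in rules if r.kind == "DNAT" and r.enabled]
    conflicts = []
    for w in wafs:
        for d in dnats:
            if d.listen_ip == w.listen_ip and (d.ports & w.ports):
                conflicts.append((w.name, d.name))
    return conflicts


def effective_handler(rules, ip, port):
    """Name of the rule that would handle a packet to ip:port.

    DNAT rules win first (user NAT table), then the WAF's system NAT entry,
    which is why a leftover DNAT rule makes the WAF rule appear 'not to work'."""
    for r in rules:
        if r.enabled and r.kind == "DNAT" and r.listen_ip == ip and port in r.ports:
            return r.name
    for r in rules:
        if r.enabled and r.kind == "WAF" and r.listen_ip == ip and port in r.ports:
            return r.name
    return None


# Constructed rule set mirroring the thread: WAF rule listed first, but the
# old DNAT rule for the web server is still enabled.
SAMPLE_RULES = [
    Rule("WAF web server", "WAF", "203.0.113.10", frozenset({80, 443})),
    Rule("DNAT web server", "DNAT", "203.0.113.10", frozenset({80, 443})),
    Rule("DNAT mail", "DNAT", "203.0.113.10", frozenset({25})),
]

# Same table after the conflicting DNAT rule is disabled.
FIXED_RULES = [
    Rule("WAF web server", "WAF", "203.0.113.10", frozenset({80, 443})),
    Rule("DNAT web server", "DNAT", "203.0.113.10", frozenset({80, 443}), enabled=False),
    Rule("DNAT mail", "DNAT", "203.0.113.10", frozenset({25})),
]

if __name__ == "__main__":
    for name, table in (("before", SAMPLE_RULES), ("after", FIXED_RULES)):
        print(name, "conflicts:", find_conflicts(table))
        print(name, "443 handled by:", effective_handler(table, "203.0.113.10", 443))
```

Running the script shows the DNAT rule handling port 443 in the first table and the WAF rule taking over only once that DNAT rule is disabled; port 25 is unaffected either way because it does not overlap the ports the WAF rule claims.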

  • I understand what you are saying.
    What I cannot explain to myself is why the WAF rule does not work when it is before the DNAT rule.
    This is mostly what I want to understand.

  • It's the XG Firewall setup which causes your issue.

    The architecture of WAF and NAT comes from a unified perspective. In V17.5, NAT was embedded into the firewall (called Business application rule). Therefore a NAT decoupling, like in V18.0, still has some ties into this setup, as WAF is still a firewall rule and a NAT rule in one place. But as NAT is decoupled, the system-internal NAT rule for WAF is the last one in the rule set; you cannot move a DNAT rule below this threshold. It's a limitation within the architecture, which is not resolved yet. But the use case of those NAT rules is not clear to me. Why do you want to have a NAT rule below the WAF? This rule, generally speaking, will never be applied.

  • Hello LuCar Toni.
    Thank you for your answer and your explanation.
    So it's a bug that isn't really one, let's say.
    It's not that I need a NAT rule under a WAF rule.
    It's just that during my test of the WAF rule I left my WAF and firewall rules active.
    So I didn't understand why my WAF rule wasn't working.
    Now I have an explanation.

    On the other hand I do not see the possibility of putting a geographic restriction in the WAF rule.
    Because by default on the incoming service I prefer to limit myself to France.

  • You can do this geo blocking by using a NAT rule with the unwanted countries and a blackhole destination.

  • Hello LuCar Toni,
    Last question.
    How do I access Sophos XG with a WAF rule?
    I have tried several things but it doesn't work.
    Thank you in advance.