WAF domains will not be covered?

Perhaps I am missing something simple here, but after setting up WAF for an internal HTTPS server, I am getting the following message when I try to save the rule:

Following domain(s) will not be covered by selected HTTPS certificate

"remote.domainname.com".
1. remote.domainname.com

Actual domain removed for privacy, of course...

Anyways, I am not sure why the firewall will not use the cert to cover this domain. I generated a CSR with the firewall, got the cert from my provider, uploaded it, and it took it. The provider did provide to me a .crt that I opened and exported as a .cer using windows cert wizard, but that shouldn't matter, right? Also, I know that the WAF needs to have the .key file, but since I generated the CSR with the firewall, it has that already and didn't ask for it when I uploaded the cert. 

Also, I checked to make sure that my old DNAT rules do not have 443 included since I understand that I cannot have more than one firewall rule referencing that port. There are other DNAT rules still in place for non-web ports that this application accepts traffic on. 

Finally, I have set up the user portal to use a port other than 443, so I don't think there is a conflict there. 

The firewall is an XG210 running SFOS 18.0.4 MR-4.

  • FormerMember

    Hey Paul, thanks for reaching out to Sophos Community.

    If you use HTTPS (443) in the WAF rule and add the certificate, then the WAF rule will only allow you to add the domains which are defined in either the CN (Common Name) of the certificate or the SAN (Subject Alternative Name).

    If you generated the CSR with CN 'domainname.com' and nothing in SAN, then the certificate is only valid for 'domainname.com' and not for any other subdomains (remote.domainname.com, mail.domainname.com etc.).

    You'll either need to define SAN or use a wildcard domainname (*.domainname.com).
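The coverage check described in the reply above, as an added example that is not Sophos code: it takes a certificate's CN and DNS SANs (constructed here to mirror the thread's cases) and reports which WAF domains no name covers, including the single-label rule for a wildcard such as *.domainname.com.

```python
"""Which hostnames does a certificate's CN/SAN set cover? (added example)

Constructed to reproduce the firewall's "will not be covered" warning:
a name is covered if it matches the CN or any DNS SAN, where a leftmost
'*.' wildcard matches exactly one label (RFC 6125 style).
"""


def _match_one(hostname: str, pattern: str) -> bool:
    """Exact, case-insensitive match, or a single-label leftmost wildcard."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if host == pat:
        return True
    if not pat.startswith("*."):
        return False
    # '*.domainname.com' covers remote.domainname.com, but neither the bare
    # domainname.com nor a deeper name such as a.remote.domainname.com.
    suffix = pat[1:]  # '.domainname.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_names(cn, sans=()):
    """Names the WAF rule will accept: the CN plus every DNS SAN, de-duplicated.
    Note that browsers since about 2017 ignore the CN and require a SAN."""
    names = [cn] if cn else []
    names += [s for s in sans if s not in names]
    return names


def uncovered(domains, cn, sans=()):
    """Return the WAF domains that no certificate name matches ([] if all covered)."""
    names = cert_names(cn, sans)
    return [d for d in domains if not any(_match_one(d, n) for n in names)]


if __name__ == "__main__":
    # 1. CSR with CN only: the warning from the first post.
    print(uncovered(["remote.domainname.com"], cn="domainname.com"))
    # -> ['remote.domainname.com']
    # 2. SAN present, as in the poster's actual certificate.
    print(uncovered(["remote.companyname.com"], cn="remote.companyname.com",
                    sans=["remote.companyname.com", "www.remote.companyname.com"]))
    # -> []
    # 3. Wildcard as suggested in the reply: one label only.
    print(uncovered(["remote.domainname.com", "domainname.com", "a.remote.domainname.com"],
                    cn="domainname.com", sans=["*.domainname.com"]))
    # -> ['a.remote.domainname.com']
```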

  • The CSR and my certificate both had a subject alternative name as remote.companyname.com. The certificate provider also adds in www.remote.companyname.com for compatibility reasons I guess, but neither the firewall nor any visitors use the www version.

    My previous responses with explanations and screenshots should prove to you what I'm claiming.

    Any other ideas? I really don't want to have to get on the phone with sophos support for three or four hours or more.


  • Same thing is happening with me.

    I have a certificate with two subjects, the WAF always gives an error saying the second SAN isn't covered by the certificate. (Only shows one.)

    But if I create a WAF rule with it and bypass the warning, the certificate will be used as expected. (Without any errors for the end user, but the firewall will still scream at you.)

    Can you try to create the WAF rule with the certificate and bypass the warning? After that, report back here in the thread.

  • Thing is, the firewall is not giving me an error any longer when I save the rule. For all intents and purposes, the WAF rule is working since I can reach my internal server and there are no other rules that would be forwarding 443 to my server. The only issue is, the cert that my browser gets is the cert from the server itself and not the cert in the WAF. I can tell by the issue dates because the SANs are the same (remote.companyname.com). This makes me think that the rule may be forwarding traffic but not actually doing any protection.

  • Check the reverseproxy.log or logviewer to see if there is any WAF traffic.

  • I think I found the root of the issue. I still have migrated NAT rules in place, plus some rules made by the server access assistant that are forwarding external traffic to my internal server. I have found that if I disable those rules, the WAF rule seems to still forward traffic to the internal server, but something still isn't right. 

    Is it necessary to have a NAT rule to forward traffic in conjunction with the WAF rule, or should I only have a WAF rule?