Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 28 subscribers
  • Views 1694 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF domains will not be covered?

Paul Schwegler

Perhaps I am missing something simple here, but after setting up WAF for an internal HTTPS server, I am getting the following message when I try to save the rule:

Following domain(s) will not be covered by selected HTTPS certificate

"remote.domainname.com".
1. remote.domainname.com

actual domain removed for privacy of course...

Anyways, I am not sure why the firewall will not use the cert to cover this domain. I generated a CSR with the firewall, got the cert from my provider, uploaded it, and it took it. The provider did provide to me a .crt that I opened and exported as a .cer using windows cert wizard, but that shouldn't matter, right? Also, I know that the WAF needs to have the .key file, but since I generated the CSR with the firewall, it has that already and didn't ask for it when I uploaded the cert. 

Also, I checked to make sure that my old DNAT rules do not have 443 included since I understand that I cannot have more than one firewall rule referencing that port. There are other DNAT rules still in place for non-web ports that this application accepts traffic on. 

Finally, I have set up the user portal to use a port other than 443, so I don't think there is a conflict there. 

The firewall is an XG210 running SFOS 18.0.4 MR-4



This thread was automatically locked due to age.

Top Replies

  • FormerMember
    FormerMember +1

    Hey Paul,  Thanks for reaching out to Sophos Community

    If you use HTTPS (443) in the WAF rule and add the certificate, Then the WAF rule will only allow you to add the domains which are defined in either CN (Common Name) of the certificate or the SAN (Subject Alternative Name). 

    If you generated the CSR with CN 'domainname.com' and nothing in SAN, then the certificate is only valid for 'domainname.com' and not for any other subdomains (remote.domainname.com, mail.domainname.com etc..)

    You'll either need to define SAN or use a wildcard domainname (*.domainname.com).

    Jump to answer
  • 0 in reply to LuCar Toni

    I think I found the root of the issue. I still have migrated NAT rules in place, plus some rules made by the server access assistant that are forwarding external traffic to my internal server. I have found that if I disable those rules, the WAF rule seems to still forward traffic to the internal server, but something still isn't right. 

    Is it necessary to have a NAT rule to forward traffic in conjunction with the WAF rule, or should I only have a WAF rule?