
Web application Firewall - WAF policies limitation to 60 rules?

Hi,

I'm using a virtual appliance of Sophos XG 18.5.1 (2c4g)

I configured 60 WAF policies, but now I'm blocked by a limitation.

Error message: "60 WAF policies are already enabled. This policy will be created but it will not be enabled. Are you sure you want to continue?"

  • Is it possible to remove this hidden limitation?
  • Is there a document with more information about this limitation?
  • What is the limitation for each version?
  • Is there a hidden limitation on other functionalities?


This thread was automatically locked due to age.
  • Is it possible to remove this hidden limitation?

    No.

    Is there a document with more information about this limitation?

    There isn't.

    There's nothing on the Docs about this, you will only find other people here in the community questioning this; There's also a Feature Request from 2017 in Sophos Ideas, but they never got an answer on it.

    What is the limitation for each version?

    60 WAF policies, on all software and hardware appliances. (Upgrading your software appliance to a bigger one won't change this limitation.)

  • Hi Prism,

    Thank you very much for your answer.

    The only two limitations I was made aware of when purchasing were: 1) CPU, 2) memory. The account manager at Sophos never said anything about a WAF rule limitation. If I had known this in advance, I would never have purchased this solution.

    I'm really annoyed with this situation, I'm even more annoyed that Sophos staff won't communicate about the issue.

    Hard to accept that a vendor forces limitations that are not documented, not communicated, not mentioned on the license, not mentioned on the agreement, ...

    I did not buy the 2-core 4 GB version, I purchased the 2-core 4 GB 60-WAF-rule version.

    I keep asking myself: is this the only functionality that is secretly limited, or are there other limitations that I will bump into in a few months?

    Strangely, Sophos did send me a quote for an upgrade to a higher version of the appliance (3x the price).

    Quote:

    "It is possible to expand this by purchasing an upgrade on the basic licenses and also expanding the subscriptions to the new model."

    I've asked my license partner to confirm the limitation issue with Sophos (to make sure it's solved with the upgrade and to know the limitation of the upgraded version).

    to be continued...

    Regards,

  • There is an updated doc:

    https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/WebServer/index.html

    You can create any number of WAF rules, but only 60 rules can be active simultaneously.
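Because a rule created past the ceiling is saved but left disabled, the practical check before adding a web server is how many WAF rules are already enabled and which ones are sitting disabled. The following Python is an added example written for this page, not code from Sophos or from anyone in the thread. It reads a firewall-rule export and reports the enabled count, the disabled WAF rules, and the remaining headroom against the 60 active-rule limit stated above; the element and value names it looks for (FirewallRule, Name, Status, PolicyType, HTTPBased, Network) are assumptions about the export format, and the embedded XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Ceiling on simultaneously enabled WAF rules reported in the thread.
MAX_ACTIVE_WAF_RULES = 60

# Constructed sample in the shape of a firewall-rule export. The element and
# value names (FirewallRule, Name, Status, PolicyType, HTTPBased, Network) are
# assumptions about the export format, not taken from the thread or the docs.
SAMPLE_EXPORT = """<Configuration>
  <FirewallRule><Name>waf-app01</Name><Status>Enable</Status><PolicyType>HTTPBased</PolicyType></FirewallRule>
  <FirewallRule><Name>waf-app02</Name><Status>Enable</Status><PolicyType>HTTPBased</PolicyType></FirewallRule>
  <FirewallRule><Name>waf-app61</Name><Status>Disable</Status><PolicyType>HTTPBased</PolicyType></FirewallRule>
  <FirewallRule><Name>lan-to-wan</Name><Status>Enable</Status><PolicyType>Network</PolicyType></FirewallRule>
</Configuration>
"""


def waf_rules(xml_text):
    """Yield (name, enabled) for every WAF (HTTPBased) rule in the export."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("FirewallRule"):
        if rule.findtext("PolicyType") != "HTTPBased":
            continue  # ordinary network/user rules do not count toward the limit
        name = rule.findtext("Name", default="<unnamed>")
        yield name, rule.findtext("Status") == "Enable"


def waf_limit_report(xml_text, ceiling=MAX_ACTIVE_WAF_RULES):
    """Summarise how close the export is to the active-WAF-rule ceiling.

    Returns a dict with the enabled count, the names of disabled WAF rules
    (with headroom 0 these are the rules the firewall created but would not
    enable, i.e. web servers that are not actually being published), and the
    remaining headroom (never negative).
    """
    rules = list(waf_rules(xml_text))
    enabled = sum(1 for _, on in rules if on)
    disabled = [name for name, on in rules if not on]
    return {
        "enabled": enabled,
        "disabled": disabled,
        "headroom": max(ceiling - enabled, 0),
        "at_limit": enabled >= ceiling,
    }


if __name__ == "__main__":
    report = waf_limit_report(SAMPLE_EXPORT)
    print(f"enabled WAF rules: {report['enabled']}/{MAX_ACTIVE_WAF_RULES}")
    print(f"headroom: {report['headroom']}")
    if report["at_limit"]:
        print("WARNING: at the active-rule ceiling; new WAF rules will be created disabled")
    for name in report["disabled"]:
        print(f"disabled WAF rule (web server not published): {name}")
```

Run it against a real export (adjusting the element names if your export differs) before provisioning a new web server; a non-empty disabled list with zero headroom is the symptom described in this thread, and those disabled rules deserve an explicit audit because the appliance accepts them without serving the application behind them.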

  • Yes - seems like this note was removed in some migration process and has now been added again.

    PS: Just some thoughts about your setup. 60+ web servers is a big chunk of applications. What are you trying to achieve? What are those applications?

    Because there is a new kid on the horizon called ZTNA, which could potentially replace your WAF and give you more "features" and better integration.

    ZTNA is a tool to deliver internal tools to users. It is all about having agent-based or agentless (HTTPS) access to internal applications for "known users". So it does not replace a reverse proxy with malware scanning for a public website, but it likely replaces a reverse proxy with FORM authentication.

    So are you going to implement the SFOS appliance for public servers or internal applications? I wrote some more thoughts about this new product here: https://community.sophos.com/utm-firewall/f/vpn-site-to-site-and-remote-access/130933/road-warriors---l2tp-over-ipsec-capabilities-for-split-dns-and-split-tunnelling-routing-mac-windows-built-in