
Preserve or retain client IP through WAF

Hello,

I've done some searching on here and many posts I find are 5-10 years old and/or the original poster never came back to confirm whatever was suggested fixed their issue or not. And, for reasons beyond me, these threads are locked so you cannot even chime in to ask if what they did fixed it or not, so here I am.

We just set up WAF and now client IPs are all showing the IP of the Sophos Firewall. How can we preserve or retain the original client IP? We have a few scenarios where something on our web app is revealed to them based on their IP, but now all traffic is showing coming from the LAN IP of the Sophos.

I found one suggestion to make sure "Pass host header" is checked, and other suggestions to use X-Forwarded-For in IIS. Does anyone know what exactly needs to be done? I'm asking here before I simply click the Pass host Header checkbox and/or do the X-Forwarded-For thing, to get some feedback first.

Thanks!



This thread was automatically locked due to age.
  • It's good to enable "Pass host header", since lots of applications won't work without it. The WAF will send the real IPv4 of the client through the X-Forwarded-For HTTP header independent of this setting.

    Depending on the scenario there are multiple ways to preserve the real IPv4, but all of them depend on what application or reverse proxy you're currently running behind it. Most of them will use the explicit HTTP header by default.

    But on some other setups, this can be different. As an example, my setup currently looks like this: WAF => Nginx => Web Application.

    Since I want Nginx to send the real IPv4 that came from the WAF to the web app, I've added this snippet in my server config. (And some other headers to fix certain issues.)

    # Get real IPv4 behind WAF: rewrite $remote_addr from X-Forwarded-For,
    # but only for requests that actually arrive from the WAF's address.
    real_ip_header X-Forwarded-For;
    set_real_ip_from 10.10.10.1;
    
    # Use HTTP 1.1 since default is HTTP 1.0.
    proxy_http_version 1.1;
    
    # Necessary headers for proxy.
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for keeps the incoming X-Forwarded-For and
    # appends $remote_addr, so the app sees the whole hop chain.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    # Don't redirect.
    proxy_redirect off;
    
    # Don't buffer.
    proxy_buffering off;
    proxy_request_buffering off;

    Anyways, what exactly are you running behind the WAF?

  • Thanks for the detailed reply ! I did just enable Pass Host Header, but based on your reply I'm not certain if that is enough or not. I asked someone to check the logs and see if it's now showing public IPs vs the Sophos LAN IP. I think the fact you said WAF will send it regardless means there's still some work to do. We just have a basic .net site for a data analytics website running in IIS 10.

  • Then you can follow the same article you just linked on your thread, that should be enough.

    techcommunity.microsoft.com/.../873115

  • Thanks. I have "Pass host header" checked, and I just added the X-Forwarded-For custom field in IIS 10 logging. I am still seeing the IP address of the Sophos instead of the client IP. Do I need to do anything else on the Sophos to enable X-Forwarded-For?

  • Ummmm... 😶

    Thanks for the input. So with WAF enabled there is no way to get the client's IP? Seems a little opposite -- with WAF you can be protected, but then all your traffic is anonymous?

  • The question is the use case, what you actually try to do. Because most likely, if you have an application hosted behind a WAF, you move the reporting from the app to the WAF service. Same for ZTNA, for example. You want to extend your reports and compliance reports, and most/some apps are not capable of giving that data; therefore you use a WAF and its reports. 

  • WAF does indeed support X-Forwarded-For.

    I have 17 WAF policies right now, and on all of them all applications are able to get the real IPv4 through the header.

    You can spin up an Nginx instance and enable logging to check it. Here's an example:

    10.0.0.10 - - [27/Oct/2021:19:00:22 -0300] "GET / HTTP/1.1" 200 30279 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
    
    log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent "$http_referer" '
    '"$http_user_agent"' ;
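    The two Nginx snippets in this thread (set_real_ip_from above and the $http_x_forwarded_for log format here) both rely on the same rule: X-Forwarded-For is only meaningful when the request really came from the WAF, because any client can send that header itself. The following is an added example (not from this thread, not Sophos or Nginx code) of how an application should pick the client address from that header. The addresses are constructed: 10.10.10.1 is the WAF address used in the posted config, and 10.0.0.10 (taken from the posted log line) is assumed to be the Nginx hop in front of the app.

```python
import ipaddress
from typing import List, Optional

# Constructed trust list: the WAF (10.10.10.1, from the posted config) and
# the Nginx hop (10.0.0.10, assumed). Only these may vouch for a client IP.
TRUSTED_PROXIES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.10.10.1/32"),
    ipaddress.ip_network("10.0.0.10/32"),
]


def _is_trusted(addr: str, trusted: List[ipaddress.IPv4Network]) -> bool:
    """True if addr parses as an IP and belongs to a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_addr: str, xff_header: Optional[str],
                      trusted: List[ipaddress.IPv4Network] = TRUSTED_PROXIES) -> str:
    """Return the address the app should log or make IP-based decisions on.

    The TCP peer is the only address we know for certain. If the peer is not a
    trusted proxy, the header is ignored: whatever it says was written by the
    client. If the peer is trusted, walk X-Forwarded-For right-to-left (each
    proxy appends itself on the right, as $proxy_add_x_forwarded_for does) and
    the first hop that is not one of our proxies is the real client. Entries
    further left were supplied by an untrusted party and are never used.
    """
    if not _is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # one of our own proxies; keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed candidate: treat as unknown client
        return hop
    # Header empty or consisting only of our proxies: nothing better known.
    return peer_addr


def simulate_chain(client_ip: str) -> str:
    """Constructed walk-through of WAF => Nginx => app for one request.

    The WAF writes the client address into X-Forwarded-For; Nginx appends the
    WAF's address (its $remote_addr) and connects to the app from 10.0.0.10.
    """
    xff_from_waf = client_ip                      # header as set by the WAF
    xff_from_nginx = f"{xff_from_waf}, 10.10.10.1"  # after $proxy_add_x_forwarded_for
    return resolve_client_ip("10.0.0.10", xff_from_nginx)


if __name__ == "__main__":
    # Normal path through the chain: the public client address survives.
    print(simulate_chain("198.51.100.7"))
    # Header sent straight from the internet, bypassing the WAF: ignored.
    print(resolve_client_ip("203.0.113.5", "10.0.0.1"))
    # Client prepended a fake address before reaching the WAF: ignored.
    print(resolve_client_ip("10.0.0.10", "1.2.3.4, 203.0.113.5, 10.10.10.1"))
```

    The same walk is what ASP.NET Core's forwarded-headers middleware and Nginx's real_ip module do internally when given a list of known proxies; the point for an IIS deployment is that logging the raw X-Forwarded-For field shows the header, while any feature that reveals content based on IP should use a resolved value like the one above.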

  • I guess we're going to have to open a case with Sophos on this one. Other than the two settings I've already done, I'm kind of at a loss what to do next. 

  • We have opened a case with Sophos. I will post more when I find out more. This just seems very odd to me that it isn't more straightforward. Very basic example: imagine a site running Google Analytics on it for years, then the customer implements a Sophos WAF. Suddenly all Google Analytics data is irrelevant because all traffic now appears to originate from the firewall, not the public client. I must be missing something, and I hope Sophos can help!