Preserve or retain client IP through WAF

Hello,

I've done some searching on here and many posts I find are 5-10 years old and/or the original poster never came back to confirm whatever was suggested fixed their issue or not. And, for reasons beyond me, these threads are locked so you cannot even chime in to ask if what they did fixed it or not, so here I am.

We just set up WAF and now client IPs are all showing the IP of the Sophos Firewall. How can we preserve or retain the original client IP? We have a few scenarios where something on our web app is revealed to them based on their IP, but now all traffic is showing coming from the LAN IP of the Sophos.

I found one suggestion to make sure "Pass host header" is checked, and other suggestions to use X-Forwarded-For in IIS. Does anyone know what exactly needs to be done? I'm asking here before I simply click the Pass host Header checkbox and/or do the X-Forwarded-For thing, to get some feedback first.

Thanks!



This thread was automatically locked due to age.
  • Ummmm... No mouth

    Thanks for the input. So with WAF enabled there is no way to get the client's IP? Seems a little opposite -- with WAF you can be protected, but then all your traffic is anonymous?

  • The question is the use case, i.e. what you are actually trying to do. Most likely, if you have an application hosted behind a WAF, you move the reporting from the app to the WAF service. The same goes for ZTNA, for example. You want to extend your reports and compliance reports, and most/some apps are not capable of providing that data, so you use a WAF and its reports.

  • WAF does indeed support X-Forwarded-For.

    I have 17 WAF policies right now, and on all of them the applications are able to get the real IPv4 through the header.

    You can spin up an Nginx instance and enable logging to check it. Here's an example:

    10.0.0.10 - - [27/Oct/2021:19:00:22 -0300] "GET / HTTP/1.1" 200 30279 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
    
    log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent "$http_referer" '
    '"$http_user_agent"' ;
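
Added example, not part of the post above: when the application makes a decision based on the client IP, as in the original question, it should honour X-Forwarded-For only on requests that arrive from the WAF and read the header from the right. The WAF address `192.168.10.1` and the function names are constructed for illustration, and the sketch assumes the WAF appends the address it saw as the last entry of the header.

```python
import ipaddress

# Constructed placeholder: replace with the firewall's LAN-side address,
# i.e. the address the backend currently sees on every request.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.10.1/32")]


def _is_trusted(addr, trusted):
    """True if addr belongs to one of the proxy networks we operate."""
    return any(addr in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client for one request.

    remote_addr is the TCP peer of the connection, xff_header is the raw
    X-Forwarded-For value (or None when the header is absent).
    """
    peer = ipaddress.ip_address(remote_addr)

    # A connection that did not come through the WAF gets no say:
    # the header is ignored and the TCP peer is the client.
    if not _is_trusted(peer, trusted) or not xff_header:
        return str(peer)

    # Walk the list right to left. Each trusted hop vouches for the entry
    # to its left; the first untrusted entry is the client. Anything further
    # left was supplied by the client itself and is never used.
    candidate = peer
    for raw in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not _is_trusted(hop, trusted):
            break
    return str(candidate)
```

The same rule applies to logging: a log line built from the raw header, like the `$http_x_forwarded_for` format above, records whatever the header contained, so it is only as reliable as the path the request took to reach the server.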

  • I guess we're going to have to open a case with Sophos on this one. Other than the two settings I've already done, I'm kind of at a loss what to do next.