Question about moving server from DNAT to WAF and source address of incoming packets.

may I warm up this thread by asking you kindly if passing the original source adress is possible with v19?

Sophos Firewall v19 – Xstream SD-WAN - Announcements - SFOS v19 Early Access Program - Sophos Community

Hi lki: Unfortunately no and the reason that's how the WAF works. WAF is a reverse-proxy server by nature. so when any outside request comes to XG over WAF, XG will initiate a new request to a mapped server and due to that, you may only get the actual source IP  by tracking of "X-Forwarded-For" header on the end server.

Hi lki: Unfortunately no and the reason that's how the WAF works. WAF is a reverse-proxy server by nature. so when any outside request comes to XG over WAF, XG will initiate a new request to a mapped server and due to that, you may only get the actual source IP  by tracking of "X-Forwarded-For" header on the end server.

Hi Vishal_R. Many thanks for your reply. So the X-Fowarded-For header should be set on the side, where the WAF rule is mapped to, right?

Hi lki: Yes correct:

Reference snapshot and Doc help section which gives information on same.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/WebServerProtection/WAF/Rules/WAFRuleAdd/index.html

Perfect - I already mentioned that hint on the help section for WAF. For me it was unclear if this is configured on the WAF itself or on the destination, the traffic is forwarded to.

Your help is much appreciated!

Hello Vishal_R, Hello Iki.

This is exactly what I already wrote 2months ago.

So for backend applications it is required to configure the WAF to pass the host header (in SG and XG) and the backend application has to do the job to evaluate the header fields accordingly.

Regards.

T

Hi ThomW, wasn't clear for me, but now I see that using 'pass host header' on WAF rule + configuring header field on destination is necessary.

Hi Iki.

Great. If you want to examine that in your backend web server logs it is normallyy required to change the web server log format. You will find a lot for that for e.q. apache or nginx in the web.

HtH.

Thom