Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 27 subscribers
  • Views 1919 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF and SSL offloading

l0rdraiden

I have a nginx web server, Sophos XG and websites goes through cloudflare.

I am trying to configure the WAF so I tried 2 different things with the same result

One was to create the certificate as explained here https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129866/automated-certificate-renewals-with-waf-and-cloudflare

The problem is, with what certificate and key should I configure my nginx server? none?

Then I tried to generate the certificate in cloudflare I get the cert and the key and I upload both to Sophos and I use that in an application rule and and use the same cert and key in the nginx web server so the nginx is publising the web with that cert, and the traffic Sophos - Nginx is encrypted.

I don't have NAT rules or anything else related to this


The point is, does the WAF inspect the SSL traffic? does it decrypt the traffic and encrypt it again?

I run tests here, https://labs.cloudbric.com/wafer and I see the WAF is working and blocking attacks but it doesn't matter what cert I use, I mean if I use a cert different from what nginx is using the waf still works and block the attacks, so I guess is not decrypting the traffic in any case. How can I be sure is working as intended?



This thread was automatically locked due to age.
Parents
  • +1

    So, your setup right now is Cloudflare => Sophos Firewall (WAF) => Nginx?

    Since the user is connecting to Cloudflare (And Cloudflare is handling TLS), only the WAF (Firewall) will need to do TLS, for the Cloudflare => Sophos Firewall connection - within your network there's no need to deploy TLS on Nginx itself for two reasons:

    1. You already terminating the TLS on the Firewall for the inspection, and since traffic is already inside your network doing TLS again to Nginx would be redundant. (Or a bit useless.) *
    2. And even then, if the Firewall connects to Nginx over TLS, the Firewall itself won't be able to apply any IPS protection (Only the standards WAF protections), since it only works with plain-text HTTP traffic.

    TL;DR: don't do TLS on Nginx, let the WAF handle the encryption.

    *(Unless you don't trust your own network.)

    EDIT: Also, if you're not doing strict TLS on Cloudflare, you can create a new certificate within the Firewall with a high expiry date and use it for the Cloudflare => WAF connection. (So you don't have to worry about the certificate expiring.)

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

Reply
  • +1

    So, your setup right now is Cloudflare => Sophos Firewall (WAF) => Nginx?

    Since the user is connecting to Cloudflare (And Cloudflare is handling TLS), only the WAF (Firewall) will need to do TLS, for the Cloudflare => Sophos Firewall connection - within your network there's no need to deploy TLS on Nginx itself for two reasons:

    1. You already terminating the TLS on the Firewall for the inspection, and since traffic is already inside your network doing TLS again to Nginx would be redundant. (Or a bit useless.) *
    2. And even then, if the Firewall connects to Nginx over TLS, the Firewall itself won't be able to apply any IPS protection (Only the standards WAF protections), since it only works with plain-text HTTP traffic.

    TL;DR: don't do TLS on Nginx, let the WAF handle the encryption.

    *(Unless you don't trust your own network.)

    EDIT: Also, if you're not doing strict TLS on Cloudflare, you can create a new certificate within the Firewall with a high expiry date and use it for the Cloudflare => WAF connection. (So you don't have to worry about the certificate expiring.)

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

Children
  • 0 in reply to Prism

    Thanks, now I understand it better Slight smile

    Why do you say the IPS won't work? Inside the WAF rule there is an IPS option to enable it, Is there a way to make the IPS work as well? Even if it's only HTTP traffic must do something.

    If I would want to effectively use the IPS do I need to create a standard fw rule configure SSL inspection and enable IPS in that rule?

    There is a huge problem with the WAF and the home license, in order to whitelist an ID you need to go to the advanced shell and see the logs and now I am not able to see the ID and whitelist them.

    In any case Cloudflare lets you generate certs for 15 year.

  • 0 in reply to l0rdraiden

    You can only apply IPS on WAF if the Firewall is connecting to the internal web server through plain-text HTTP. (Not HTTPS)

    Why? I don't know, but you can test this by yourself by creating two WAF Policies, one with the Web Server through HTTP and another through HTTPS, then trigger the IPS by trying to access "domain(.)com/../../etc/passwd".

    If you get a "Proxy Error", It means IPS managed to block the connection. (You can check the log viewer afterwards.)

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • 0 in reply to Prism

    Thanks, I guess you have saved me a lot of time troubleshooting.

    Right now WAF feels half backed I can't even use client certificates for authentication or TLS 1.3

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?