
XG loopback rule for WAF with "external" URL

Hi,

I'm trying to set up the web application firewall for an internal webserver.
But the tricky part: I had to use the external URL for this. And that's exactly my problem.

The WAF log says:

[Tue Apr 05 13:42:19.261160 2022] [proxy:error] [pid 31869:tid 140564917860096] (111)Connection refused: AH00957: HTTPS: attempt to connect to IP-OF-URL:443 (URL) failed

Here is my Firewall rule:

And my NAT rule:

I also tried to change "Translated source to MASQ" inside the NAT rule. Without success.

The problem seems to be, that the firewall can't access the URL itself?
External and internal users can use the webserver directly (over the Firewall rule, without the WAF) without any problems.

Hoping anybody of you has any idea.
Many thanks!

Best regards,
Daniel
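The WAF log line quoted above is Apache httpd's mod_proxy error-log format. As an added example that is not part of this thread, here is a small Python parser that pulls the resolved IP, port and configured backend out of such lines and counts failed connect attempts per backend, which makes it obvious when the WAF is dialling the public URL rather than the internal server. The sample lines, the documentation addresses and the function names are mine; the hostname is the thread's example.

```python
import re
from collections import Counter

# Constructed sample in the format the XG WAF writes; the first line is the one from
# the post with IP-OF-URL replaced by a documentation address and URL by the hostname.
SAMPLE_LOG = """\
[Tue Apr 05 13:42:19.261160 2022] [proxy:error] [pid 31869:tid 140564917860096] (111)Connection refused: AH00957: HTTPS: attempt to connect to 203.0.113.10:443 (mygreatwebservice.com) failed
[Tue Apr 05 13:42:19.261400 2022] [proxy_http:error] [pid 31869:tid 140564917860096] [client 198.51.100.7:51234] AH01114: HTTPS: failed to make connection to backend: mygreatwebservice.com
[Tue Apr 05 13:43:02.000100 2022] [proxy:error] [pid 31869:tid 140564917860096] (111)Connection refused: AH00957: HTTPS: attempt to connect to 203.0.113.10:443 (mygreatwebservice.com) failed
"""

# Envelope: [time] [module:level] [pid N:tid N] (errno)text: [client ip:port] message
# The errno and client fields are optional, as in httpd's default ErrorLogFormat.
ENVELOPE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<errstr>[^:]+): )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)
# AH00957 = mod_proxy "attempt to connect to <resolved ip>:<port> (<configured backend>) failed"
AH00957_RE = re.compile(
    r"AH00957: (?P<scheme>\w+): attempt to connect to "
    r"(?P<ip>[^:\s]+):(?P<port>\d+) \((?P<backend>[^)]+)\) failed"
)

def parse_error_log(text):
    """Parse each well-formed line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ENVELOPE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ah_code"] = rec["msg"][:7] if rec["msg"].startswith("AH") else None
        conn = AH00957_RE.search(rec["msg"])
        if conn:  # only connect-failure lines carry backend/ip/port
            rec.update(conn.groupdict())
            rec["port"] = int(rec["port"])
        records.append(rec)
    return records

def backend_failures(records):
    """Count failed connects per (configured backend, resolved ip, port, OS error).
    A backend resolving to a public address means the WAF is dialling the external URL."""
    counts = Counter()
    for rec in records:
        if rec.get("ah_code") == "AH00957":
            counts[(rec["backend"], rec["ip"], rec["port"], rec["errstr"].strip())] += 1
    return counts
```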



  • Does no one have any idea?

    Best regards,
    Daniel

  • I actually could not follow your problem. What do you mean? Can you show us a network flow plan? 


  • Not really. But I will try to find other words:

    Actually, I have a webservice that is made available with a simple DNAT rule (see above).
    Internal IP for example: 10.0.0.1
    External URL for example: mygreatwebservice.com

    Now I want a new URL to make the same webservice available with WAF in front of it.
    Normally I would let the WAF connect to 10.0.0.1 and everything is great.

    But I need the WAF to connect to mygreatwebservice.com instead. And there it says "Connection refused".

    Best regards,
    Daniel

  • DNAT will always have precedence over WAF. So you cannot grab some port 443/80 traffic with WAF and then redirect it via NAT.

    NAT will always grab the traffic. 

    You cannot point the WAF to a DNAT. That is not possible.

    So you would have to disable the NAT and use WAF instead. No need for a Loopback or NAT. 


  • Even if I don't want to use the same external IPs?

    For the WAF I have assigned a completely new external IP, which is not yet used in any DNAT rule.

    Best regards,
    Daniel
