WAF issue

Hi,

We are having a really strange problem with one of our web servers. We have an SG310, fully patched. Two days ago, when we opened a URL that points to one of the websites behind the UTM, a Chinese website opened; in the address bar we still see the URL of our site, but the content is in Chinese. This website is published to the internet by the WAF. When the site is opened internally we see the right content; when we use the URL from the internet we get the wrong website.

We used a DNAT instead of the WAF and we see the correct website. The WAF is configured correctly and was working for 3 years without any problem. The WAF logs show nothing wrong.

What is going on? Has the UTM been hacked? If this is a MIMA DNS attack, why can we open the URL when using the DNAT?

Any suggestions?



  • I am guessing that the WAF references the real webserver with a DNS host object, and that your DNS resolution is returning an incorrect result. The reasons for such a problem are all worrisome.

    Since DNAT works, there seems no reason to suspect a routing problem.

  • Thank you both for the reply,

    I don't think that there is a problem with the WAF configuration because this WAF rule was configured almost 3 years ago and was working until 2 days ago. The WAF uses a real webserver with a network object that points to the real web server's IP address.

    How should we go about troubleshooting this issue?

    Thanks.
