Bypass WAF for specific URL

I have a few HTTPS sites successfully published through my UTM Firewall (mostly Exchange Admin Console/Outlook Web Access).

I'm now trying to set up another application, using a different domain name, but the Web Application Firewall log is reporting the following error:

[proxy_http:error] [pid 35268:tid 4122188656] (-102)Unknown error 4294967194: [client <external client IP>:50024] AH01095: prefetch request body failed to <Application server IP in DMZ>:443 (<Application server IP in DMZ>) from <external client IP> ()

I've created firewall rule to allow the traffic (with logging enabled), but nothing is showing up in the firewall logs.

Is there any way I can configure UTM not to scan traffic bound for this particular domain/URL, and just pass it straight through?  Obviously, I can't create a NAT rule, as it will break the other HTTPS sites currently working through the UTM.

Or, is there some way I can disable this 'prefetch' attempt that UTM is attempting?


Many thanks



  • Hi Gary, 

    Show us a few more log lines from the reverseproxy.log. Alongside, how about configuring an exception for "web request matching this path" and selecting both Advanced tab options? Does that help?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks for a quick response.

    Whenever I attempt to connect to this URL, the following two lines are logged in the reverseproxy.log:

    reverseproxy: [Tue Feb 21 16:41:28.897685 2017] [proxy_http:error] [pid 35268:tid 3903978352] (-102)Unknown error 4294967194: [client <External Client IP>:50126] AH01095: prefetch request body failed to <Server DMZ IP>:443 (<Server DMZ IP>) from <External Client IP> ()


    reverseproxy: id="0299" srcip="<External Client IP>" localip="<UTM External IP>" size="384" user="-" host="<External Client IP>" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="123430" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="<public FQDN>" referer="-" cookie="-" set-cookie="-"

    I've gone through a few variations of the exception (under Webserver Protection -> Web Application Firewall -> Exceptions); its current configuration is:

    Web clients coming from these source networks:  Any IPv4

    Skip these checks:  All except for 'Block clients with bad reputation'

    Skip these categories:  All

    Advanced:  'Never change HTML during Static URL Hardening or Form Hardening' and 'Accept unhardened form data' both checked.

  • Hi Gary,

    How about configuring DNAT for these applications which need to be exempted from WAF?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Wouldn't that affect the other HTTPS sites published through the UTM as well?  Or, can I use a FQDN as the "Going to" condition?

    I've confirmed that. I created a DNAT rule with a protocol of HTTPS, a source of Any IPv4, and a destination of the FQDN for this application with the firewall's external address as its IP.  When in place, it causes other inbound HTTPS traffic through the firewall to fail.


    Or, did I miss something in the configuration of the DNAT Rule?

  • Hi Gary,

    Yes, DNAT will affect other HTTPS traffic, and the 'Going to' condition will not work with an FQDN. An additional WAN IP address to host the application which is not hosted through WAF can do the job. Alongside, looking at the log line:

    reverseproxy: id="0299" srcip="<External Client IP>" localip="<UTM External IP>" size="384" user="-" host="<External Client IP>" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="123430" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="<public FQDN>" referer="-" cookie="-" set-cookie="-"

    • reason: If the request was not intercepted by WAF, this field contains the value "-". Hence, the request is passed.
    • statuscode=413: If the client sends an invalid Content-Length header, the client receives an HTTP 413 (Request Entity Too Large) answer.

    I don't think the UTM WAF proxy is blocking the requests, but can you show me pictures of the configuration and the exception policy? Make sure all the tabs are extended in the screenshot.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
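    The two reverseproxy.log line types quoted above (the AH01095 prefetch failure and the key="value" access record) can be paired up automatically when triaging. This is an added example, not code from the thread or from Sophos; the sample log lines below are constructed from the quoted entries, with the redacted addresses replaced by RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the two entries quoted in the thread; the
# redacted addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
reverseproxy: [Tue Feb 21 16:41:28.897685 2017] [proxy_http:error] [pid 35268:tid 3903978352] (-102)Unknown error 4294967194: [client 203.0.113.10:50126] AH01095: prefetch request body failed to 192.0.2.20:443 (192.0.2.20) from 203.0.113.10 ()
reverseproxy: id="0299" srcip="203.0.113.10" localip="198.51.100.1" size="384" user="-" host="203.0.113.10" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="123430" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="vpn.example.test" referer="-" cookie="-" set-cookie="-"
reverseproxy: id="0299" srcip="203.0.113.11" localip="198.51.100.1" size="512" user="-" host="203.0.113.11" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="2310" url="/owa/" server="mail.example.test" referer="-" cookie="-" set-cookie="-"
"""

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
PREFETCH_RE = re.compile(r'\[client (?P<client>[\d.]+):\d+\] AH01095: prefetch '
                         r'request body failed to (?P<backend>[\d.]+):(?P<port>\d+)')

def parse_access_record(line: str) -> Dict[str, str]:
    """Turn one key="value" access record into a dict (empty for other lines)."""
    if not line.startswith('reverseproxy: id='):
        return {}
    return dict(KV_RE.findall(line))

def skipped_checks(record: Dict[str, str]) -> List[str]:
    """Checks the exception skipped for this request; '-' means none."""
    raw = record.get('exceptions', '-')
    return [] if raw == '-' else [e.strip() for e in raw.split(',')]

def triage(log_text: str) -> List[Dict[str, str]]:
    """Pair each AH01095 prefetch failure with the 413 access record that follows.
    reason="-" means the WAF did not intercept, so the 413 is the proxy rejecting
    the request body (bad Content-Length), not a WAF rule hit."""
    pending: Dict[str, str] = {}  # client IP -> backend of last prefetch failure
    findings = []
    for line in log_text.splitlines():
        m = PREFETCH_RE.search(line)
        if m:
            pending[m['client']] = f"{m['backend']}:{m['port']}"
            continue
        rec = parse_access_record(line)
        if rec.get('statuscode') == '413' and rec.get('reason') == '-':
            findings.append({
                'srcip': rec['srcip'], 'method': rec['method'],
                'server': rec['server'], 'url': rec['url'],
                'prefetch_backend': pending.pop(rec['srcip'], 'none'),
                'checks_skipped': str(len(skipped_checks(rec))),
            })
    return findings
```

A finding whose prefetch_backend is set and whose checks_skipped is high is the pattern in this thread: the exception is applied, the WAF does not intercept, and the request still fails at the proxy's body prefetch.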

  • I'm not able to get screenshots at the moment, I'll have to add them later on.

    That's interesting, I have tested by moving the same client machine onto the same DMZ Subnet as the server, which worked as expected.  By a process of elimination this suggests the UTM is what's blocking the traffic.  Is there another part of UTM which could be blocking the connection?  Is there anywhere I can configure the UTM to allow traffic with an invalid content-length header sent to this server?

  • Gary, have you tried creating a separate Virtual Server to have access to this FQDN pass through with no Filter in place?  If that works, then you can add protections until the access fails.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Many thanks for your feedback, I'm afraid I haven't been able to look at this for a few days.

    There is a separate Virtual Server under Webserver Protection -> Web Application Firewall -> Virtual Webservers, with the certificate attached for this FQDN.  Is that what you're referring to?  This Virtual Webserver is using a firewall profile in 'Monitor' mode, with all the options unchecked under 'Hardening & Signing' and 'Filtering'.

    Have I missed somewhere where I can configure the filtering to be bypassed?


    Many thanks

  • Please see below screenshot.  Does this help at all?
