Bypass WAF for specific URL

I have a few HTTPS sites successfully published through my UTM Firewall (mostly Exchange Admin Console/Outlook Web Access).

I'm now trying to set up another application, using a different domain name, but the Web Application Firewall log is reporting the following error:

[proxy_http:error] [pid 35268:tid 4122188656] (-102)Unknown error 4294967194: [client <external client IP>:50024] AH01095: prefetch request body failed to <Application server IP in DMZ>:443 (<Application server IP in DMZ>) from <external client IP> ()

I've created a firewall rule to allow the traffic (with logging enabled), but nothing is showing up in the firewall logs.

Is there any way I can configure UTM not to scan traffic bound for this particular domain/URL, and just pass it straight through?  Obviously, I can't create a NAT rule, as it will break the other HTTPS sites currently working through the UTM.

Or, is there some way I can disable this 'prefetch' attempt that UTM is attempting?


Many thanks



  • Hi Gary, 

    Show us a few more log lines from the reverseproxy.log. Alongside, how about configuring an exception for "web request matching this path" and selecting both Advanced tab options? Does that help?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks for a quick response.

    Whenever I attempt to connect to this URL, the following two lines are logged in the reverseproxy.log:

    reverseproxy: [Tue Feb 21 16:41:28.897685 2017] [proxy_http:error] [pid 35268:tid 3903978352] (-102)Unknown error 4294967194: [client <External Client IP>:50126] AH01095: prefetch request body failed to <Server DMZ IP>:443 (<Server DMZ IP>) from <External Client IP> ()


    reverseproxy: id="0299" srcip="<External Client IP>" localip="<UTM External IP>" size="384" user="-" host="<External Client IP>" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="123430" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="<public FQDN>" referer="-" cookie="-" set-cookie="-"

    I've gone through a few variations of the exception (under Webserver Protection -> Web Application Firewall -> Exceptions); its current configuration is:

    Web clients coming from these source networks:  Any IPv4

    Skip these checks:  All except for 'Block clients with bad reputation'

    Skip these categories:  All

    Advanced:  'Never change HTML during Static URL Hardening or Form Hardening' and 'Accept unhardened form data' both checked.
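As an added illustration (not code from this thread or from Sophos), a small Python parser for the key="value" access entries in reverseproxy.log that flags entries with the symptom discussed here: a non-standard method such as SSTP_DUPLEX_POST or a 413 rejection, even when WAF exceptions are already applied. The IPs and hostnames in the sample lines are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the two reverseproxy.log lines quoted in the thread,
# plus one ordinary OWA request; addresses and names are placeholders.
SAMPLE_LOG = '''\
reverseproxy: [Tue Feb 21 16:41:28.897685 2017] [proxy_http:error] [pid 35268:tid 3903978352] (-102)Unknown error 4294967194: [client 203.0.113.10:50126] AH01095: prefetch request body failed to 192.0.2.20:443 (192.0.2.20) from 203.0.113.10 ()
reverseproxy: id="0299" srcip="203.0.113.10" localip="198.51.100.1" size="384" user="-" host="203.0.113.10" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="123430" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="vpn.example.test" referer="-" cookie="-" set-cookie="-"
reverseproxy: id="0299" srcip="203.0.113.11" localip="198.51.100.1" size="1024" user="-" host="203.0.113.11" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1200" url="/owa/" server="mail.example.test" referer="-" cookie="-" set-cookie="-"
'''

# key="value" pairs; keys may contain '-', values may contain commas and spaces.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}


def parse_access_entry(line: str) -> Dict[str, object]:
    """Parse one id="..." access entry into a dict; return {} for other lines
    (e.g. the free-form [proxy_http:error] message)."""
    if not line.startswith('reverseproxy: id="'):
        return {}
    fields: Dict[str, object] = dict(KV_RE.findall(line))
    raw = str(fields.get("exceptions", ""))
    # "-" means no WAF exception matched this request.
    fields["exceptions"] = [e.strip() for e in raw.split(",") if e.strip() and e.strip() != "-"]
    return fields


def find_prefetch_failures(log_text: str) -> List[Dict[str, object]]:
    """Return access entries showing the pattern from this thread: a method the WAF
    does not treat as plain HTTP (the SSTP tunnel's SSTP_DUPLEX_POST) or a 413,
    which in the quoted logs accompanied the AH01095 prefetch failure."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_access_entry(line)
        if not entry:
            continue
        nonstandard = entry.get("method") not in STANDARD_METHODS
        too_large = entry.get("statuscode") == "413"
        if nonstandard or too_large:
            entry["reasons"] = [name for name, flag in (("nonstandard-method", nonstandard),
                                                         ("413-request-too-large", too_large)) if flag]
            # True when WAF exceptions were already applied yet the request still failed.
            entry["exceptions_applied"] = bool(entry["exceptions"])
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_prefetch_failures(SAMPLE_LOG):
        print(hit["srcip"], hit["method"], hit["statuscode"], hit["reasons"], hit["exceptions_applied"])
```

Running it over a larger reverseproxy.log separates requests the WAF itself rejected from ones that never reached it, which is the distinction the empty firewall log above leaves open.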

  • Hi Gary,

    How about configuring DNAT for these applications which need to be exempted from WAF?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Wouldn't that affect the other HTTPS sites published through the UTM as well?  Or, can I use a FQDN as the "Going to" condition?

  • I've confirmed that. I created a DNAT rule with a protocol of HTTPS, a source of Any IPv4, and a destination of the FQDN for this application with the firewall's external address as its IP.  When in place, it causes other inbound HTTPS traffic through the firewall to fail.


    Or, did I miss something in the configuration of the DNAT Rule?
