This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bypass WAF for specific URL

I have a few HTTPS sites successfully published through my UTM Firewall (mostly Exchange Admin Console/Outlook Web Access).

I'm now trying to set up another application, using a different domain name, but the Web Application Firewall log is reporting the following error:

[proxy_http:error] [pid 35268:tid 4122188656] (-102)Unknown error 4294967194: [client <external client IP>:50024] AH01095: prefetch request body failed to <Application server IP in DMZ>:443 (<Application server IP in DMZ>) from <external client IP> ()

I've created firewall rule to allow the traffic (with logging enabled), but nothing is showing up in the firewall logs.

Is there any way I can configure UTM not to scan traffic bound for this particular domain/URL, and just pass it straight through? Obviously, I can't create a NAT rule, as it will break the other HTTPS sites currently working through the UTM.

Or, is there some way I can disable this 'prefetch' attempt that UTM is attempting?

Many thanks

This thread was automatically locked due to age.

0 BAlfson over 8 years ago in reply to Gary Burch

You shouldn't need an Exception, Gary. Just start with ::No profile:: selected. I suspect the issue is with your Virtual Server configuration. Is there anything interesting in the Web Application Firewall log?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary Burch over 8 years ago in reply to BAlfson

Hi Bob,

I've changed the firewall profile to ::No profile:: and tested again, same results as before.

There are two lines logged in the web application firewall whenever I attempt to access this service - they're in my post above on 21 Feb 2017 4:51 PM.

If I disable the interface on the Server in the DMZ where I want UTM to forward this traffic to, I get different errors in the logs to indicate that it can't connect to it. From the client end, it appears exactly the same as when the server is running though.

I know that the actual server is working, as I can connect a device (the same client I'm testing from) onto the same subnet as the server, and it connects without issues.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to Gary Burch

It sounds like the only solution is to change the port used for that access or to use an Additional IP so that a DNAT is possible.

Cheers - bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary Burch over 8 years ago in reply to BAlfson

Unfortunately, neither of these options are possible.

Many thanks for the input.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to Gary Burch

What does Sophos Support say about this, Gary?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary Burch over 8 years ago in reply to BAlfson

I'm running a home license, so I don't think I'm able to raise tickets with Sophos Support.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to Gary Burch

You're right, Gary, you can't. At this point, you need to get an additional IP from your ISP.

An alternative would be to find a friend that will accept inbound HTTP traffic and Full NAT it over to you on a different port. You can then capture the packets with a DNAT. Your friend has to use a Full NAT though because the response back from your web server must come from his IP.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel