Getting WAF to work

I'm not sure if my setup is working or not, but from what I can tell it's not. I do see things in the log, but it doesn't mention what's being accessed. Also, as a test, I configured google.com as a real server, to see if my website would be redirected to Google (It wasn't).
This is what I did:
(If I didn't mention it, I left it at defaults)

New Real Webserver

Host: mywebname.com



New virtual Webserver
domains:
mywebname.com
mywebname.com

Interface: External

Real Webservers: The real one I configured

Firewall: No Profile

---------------------------------
The Web Application Firewall Live Log has this:

2013:05:14-11:08:24 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="57" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2525" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:09:40 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="57" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="423" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:09:41 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="57" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="263" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:09:43 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="57" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="288" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:09:44 abc reverseproxy: [Tue May 14 11:09:44 2013] [notice] SIGHUP received. Attempting to restart
 
2013:05:14-11:09:45 abc reverseproxy: [Tue May 14 11:09:45 2013] [notice] Apache/2.2.22 (Unix) proxy_html/3.1.2 mod_ssl/2.2.22 OpenSSL/1.0.0k configured -- resuming normal operations
 
2013:05:14-11:12:28 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2436" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:12:41 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="398" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:12:41 abc reverseproxy: [Tue May 14 11:12:41 2013] [notice] SIGHUP received. Attempting to restart
 
2013:05:14-11:12:43 abc reverseproxy: [Tue May 14 11:12:43 2013] [notice] Apache/2.2.22 (Unix) proxy_html/3.1.2 mod_ssl/2.2.22 OpenSSL/1.0.0k configured -- resuming normal operations
 
2013:05:14-11:12:43 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2411" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:13:13 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2452" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:13:13 abc reverseproxy: [Tue May 14 11:13:13 2013] [notice] SIGUSR1 received. Doing graceful restart
 
2013:05:14-11:13:15 abc reverseproxy: [Tue May 14 11:13:15 2013] [notice] Apache/2.2.22 (Unix) proxy_html/3.1.2 mod_ssl/2.2.22 OpenSSL/1.0.0k configured -- resuming normal operations
 
2013:05:14-11:13:15 abc reverseproxy: [Tue May 14 11:13:15 2013] [warn] long lost child came home! (pid 14905)
 
2013:05:14-11:13:15 abc reverseproxy: [Tue May 14 11:13:15 2013] [warn] long lost child came home! (pid 14907)
 
2013:05:14-11:13:15 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2973" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:13:35 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2047" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:13:35 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="453" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:13:38 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="313" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:14:25 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="114" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="562" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:14:33 abc reverseproxy: [Tue May 14 11:14:33 2013] [notice] SIGHUP received. Attempting to restart
 
2013:05:14-11:14:34 abc reverseproxy: [Tue May 14 11:14:34 2013] [notice] Apache/2.2.22 (Unix) proxy_html/3.1.2 mod_ssl/2.2.22 OpenSSL/1.0.0k configured -- resuming normal operations
 
2013:05:14-11:14:34 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="3344" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:14:34 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2187" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:15:29 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2399" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:16:13 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="452" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:16:23 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="311" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:16:23 abc reverseproxy: [Tue May 14 11:16:23 2013] [notice] SIGHUP received. Attempting to restart
 
2013:05:14-11:16:24 abc reverseproxy: [Tue May 14 11:16:24 2013] [notice] Apache/2.2.22 (Unix) proxy_html/3.1.2 mod_ssl/2.2.22 OpenSSL/1.0.0k configured -- resuming normal operations
 
2013:05:14-11:16:24 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="103" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="5981" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:16:54 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="103" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2094" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:16:54 abc reverseproxy: [Tue May 14 11:16:54 2013] [notice] SIGUSR1 received. Doing graceful restart
 
2013:05:14-11:16:56 abc reverseproxy: [Tue May 14 11:16:56 2013] [notice] Apache/2.2.22 (Unix) proxy_html/3.1.2 mod_ssl/2.2.22 OpenSSL/1.0.0k configured -- resuming normal operations
 
2013:05:14-11:16:56 abc reverseproxy: [Tue May 14 11:16:56 2013] [warn] long lost child came home! (pid 16441)
 
2013:05:14-11:16:56 abc reverseproxy: [Tue May 14 11:16:56 2013] [warn] long lost child came home! (pid 16444)
 
2013:05:14-11:16:56 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2491" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:17:13 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2369" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:17:46 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="451" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:17:46 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="311" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
 
2013:05:14-11:30:30 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="903" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-" 
--------------------------------------------------------------------

Is this right? Is the configuration right?
Thanks.
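Every request line in the excerpt above comes from 127.0.0.1 for /lb-status against server "localhost", which is the reverse proxy polling its own health, not a visitor reaching mywebname.com through the WAF. The Python below is an added example (not part of this thread and not a Sophos tool) that parses the two line shapes seen in this live log, separates health checks and Apache daemon notices from genuine client requests, and answers the poster's question mechanically. POSTED_LOG holds three lines copied from the post; CONSTRUCTED_LOG adds one made-up client request (RFC 5737 addresses) to show what a request that actually traversed the WAF would look like.

```python
import re
from typing import Dict, Optional

# The two line shapes seen in the Sophos UTM reverseproxy live log: a syslog-style
# prefix, then either key="value" pairs (a proxied request) or an Apache [level] message.
PREFIX_RE = re.compile(r'^(\S+) (\S+) reverseproxy: (.*)$')
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one live-log line into a dict; returns None for lines that don't match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    timestamp, logsource, rest = m.groups()
    entry = {"timestamp": timestamp, "logsource": logsource}
    if rest.startswith("["):
        # Apache daemon message, e.g. "[notice] SIGHUP received. Attempting to restart"
        entry["kind"] = "daemon"
        entry["message"] = rest
    else:
        entry["kind"] = "request"
        entry.update(KV_RE.findall(rest))  # srcip, host, method, statuscode, url, server, ...
    return entry


def is_health_check(entry: Dict[str, str]) -> bool:
    """The proxy polls itself: GET /lb-status from 127.0.0.1."""
    return (entry["kind"] == "request"
            and entry.get("url") == "/lb-status"
            and entry.get("srcip") == "127.0.0.1")


def summarize(log_text: str) -> Dict[str, object]:
    """Count health checks, daemon notices and real client requests in a log excerpt."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    daemon = [e for e in entries if e["kind"] == "daemon"]
    health = [e for e in entries if is_health_check(e)]
    client = [e for e in entries if e["kind"] == "request" and not is_health_check(e)]
    return {
        "total": len(entries),
        "health_checks": len(health),
        "daemon_messages": len(daemon),
        "restarts": sum(1 for e in daemon if "restart" in e["message"].lower()),
        "client_requests": len(client),
        "client_hosts": sorted({e.get("host", "-") for e in client}),
        "status_codes": sorted({e.get("statuscode", "-") for e in client}),
    }


def waf_saw_client_traffic(log_text: str) -> bool:
    """True only if at least one logged request is not the proxy's own health check."""
    return summarize(log_text)["client_requests"] > 0


# Three lines copied verbatim from the post above.
POSTED_LOG = """\
2013:05:14-11:08:24 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="57" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="2525" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
2013:05:14-11:09:44 abc reverseproxy: [Tue May 14 11:09:44 2013] [notice] SIGHUP received. Attempting to restart
2013:05:14-11:30:30 abc reverseproxy: srcip="127.0.0.1" localip="127.0.0.1" size="115" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" time="903" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
"""

# Constructed: the posted lines plus one made-up client request that did reach the WAF
# (198.51.100.23 and 203.0.113.10 are RFC 5737 documentation addresses, not real hosts).
CONSTRUCTED_LOG = POSTED_LOG + (
    '2013:05:14-11:31:02 abc reverseproxy: srcip="198.51.100.23" localip="203.0.113.10" '
    'size="4812" user="-" host="mywebname.com" method="GET" statuscode="200" reason="-" '
    'extra="-" time="18231" url="/index.html" server="mywebname.com" referer="-" '
    'cookie="-" set-cookie="-"\n'
)

if __name__ == "__main__":
    for name, text in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(name, summarize(text), "-> client traffic seen:", waf_saw_client_traffic(text))
```

Run against the posted excerpt it reports zero client requests, i.e. the WAF was never in the path of the poster's remote test; a successful setup shows request lines whose srcip is the visitor and whose host/server is the configured FQDN.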


This thread was automatically locked due to age.
  • In the Virtual Server, just use FQDNs - no "http://"

    If you want to test WAF from an internal device, use the Internal interface in the Virtual Server and set up DNS to point the FQDN at the IP of "Internal (Address)."  Since you likely have Web Filtering enabled, you'll also want to change the port of the Virtual Server to something other than 80 or 8080.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the response.
    I didn't use any http:// in any of the virtual or real server configs. Just as shown (name obviously changed :) )
    I should have mentioned I'm testing this remotely. Web filtering is disabled.
  • I've been playing with this more, purposefully misconfiguring the real server, virtual server, and Site Path Routing. No matter what I do, I can still access the website without issue. So, I have two questions:

    1) Is there a proper way to test the WAF? Ideally, a firewall profile that blocks everything would let me know at least that my configuration is mostly right.

    2) I currently have a DNAT configured to open port 80 for the webserver, and a Full NAT configured so I can access the webserver from the LAN. Do I need to change or remove these?

    Thanks again.
  • Yes, you've run into what I call Rule #2:

    In general, a packet arriving at an interface is handled only by one of the following, in order:
    DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
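Bob's Rule #2 explains both of the poster's earlier observations: with a DNAT open on port 80, the packet is claimed at stage one and the WAF virtual webserver is never consulted, which is why deliberately breaking the real server, virtual server and site path routing changed nothing. The Python below is an added example, not the thread's own content and not Sophos's implementation: a deliberately simplified precedence model that matches only destination address and port, encodes the three stages exactly as stated above, and uses made-up addresses (RFC 5737 / RFC 1918) to reproduce the poster's setup with and without the DNAT.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    dst_ip: str
    dst_port: int
    target: str                  # internal host the destination is rewritten to


@dataclass(frozen=True)
class Listener:
    """A VPN endpoint or proxy (here a WAF virtual webserver) bound to an interface address."""
    iface: str
    port: int
    name: str


@dataclass(frozen=True)
class FirewallRule:
    dst_port: int
    action: str                  # "allow" or "drop"


@dataclass
class UtmModel:
    iface_ips: Dict[str, str]                       # interface name -> its address
    dnats: List[DnatRule] = field(default_factory=list)
    listeners: List[Listener] = field(default_factory=list)
    firewall: List[FirewallRule] = field(default_factory=list)


def dispatch(model: UtmModel, pkt: Packet) -> Tuple[str, str]:
    """Return (stage, detail) for the first stage that claims the packet, in Rule #2 order."""
    # 1. DNATs first: a matching DNAT rewrites the destination, and the packet
    #    never reaches the proxies below.
    for r in model.dnats:
        if (r.dst_ip, r.dst_port) == (pkt.dst_ip, pkt.dst_port):
            return ("dnat", f"forwarded to {r.target}:{r.dst_port}")
    # 2. Then VPNs and proxies: the WAF listens on the interface address it is bound to.
    for lst in model.listeners:
        if model.iface_ips.get(lst.iface) == pkt.dst_ip and lst.port == pkt.dst_port:
            return ("proxy", lst.name)
    # 3. Finally manual routes and firewall rules.
    for fw in model.firewall:
        if fw.dst_port == pkt.dst_port:
            return ("firewall", fw.action)
    return ("firewall", "drop (implicit default)")


def build_model(with_dnat: bool) -> UtmModel:
    """Constructed reproduction of the poster's setup: a WAF virtual webserver on the
    External interface, port 80, plus an optional port-80 DNAT to the web server.
    All addresses are made up."""
    model = UtmModel(iface_ips={"External": "203.0.113.10", "Internal": "192.168.1.1"})
    if with_dnat:
        model.dnats.append(DnatRule("203.0.113.10", 80, "192.168.1.50"))
    model.listeners.append(Listener("External", 80, "WAF virtual webserver for mywebname.com"))
    model.firewall.append(FirewallRule(80, "allow"))
    return model


def where_does_port80_go(with_dnat: bool) -> str:
    """Which stage handles an inbound HTTP request to the External address."""
    return dispatch(build_model(with_dnat), Packet("203.0.113.10", 80))[0]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"DNAT present={flag}: port 80 handled by",
              dispatch(build_model(flag), Packet("203.0.113.10", 80)))
```

With the DNAT present the model returns ("dnat", ...) and the WAF listener is unreachable; remove the DNAT and the same packet lands on the virtual webserver, so the WAF log should then show the visitor's requests rather than only /lb-status health checks.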