Sophos XGS: How to configure WAF feature on Sophos XGS

Overview

This article explains how to configure the Web Application Protection (WAF) feature on a Sophos XGS firewall. With WAF, the Sophos firewall itself is the endpoint that clients on the Internet talk to, and it forwards their requests to the web server, instead of simply passing packets through to the web server as a NAT rule would. This helps protect the web server from external attacks while keeping web traffic stable.

Diagram

Configuration steps

  • Configure Ubuntu web server with IP local 172.18.18.50/24
  • Configure WAF feature on Sophos XGS to public ubuntu web server
  • Access to the web server from outside
  • Result

How to configure

Configure the Ubuntu web server with the local IP 172.18.18.50/24 and the domain www.test.com.

Configure WAF feature on Sophos XGS to public Ubuntu web server

Create a host object for the Ubuntu web server on Sophos XGS

  • Go to SYSTEM -> Choose Hosts and services -> Choose IP host -> Click Add
  • Enter a name
  • In IP version: Choose IPv4
  • In Type: Choose IP
  • In IP address: Enter the IP address of the Ubuntu web server (172.18.18.50)
  • Click Save

Create the web server on Sophos XGS

  • Go to PROTECT -> Choose Web server -> Choose Web servers -> Click Add
  • Enter a name
  • In Host: Choose the Ubuntu web server host created above
  • In Type: Choose Plaintext (HTTP) because the web server has no SSL certificate (choose Encrypted (HTTPS) if the web server has an SSL certificate)
  • In Port: Keep the default port
  • Enable Keep alive
  • Click Save

Create the WAF firewall rule

  • Go to PROTECT -> Choose Rules and policies -> Choose Firewall rules -> Click Add firewall rule -> Choose New firewall rule
  • Enter a name
  • In Rule position: Choose Top
  • In Rule group: Choose None
  • In Action: Choose Protect with web server protection
  • In Hosted address: Choose the WAN interface that external clients will connect to
  • In Listening port: Choose port 80 if the web server has no SSL certificate; choose HTTPS with port 443 if it has one
  • If you choose HTTPS: Choose the SSL certificate imported earlier (see the import instructions below) **
  • In Domains: Enter the public web domain (www.test.com)
  • In Web server: Choose the web server created above
  • In Advanced: Choose the security features you want to apply to the web server
  • Choose Pass host header if the Host header sent by the client should be forwarded unchanged to the web server
  • Choose Rewrite HTML if the web server's public domain differs from its local domain name
  • Choose Disable compression support if you do not want traffic to the web server to be compressed
  • Click Save

** Instructions to import the web server's SSL certificate, if it has one

  • Copy the SSL certificate and its private key from the Ubuntu web server to your computer
  • Go to SYSTEM -> Choose Certificates -> Choose Certificates -> Click Add
  • Upload both files: the certificate file and the key file
  • Click Save

Access the web server from outside

Because this is my lab environment and the domain test.com is not registered, you need to edit the hosts file on the external machine that will access the web server.

  • To edit the hosts file on Windows 10, go to the folder C:\Windows\System32\drivers\etc
  • Copy the hosts file to the desktop and open it with Notepad -> Then add the following line -> Click Save
  • Then copy the edited hosts file from the desktop back over the old hosts file in the folder C:\Windows\System32\drivers\etc
  • Then access the domain test.com from a browser on that machine
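The hosts-file edit above can be done safely with a small script instead of copying the file back and forth. The following is an added example, not part of the original article: it maps test.com and www.test.com to the firewall's WAN address, removes any stale entry for those names first (so running it twice never leaves two conflicting lines), and keeps comments and unrelated entries untouched. The WAN address 203.0.113.10 is a constructed placeholder; use the address you selected under Hosted address in the firewall rule. On Windows the script must run from an elevated (Administrator) prompt because the hosts file is write-protected for normal users.

```python
"""Add or refresh hosts-file entries so a lab domain resolves to the WAF's
WAN address.  Added example; not code from the original article.
"""
from pathlib import Path

# Default Windows hosts file location (the same folder the article uses).
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")
# Placeholder WAN address (TEST-NET-3); replace with the XGS 'Hosted address'.
WAN_IP = "203.0.113.10"
NAMES = ("test.com", "www.test.com")


def upsert_hosts_entries(text: str, ip: str, names) -> str:
    """Return `text` with every name in `names` mapped to `ip`.

    Existing mappings for those names are removed first, so the result never
    contains a stale address for the lab domain and the function is
    idempotent.  Hostnames are compared case-insensitively, as a resolver
    does.  Comment-only and blank lines are preserved verbatim, and a line
    that maps our names together with other names keeps the other names.
    """
    wanted = {n.lower() for n in names}
    out = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            # blank line, comment-only line, or malformed line: keep as-is
            out.append(line)
            continue
        remaining = [h for h in fields[1:] if h.lower() not in wanted]
        if len(remaining) == len(fields) - 1:
            out.append(line)                      # does not mention our names
        elif remaining:
            rebuilt = " ".join([fields[0], *remaining])
            if sep:
                rebuilt += "  #" + comment        # keep the trailing comment
            out.append(rebuilt)                   # drop only our names
        # else: the line mapped only our names -> drop it, it is replaced below
    out.append(f"{ip} {' '.join(names)}  # added for Sophos XGS WAF test")
    return "\n".join(out) + "\n"


def lookup(text: str, name: str):
    """Address that `text` maps `name` to, or None.

    Mirrors resolver behaviour: the first matching uncommented line wins.
    """
    for line in text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and any(h.lower() == name.lower() for h in fields[1:]):
            return fields[0]
    return None


def write_hosts(path: Path = WINDOWS_HOSTS, ip: str = WAN_IP, names=NAMES) -> None:
    """Rewrite the hosts file in place (needs an elevated prompt on Windows)."""
    original = path.read_text(encoding="utf-8")
    path.write_text(upsert_hosts_entries(original, ip, names), encoding="utf-8")


if __name__ == "__main__":
    write_hosts()
    print(lookup(WINDOWS_HOSTS.read_text(encoding="utf-8"), "www.test.com"))
```

After running it, `ping www.test.com` on the external machine should answer from the WAN address, and the browser request for test.com will reach the WAF rule whose Domains field matches that name. To undo the change, delete the line ending in the `# added for Sophos XGS WAF test` comment.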

Result

  • Check access
  • Check traffic on Sophos XGS
  • Check log on Sophos XGS
