With WAF rules, you can protect web applications from attacks and data leakage by filtering
HTTP traffic.
You configure a WAF rule for an IP address assigned to a network interface, port, and one
or more domain names. Sophos Firewall matches traffic based on the IP address assigned
to the interface.
For HTTPS traffic, it uses Server Name Indication (SNI) to determine the server that
corresponds to the hostname in the client request.
Available options: Top, Bottom.

Rule group: Specify the rule group to which you want to add the firewall rule. You can also create a new rule group by using Create new from the list.

Exchange Autodiscover
Exchange Outlook Anywhere
Exchange General
Microsoft Lync
Microsoft Remote Desktop Gateway 2008 and R2
Microsoft Remote Desktop Web 2008 and R2
Microsoft Sharepoint 2010 and 2013
Hosted address: Select the public IP address assigned to an interface through which users access the internal server or host. The WAF rule is bound to the IP address assigned to the interface. You can use the public IP address assigned to the interface or use an alias to bind the required public IP address.
When a client establishes a connection and accesses the web server, the web server obtains the interface address of the web application firewall (WAF) and not the client's IP address. The HTTP header X-Forwarded-For carries the client's IP address.

Listening port: Enter the port number on which to reach the hosted web server. The defaults are port 80 for HTTP and port 443 for HTTPS.
You can use the same port (for example, 443) for SSL VPN and WAF. In this case, SSL VPN works on any IP address except the IP address (Hosted address) configured for WAF.
WAF can't share the same port as the user portal. The default user portal port is 443.
You can't use some ports as these are reserved by the firewall for system services. For details, see Reserved ports.

HTTPS: If you turn this on, the hosted server is accessible through HTTPS and not through HTTP.

Domains: Enter the FQDN configured for the web server, for example, shop.example.com. You can use the wildcard *. at the start of a domain name only. Example: *.company.com
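Because the web server only ever sees the WAF's interface address as the TCP peer, it has to recover the real client from X-Forwarded-For, and it must do so only when the peer really is the WAF. The following Python is an added example, not Sophos code; the hosted address is a constructed value, and it assumes the WAF appends to an existing X-Forwarded-For header as proxies conventionally do.

```python
import ipaddress

# Constructed value: the WAF's Hosted address, the only peer the backend lets
# set X-Forwarded-For. In a deployment this is the interface IP the rule is bound to.
WAF_HOSTED_ADDRESS = ipaddress.ip_address("203.0.113.10")


def client_ip(peer_addr, headers):
    """Return the address a request should be attributed to (logs, rate limits).

    The WAF connects from its own interface address and carries the original client
    in X-Forwarded-For. That header is trusted only when the TCP peer is the WAF;
    from any other peer (a request that did not pass through the WAF) the header is
    client-controlled and is ignored, and the peer itself is the client.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer != WAF_HOSTED_ADDRESS:
        return peer
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    # Assumption: the WAF appends the address it saw, so the last entry is the one
    # the WAF wrote; any earlier entries were supplied by the client and are unverified.
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        # Malformed header: fall back to the peer rather than trusting garbage.
        return peer
```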
5. Specify the details of the Protected servers. You can specify the web servers, authentication method, and allowed and blocked client networks. If you select path-specific routing, in addition to these settings, you can bind sessions to servers, specify the primary and backup servers, and use the WebSocket protocol.
Note: If you select multiple web servers, requests are balanced between the web servers.
If you don't want to configure path-specific routing, specify the Web servers and Access permissions.
Web server: Select the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.

Allowed client networks: Specify the IP addresses and networks that can connect to the hosted web server.

Blocked client networks: Specify the IP addresses and networks to block from connecting to the hosted web server.
Note: Sophos Firewall doesn't evaluate requests based on the order of path listing. It applies the paths, starting with the longest path and ending with the default path route. The default path is used only if a more specific path doesn't match the request.
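The longest-match rule above, written out as an added Python example (not Sophos code) so the behaviour can be checked against a route table: listing order is ignored, the longest matching path wins, "/" is used only as a fallback, and with no default route an unmatched request is denied. The segment-boundary matching rule is an assumption.

```python
def select_route(request_path, routes):
    """Return the web server configured for request_path, or None to deny.

    routes maps each configured path to a server name; "/" is the default path.
    The order the paths were listed is irrelevant: the longest configured path
    that matches wins, and "/" is used only when no more specific path matches.
    With no match and no default route the request is denied (None).
    """
    candidates = [p for p in routes if p != "/" and _path_matches(p, request_path)]
    if candidates:
        return routes[max(candidates, key=len)]
    return routes.get("/")


def _path_matches(configured, requested):
    # Assumption: a configured path matches itself and everything below it at a
    # path-segment boundary, so "/shop" covers "/shop/cart" but not "/shopping".
    base = configured.rstrip("/")
    return requested == base or requested.startswith(base + "/")
```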
Some instances in which you can specify path-specific routing are as follows:
Default path (path /): Select the edit button and select a web server for the default path. Requests that don't match a listed path are sent to the default route. If you delete the default route, Sophos Firewall denies requests that don't

Web server: Select the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.

Allowed client networks: Specify the IP addresses and networks that can connect to the hosted web server. Sophos Firewall only implements the protection for IP host type IP and Network. Don't specify an IP range or IP list.

Blocked client networks: Specify the IP addresses and networks to block from connecting to the hosted web server.

Sticky session cookie: Turn it on to bind a session to a web server. Sophos Firewall forwards a cookie to the user's browser, enabling it to route requests from the browser to the same web server. If the server isn't available, the cookie is updated, and the session is switched to another web server.

Hot-standby mode: Turn it on to send all requests to the first selected web server. The other web servers remain as backup servers and are used if the first server fails. When the main server starts functioning again, the sessions are switched back to it. If you select Sticky session cookie, the session

WebSocket passthrough: Turn it on to allow applications hosted on the specified site path to use the WebSocket protocol. Since RFC standards don't specify the protocol's data format, checks can't be implemented and WebSocket traffic is allowed without protection.
Paths: Specify the paths for which you want to create an exception. You can use wildcards in the paths. Example: /products/*/images/*

Operation: Select the Boolean operation for paths and source networks.

Sources: Specify the IP addresses, range, list, or networks from which the traffic originates.

Cookie signing: Skips the check for cookie tampering. Cookie signing mitigates attempts to obtain private session data and engage in fraudulent activity by tampering with cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built from the primary cookie's name and value and a secret known only to Sophos Firewall. If a request can't provide the correct cookie pair, the cookie is dropped.

Static URL hardening: Allows rewritten links for the specified paths and source networks.
Static URL hardening prevents users from manually constructing deep links that lead to unauthorized access. When a client requests a website, all static URLs of the website are signed using a procedure similar to cookie signing. In addition, the response from the web server is analyzed regarding which links can be validly requested next.
When you turn on static URL hardening, the entries for URL paths become case-sensitive. For example, if you add the path /rule.html and users enter /Rule.html, Sophos Firewall reports that the signature can't be found.

Form hardening: Skips checks for web form rewriting. To prevent tampering with forms, Sophos Firewall saves the original structure of a web form and signs it. If the structure has changed when the form is submitted, Sophos Firewall rejects the request.

Antivirus: Skips anti-virus scanning for requests from the specified source networks and to the paths that you specify.

Block clients with bad reputation: Skips checks for clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information.
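The cookie signing mechanism described above (a second cookie carrying a keyed hash of the primary cookie's name and value, with the cookie dropped when the pair does not verify) is illustrated by this added Python example. It is not Sophos code: the secret is constructed, the signature cookie name is a hypothetical choice, and HMAC-SHA256 stands in for whatever hash the product uses.

```python
import hashlib
import hmac
import secrets

# Constructed secret; in the product the secret is known only to Sophos Firewall.
WAF_SECRET = secrets.token_bytes(32)
# Hypothetical naming for the companion cookie; the real name is not documented here.
SIG_PREFIX = "__sig_"


def sign_cookie(name, value, secret=WAF_SECRET):
    """Return the (name, value) of the signature cookie added alongside a Set-Cookie.

    The HMAC covers both the primary cookie's name and its value, so a signature
    cannot be moved to a different cookie or kept across a changed value. Cookie
    names cannot contain "=", so "name=value" is unambiguous as the MAC input.
    """
    mac = hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return SIG_PREFIX + name, mac


def filter_cookies(cookies, secret=WAF_SECRET):
    """Return only the cookies whose signature cookie is present and correct.

    cookies is the request's Cookie header parsed into a dict. A primary cookie
    with a missing or wrong signature is dropped, and signature cookies themselves
    are consumed so the web server never sees them.
    """
    kept = {}
    for name, value in cookies.items():
        if name.startswith(SIG_PREFIX):
            continue
        sig_name, expected = sign_cookie(name, value, secret)
        presented = cookies.get(sig_name, "")
        # Constant-time comparison so the check does not leak via timing.
        if hmac.compare_digest(presented, expected):
            kept[name] = value
    return kept
```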
9. Specify the Advanced settings.
Disable compression support: When clients request compressed data, Sophos Firewall sends data in compressed form.
Select this setting to turn off compression if web pages appear incorrectly or if users experience content-encoding errors. Sophos Firewall then requests uncompressed data from web servers and sends it to the client irrespective of the request's encoding parameter.

Rewrite HTML: Select to rewrite the links of returned web pages to retain link validity.
Example: If a web server's hostname is yourcompany.local, but the hosted web server's hostname is yourcompany.com, absolute links like <a href="http://yourcompany.local/"> are broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client.
We recommend that you use the option with Microsoft Outlook web access or SharePoint portal server.
HTML rewriting affects all files with HTTP content type text/* or *xml*. * is a wildcard. To prevent corruption during HTML rewriting, make sure that other file types (example: binary files) have the correct HTTP content type.

Pass host header: Select to forward the host header requested by the client to the web server.
You can use this to match the requested hostname with the web server when you've hosted more than one website on a server.
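The Rewrite HTML behaviour, as an added Python example that is not Sophos code: absolute links to the internal hostname are rewritten to the hosted hostname, but only for the content types the documentation names (text/* or anything containing xml), which is why a binary file served with a wrong text content type would be corrupted. The hostnames are the page's own example values.

```python
import re


def is_rewritable(content_type):
    """True for the content types HTML rewriting touches: text/* or any type containing xml."""
    media = content_type.split(";")[0].strip().lower()
    return media.startswith("text/") or "xml" in media


def rewrite_html(body, content_type, internal_host, public_host):
    """Rewrite absolute links to internal_host so they point at public_host.

    Bodies of other content types (binary files, for example) are returned
    unchanged, which is why such files need a correct Content-Type header.
    The host is only rewritten when followed by a URL delimiter or end of text,
    so "yourcompany.local" does not match inside "yourcompany.localhost".
    """
    if not is_rewritable(content_type):
        return body
    pattern = re.compile(
        r"(https?://)" + re.escape(internal_host) + r'(?=[/:?#"\'\s<>]|$)',
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: m.group(1) + public_host, body)
```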
10. Click Save. When you save a new or edited web server protection rule, Sophos
Firewall restarts all web server rules. Live connections using any of these rules
will be lost and need to be re-established.
You can see the WAF rule you created in the Firewall rules table.