
Add a web server protection (WAF) rule

With WAF rules, you can protect web applications from attacks and data leakage by filtering
HTTP traffic.

You configure a WAF rule for an IP address assigned to a network interface, port, and one
or more domain names. Sophos Firewall matches traffic based on the IP address assigned
to the interface.

For HTTPS traffic, it uses Server Name Indication (SNI) to determine the server that
corresponds to the hostname in the client request.

1. Go to Rules and policies > Firewall, select IPv4 and click Add firewall rule.


2. Rules are turned on by default. You can turn off a rule if you don’t want to apply
its matching criteria.
3. Enter the general details.

Rule name: Enter a name.

Rule position: Specify the position of the rule. Available options:
- Top
- Bottom

Rule group: Specify the rule group to which you want to add the firewall rule. You can also create a new rule group by using Create new from the list.

If you select Automatic, the firewall rule is added to an existing group based on the first match with the rule type and source-destination zones.

Action: Select Protect with web server protection.

Preconfigured template: Select a template to apply:
- None: Specify the web server protection details.
- Exchange Autodiscover
- Exchange Outlook Anywhere
- Exchange General
- Microsoft Lync
- Microsoft Remote Desktop Gateway 2008 and R2
- Microsoft Remote Desktop Web 2008 and R2
- Microsoft Sharepoint 2010 and 2013

4. Enter the Hosted server details.

Hosted address: Select the public IP address assigned to an interface through which users access the internal server or host. The WAF rule is bound to the IP address assigned to the interface.

You can use the public IP address assigned to the interface or use an alias to bind the required public IP address.

When a client establishes a connection and accesses the web server, the web server obtains the interface address of the web application firewall (WAF) and not the client's IP address. The HTTP header X-Forwarded-For carries the client's IP address.

Listening port: Enter the port number on which to reach the hosted web server. The defaults are port 80 for HTTP and port 443 for HTTPS.

You can use the same port (for example, 443) for SSL VPN and WAF. In this case, SSL VPN works on any IP address except the IP address (Hosted address) configured for WAF.

WAF can't share the same port as the user portal. The default user portal port is 443.

You can't use some ports as these are reserved by the firewall for system services. For details, see Reserved ports.

HTTPS: If you turn this on, the hosted server is accessible through HTTPS and not through HTTP.

HTTPS certificate: If you selected HTTPS, select the certificate.

Sophos Firewall supports SNI (Server Name Indication), allowing you to create more than one virtual web server that's accessible over the same IP address and port. You can assign a different certificate to each server. Servers are presented to clients based on the requested hostname.

To create or upload a certificate, go to Certificates > Certificates.

Redirect HTTP: Select to redirect port 80 traffic to port 443.

Domains: Enter the FQDN configured for the web server, for example, shop.example.com.

If you've turned on HTTPS, domain names of the selected HTTPS certificate show in the list. You can edit or delete these or add new domain names.

You can use the wildcard *. at the start of a domain name only.

Example: *.company.com

A single WAF policy supports multiple wildcard domains. Virtual web servers with wildcard domains are only matched when there are no virtual web servers with specific domains configured.

Example: A client request to the domain test.company.com matches test.company.com before it matches *.company.com, and matches *.company.com before *.com.

5. Specify the details of the Protected servers. You can specify the web servers, authentication method, and allowed and blocked client networks. If you select path-specific routing, in addition to these settings, you can bind sessions to servers, specify the primary and backup servers, and use the WebSocket protocol.

Note
If you select multiple web servers, requests are balanced between the web servers.

If you don't want to configure path-specific routing, specify the Web servers and Access permissions.

Web server: Select the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.

Allowed client networks: Specify the IP addresses and networks that can connect to the hosted web server.

Blocked client networks: Specify the IP addresses and networks to block from connecting to the hosted web server.

Authentication: Specify an authentication profile for web applications.

6. Select Path-specific routing to forward specific path requests to the selected web servers. For example, if you specify the domain www.test.com, the path /web, and the web server Web server 1, a request for www.test.com/web is forwarded to Web server 1.

Note
Sophos Firewall doesn't evaluate requests based on the order of path listing. It applies the paths, starting with the longest path and ending with the default path route. The default path is used only if a more specific path doesn't match the request.

Some instances in which you can specify path-specific routing are as follows:

- Send requests with a specific path (example: /products/) to a specific web server.
- Bind each session to a web server, using Sticky session cookie. Example: If you host an e-commerce site and want a single server to serve users for the duration of a shopping session.
- Send all requests to the specified web server with the others remaining as backup servers, using Hot-standby mode.
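The two matching rules on this page, specific-before-wildcard domain selection from the Domains setting in step 4 and longest-path-first routing from the note above, modelled as an added example. This is not Sophos code: the configuration is constructed, and treating a configured path as a prefix of the request path is an assumption about the firewall's matching semantics.

```python
# Added example (not Sophos code): models how a WAF rule picks the virtual web
# server for a hostname and then the web server for a path. The configuration
# is constructed, and treating a configured path as a prefix of the request
# path is an assumption about the firewall's matching semantics.
VIRTUAL_SERVERS = {
    "test.company.com": {"/": "web1", "/products/": "web2"},
    "*.company.com": {"/": "web3"},
    "*.com": {"/": "web4"},
    "shop.example.com": {"/web": "web5"},  # default route (/) deleted
}


def match_domain(hostname, virtual_servers):
    """Specific domain first; then the wildcard with the longest suffix, so
    test.company.com beats *.company.com, which beats *.com. None if no match."""
    hostname = hostname.lower().rstrip(".")
    if hostname in virtual_servers:
        return hostname
    # "*." is only allowed at the start, so a wildcard reduces to a suffix
    # match on ".company.com"; the leading dot stops "*.com" matching "com".
    wildcards = [d for d in virtual_servers
                 if d.startswith("*.") and hostname.endswith(d[1:])]
    return max(wildcards, key=len, default=None)


def match_path(request_path, paths):
    """Listing order is irrelevant: the longest configured path that prefixes
    the request wins; "/" (the default route) is used only when nothing more
    specific matches. None if nothing matches and "/" was deleted."""
    specific = [p for p in paths if p != "/" and request_path.startswith(p)]
    if specific:
        return max(specific, key=len)
    return "/" if "/" in paths else None


def route(hostname, request_path, virtual_servers=VIRTUAL_SERVERS):
    """Return (domain, web_server). domain is None when no virtual server
    serves the hostname; web_server is None when the request would get a
    404 Not found (no listed path matched and the default route is gone)."""
    domain = match_domain(hostname, virtual_servers)
    if domain is None:
        return (None, None)
    paths = virtual_servers[domain]
    path = match_path(request_path, paths)
    return (domain, paths[path] if path is not None else None)
```

The shop.example.com entry shows the 404 case: with its default route deleted, a request for a path outside /web returns no web server.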

Default path (path /): Select the edit button and select a web server for the default path. Requests that don't match a listed path are sent to the default route. If you delete the default route, Sophos Firewall denies requests that don't match a listed path with a 404 Not found response.

Add new path: Select to add a new path. You can add a path if you've added a web server.

Path: Enter the website path. Example: /products/

Web server: Select the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.

Authentication: Specify an authentication profile for web applications.

Allowed client networks: Specify the IP addresses and networks that can connect to the hosted web server. Sophos Firewall only implements the protection for IP host type IP and Network. Don't specify an IP range or IP list.

Blocked client networks: Specify the IP addresses and networks to block from connecting to the hosted web server. Sophos Firewall only implements the protection for IP host type IP and Network. Don't specify an IP range or IP list.

Sticky session cookie: Turn it on to bind a session to a web server. Sophos Firewall forwards a cookie to the user's browser, enabling it to route requests from the browser to the same web server. If the server isn't available, the cookie is updated, and the session is switched to another web server.

Hot-standby mode: Turn it on to send all requests to the first selected web server. The other web servers remain as backup servers and are used if the first server fails. When the main server starts functioning again, the sessions are switched back to it. If you select Sticky session cookie, the session continues with the backup web server.

WebSocket passthrough: Turn it on to allow applications hosted on the specified site path to use the WebSocket protocol. Since RFC standards don't specify the protocol's data format, checks can't be implemented and WebSocket traffic is allowed without protection.

7. Select Add new exception to specify the security checks to skip.

Select the paths, sources, and security checks to skip. You can specify more than one exception in a WAF rule.

Paths: Specify the paths for which you want to create an exception. You can use wildcards in the paths. Example: /products/*/images/*

Operation: Select the Boolean operation for paths and source networks.

Sources: Specify the IP addresses, range, list, or networks from which the traffic originates.

Cookie signing: Skips the check for cookie tampering. Cookie signing mitigates attempts to obtain private session data and engage in fraudulent activity by tampering with cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built from the primary cookie's name and value and a secret known only to Sophos Firewall. If a request can't provide the correct cookie pair, the cookie is dropped.

Static URL hardening: Allows rewritten links for the specified paths and source networks. Static URL hardening prevents users from manually constructing deep links that lead to unauthorized access. When a client requests a website, all static URLs of the website are signed using a procedure similar to cookie signing. In addition, the response from the web server is analyzed regarding which links can be validly requested next.

When you turn on static URL hardening, the entries for URL paths become case-sensitive. For example, if you add the path /rule.html and users enter /Rule.html, Sophos Firewall reports that the signature can't be found.

Form hardening: Skips the checks for web form rewriting. To prevent tampering with forms, Sophos Firewall saves the original structure of a web form and signs it. If the structure has changed when the form is submitted, Sophos Firewall rejects the request.

Antivirus: Skips anti-virus scanning for requests from the specified source networks and to the paths that you specify.

Block clients with bad reputation: Skips the checks for clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information.
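The cookie-signing scheme described under the Cookie signing exception, modelled as an added example of how a companion cookie lets a proxy detect a tampered name or value. This is not Sophos code: the secret, the "_sig" companion name, the HMAC-SHA256 choice and the cookie attributes are constructed for the example and are not documented on this page.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Added example (not Sophos code): models the cookie-signing check described
# above. The secret and the "_sig" companion-cookie name are constructed;
# the firewall's real cookie names, hash and attributes are not documented here.
SECRET = b"constructed-example-secret-change-me"
SIG_SUFFIX = "_sig"


def cookie_signature(name, value, secret=SECRET):
    """Keyed hash over the primary cookie's name and value. An HMAC is used so
    the tag cannot be recomputed by a client that does not hold the secret."""
    return hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_set_cookie(set_cookie_header, secret=SECRET):
    """Given one Set-Cookie header from the web server, return the Set-Cookie
    headers to deliver to the client: the original plus its signing cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    headers = [set_cookie_header]
    for name, morsel in jar.items():
        tag = cookie_signature(name, morsel.value, secret)
        headers.append(f"{name}{SIG_SUFFIX}={tag}; Path=/; HttpOnly")
    return headers


def filter_request_cookies(cookie_header, secret=SECRET):
    """Check every cookie pair in a client's Cookie header. A cookie whose
    companion is missing or does not match (tampered name or value) is
    dropped; the survivors are returned as the Cookie header to forward."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    kept = []
    for name, morsel in jar.items():
        if name.endswith(SIG_SUFFIX):
            continue  # companions are consumed here, never forwarded
        companion = jar.get(name + SIG_SUFFIX)
        expected = cookie_signature(name, morsel.value, secret)
        if companion is not None and hmac.compare_digest(
                companion.value.encode(), expected.encode()):
            kept.append(f"{name}={morsel.value}")
    return "; ".join(kept)
```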

8. Specify the advanced protection policies.

Protection: Specify a protection policy for the servers.

Intrusion prevention: Specify an intrusion prevention policy.

Traffic shaping: Specify a traffic shaping policy to allocate bandwidth.

9. Specify the Advanced settings.

Disable compression support: When clients request compressed data, Sophos Firewall sends data in compressed form. Select this setting to turn off compression if web pages appear incorrectly or if users experience content-encoding errors. Sophos Firewall then requests uncompressed data from web servers and sends it to the client irrespective of the request's encoding parameter.

Rewrite HTML: Select to rewrite the links of returned web pages to retain link validity. Example: If a web server's hostname is yourcompany.local, but the hosted web server's hostname is yourcompany.com, absolute links like <a href="http://yourcompany.local/"> are broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client.

You don't need to select this option if yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links.

We recommend that you use the option with Microsoft Outlook web access or SharePoint portal server.

HTML rewriting affects all files with HTTP content type text/* or *xml*. * is a wildcard. To prevent corruption during HTML rewriting, make sure that other file types (example: binary files) have the correct HTTP content type.

Rewrite cookies: Select to rewrite cookies of the returned web pages.

Pass host header: Select to forward the host header requested by the client to the web server. You can use this to match the requested hostname with the web server when you've hosted more than one website on a server.

10. Click Save. When you save a new or edited web server protection rule, Sophos
Firewall restarts all web server rules. Live connections using any of these rules
will be lost and need to be re-established.

You can see the WAF rule you created in the Firewall rules table.
