Firewall Profiles

On the Firewall Profiles tab you can create WAFClosed Web Application Firewall profiles that define the modes and levels of protection for your webservers.

To create a WAF profile, do the following:

  1. Click the New Firewall Profile button.

    The Add Firewall Profile dialog box opens.

  2. Specify the following settings:

    Name: Enter a descriptive name for the profile.

    Mode: Select a mode from the drop-down list:

    • Monitor: HTTP requests are monitored and logged.
    • Reject: HTTP requests are rejected.

    The selected mode is applied when an HTTP request meets any one of the conditions selected below.

  3. Make the following Hardening & Signing settings:

    Static URL hardening: Protects against URL rewriting. For that, when a client requests a website, all static URLs of the website are signed. The signing uses a similar procedure as with cookie signing. Additionally, the response from the webserver is analyzed with regard to which links can be validly be requested next. URLs with static hardening can furthermore be bookmarked and visited later. Select one of the following methods to define entry URLs:

    • Entry URLs specified manually: Enter URLs that serve as kind of entry URLs of a website and therefore do not need to be signed. They need to comply with the syntax of the following examples:, or /products/.
    • Entry URLs from uploaded Google sitemap file: You can upload a sitemap file here which contains information on your website structure. Sitemap files can be uploaded in XML or in plain text format, the latter simply containing a list of URLs. As soon as the profile is saved, the sitemap file is going to be parsed by the WAF.
    • Entry URLs from Google sitemap URL: You can have Sophos UTM download a sitemap file from a defined URL which contains information on your website structure. This file can be checked for updates at a regular interval. As soon as the profile is saved, the sitemap file is going to be downloaded and parsed by the WAF.

      URL: Enter the path to the sitemap as absolute URL.

      Update: Select an update interval from this drop-down list. When you select Manual the sitemap is going to be updated only when you save this profile anew.

      Note – When using Reverse Authentication with frontend mode Form on a designated path, it is not necessary to specify entry URLs for the login form and for this path. How to configure the path is described on the Webserver Protection > Web Application Firewall > Site Path Routing page.

    Note – Static URL hardening affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the URL hardening feature. It does not work for dynamic URLs created by a client, for example: JavaScript.

    Form hardening: Protects against web form rewriting. Form hardening saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed the WAF rejects the request when it is submitted.

    Note – Form hardening affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the form hardening feature.

    Cookie signing: Protects a webserver against manipulated cookies. When the webserver sets a cookie, a second cookie is added to the first cookie containing a hash built of the primary cookie's name, its value and a secret, where the secret is only known by the WAF. Thus, if a request cannot provide a correct cookie pair, some sort of manipulation has occurred and the cookie will be dropped.

  4. Make the following Filtering settings:

    Block clients with bad reputation: Based on GeoIPClosed Technique to locate devices worldwide by means of satellite imagery. and RBLClosed Realtime Blackhole List information you can block clients which have a bad reputation according to their classification. Sophos uses the following classification providers:

    RBL sources:

    • Sophos SXL

    The GeoIP source is Maxmind. The WAF blocks clients that belong to one of the following Maxmind categories:

    • A1: Anonymous proxies or VPN services used by clients to hide their IP address or their original geographical location.
    • A2: Satellite providers are ISPs that use satellites to provide Internet access to users all over the world, often from high risk countries.

    Skip remote lookups for clients with bad reputation: As reputation lookups include sending requests to remote classification providers, using reputation-based blocking may slow down your system. Select this checkbox to only use GeoIP-based classification which uses cached information and is therefore much faster.

    Common Threats filter: If enabled, you can protect your webservers from several threats. You can specify the threat filter categories you want to use in the Threat Filter Categories section below. All requests will be checked against the rule sets of the selected categories. Depending on the results, a notice or a warning will be shown in the live log or the request will be blocked directly.

    Rigid filtering: If enabled, several of the selected rules will be tightened. This may lead to false positives.

    Skip Filter Rules: Some of the selected threat categories may contain rules that lead to false positives. To avoid false positives induced by a specific rule, add the rule number that you want to skip to this box. WAF rule numbers can for example be retrieved on the Logging & Reporting > Webserver Protection > Details page, via the Top rules filter. There are basic rules for WAF, so called infrastructure rules. Infrastructure rules affect rules which are built upon these rules.

    Caution – Do not disable required infrastructure rules because this could affect other rules and lead to security issues. For detailed information on infrastructure rules, see the Sophos Knowledge Base.

    Note – Starting with version 9.7 MR1, with the common threat filter turned on, responses from the WAF are sent uncompressed to the client, even if the client requested the response to be compressed.

  5. Optionally, select the following threat filter categories (only available when Common Threats filter is enabled):

    Protocol violations: Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.

    Protocol anomalies: Searches for common usage patterns. Lack of such patterns often indicates malicious requests. These patterns include, among other things, HTTP headers like 'Host' and 'User-Agent'.

    Request limits: Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.

    HTTP policy: Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attackers aiming at these often less well supported options.

    Bad robots: Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your webservers are less likely to be discovered.

    Generic attacks: Searches for attempted command executions common to most attacks. After having breached a webserver, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by the means of legitimate access.

    SQL injection attacks: Checks for embedded SQL commands and escape characters in request arguments. Most attacks on webservers target input fields that can be used to direct embedded SQL commands to the database.

    (XSSClosed Cross-site scripting) attacks: Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target webserver, often in a legitimate way.

    Tight security: Performs tight security checks on requests, like checking for prohibited path traversal attempts.

    Trojans: Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.

    Outbound: Prevents webservers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.

    Comment (optional): Add a description or other information.

  6. Make the following Scanning settings:

    Enable antivirus scanning: Select this option to protect a webserver against viruses.

    Mode:Sophos UTM features several antivirus engines for highest possible security.

    • Single scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
    • Dual scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.

    Direction: Select from the drop-down list whether to scan only up- or downloads or both.

    Block unscannable content: Enable this option to block files that cannot be scanned. The reason for this may be, among other things, that files are encrypted or corrupted.

    Note – Please note that the scan size limit refers to an upload, not to single files. This means, if you set for example a limit of 50 MB and upload multiple files (45 MB, 5 MB and 10 MB), the last file will not be scanned and a virus might not be detected due to the limitation.

    Note – If you do not enter a limitation value, limitation will be saved with '0' megabytes which means the limitation is not active.

    Block uploads by MIME type: Select this option to scan and block uploads defined on the MIME type (RFC 2045, RFC 2046).

    Blocked MIME Types: Enter the MIME types you want to block for uploading files.

    Block unscannable content: Enable this option to block files that cannot be scanned. The reason for this may be, among other things, that files are encrypted or corrupted.

    Scan timeout: Enter the timeout limit for antivirus and MIME type scanning. After the timeout the file will be blocked. Default is 90 seconds.

    Limit scan size: Enable this option to enter a scan size limit for antivirus and MIME type scanning. Provide the limitation in megabytes.

  7. Make the following Application Customization settings:

    Pass Outlook Anywhere: Allows external Microsoft Outlook clients to access the Microsoft Exchange Server via the WAF. Microsoft Outlook traffic will not be checked or protected by the WAF.

  8. Click Save.

    The WAF profile is added to the Firewall Profiles list.

Additional Information on Static URL Hardening and Form Hardening

It would be best practice to always enable both URL hardening and form hardening because those two functions are complementary, especially in the way that they prevent issues you may have when enabling just one of them:

  • Only form hardening is activated: When a webpage contains hyperlinks with appended queries (which is the case with certain CMSClosed Content Management Systems), e.g., such page requests are blocked by form hardening because it expects a signature which is missing.
  • Only URL hardening is activated: When a web browser appends form data to the action URL of the form tag of a web form (which is the case with GET requests), the form data becomes part of the request URL sent to the webserver, by that rendering the URL signature invalid.

The reason why activating both functions solves those issues is that in case either form hardening or URL hardening find that a request is valid, the WAF accepts the request.

Outlook Web Access

The configuration of the WAF for Outlook Web Access (OWA) is a bit tricky since OWA handles requests from a public IP differently than internal requests from an internal LAN IP to the OWA website. There are redirects attached in the URLs of OWA, where for external access the external FQDN is used, whereas for internal requests the internal server's IP address is used.

The solution is to set the OWA directory as Entry URL in the WAF profile of your OWA webserver (e.g. http://webserver/owa/). Additionally, you need to create an exception which skips URL hardening for the pathes /owa/*, /OWA/* and to disable cookie signing completely for the virtual webserver.

To display the notifications, you need to make the following settings:

Create a second exception which skips Antivirus checks, skip all categories for path /owa/ev.owa* and activate the advanced function Never change HTML during Static URL Hardening or Form Hardening.