Sophos XG Web Server Protection



The WAF rules protect applications and websites hosted on physical or cloud-based web servers from exploits and attacks.

XG Firewall acts as a reverse proxy, protecting your internal and external web servers. You can create WAF rules for IPv4 traffic.

You can use the WAF rules to specify virtual web servers and translate these into physical servers without configuring DNAT and firewall rules. You can also protect web applications, such as Salesforce and Microsoft applications.

Add a web server protection (WAF) rule

With WAF rules, you can protect web applications from attacks and data leakage by filtering HTTP traffic. You configure a WAF rule for an IP address assigned to a network interface, a port, and one or more domain names. XG Firewall matches traffic based on the IP address assigned to the interface. With support for Server Name Indication (SNI), web server protection presents the correct server to each client, based on the requested hostname.

Go to Firewall and select IPv4 using the filter switch. Click + Add firewall rule and Business application rule. Enter the general rule details.

Sophos XG Firewall provides the world’s best network visibility, protection, and response to secure your Azure environments. Integrate multiple, leading security technologies into a single, preconfigured virtual-machine image with extensive reporting, including full insight into user and network activity. One of the key features of the Sophos XG Firewall is Web Protection, which allows for the scanning and categorization of web-related traffic. Websites may be allowed or blocked, or a warning may be displayed, to keep web browsing safe and productive.

XG Firewall offers preconfigured WAF rule templates with specific paths and protection policies for Exchange Autodiscover, Outlook Anywhere (Outlook 2007, 2010, 2013), Outlook Web Access (in an Exchange general rule), Lync, SharePoint (2010 and 2013), Remote Desktop Gateway 2008 R2, and Remote Desktop Web 2008 R2.

WAF rules are part of firewall rules. To create a WAF rule, you need to add a firewall rule and set the action to Protect with web server protection.

WAF functionality

XG Firewall supports the HTTPS protocol with SNI (Server Name Indication), allowing you to create more than one virtual web server over the same IP address and port. The WAF rules support wildcard domains.
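
The sketch below is an added illustration, not Sophos code: a simplified model of how a reverse proxy can pick one of several virtual web servers that share an IP address and port by using the SNI hostname. The rule table, addresses, backend names, and the matching semantics (a leading wildcard covers exactly one label, and an exact domain wins over a wildcard) are assumptions made for the example.

```python
# Added illustration: a simplified model of SNI-based virtual server selection.
# Hostnames, addresses and the matching rules are assumptions, not Sophos code.
from typing import Optional

# Constructed sample rules: (listener IP, port, hosted domain, backend web server).
RULES = [
    ("203.0.113.10", 443, "shop.example.com", "web-shop"),
    ("203.0.113.10", 443, "*.example.com", "web-wildcard"),
    ("203.0.113.10", 443, "mail.example.org", "web-mail"),
]

def normalize(host: str) -> str:
    """Lower-case and strip the trailing root dot; DNS names are case-insensitive."""
    return host.strip().rstrip(".").lower()

def matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' wildcard covering exactly one label."""
    pattern, host = normalize(pattern), normalize(host)
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label   # rejects the apex and a.b.example.com

def select_backend(ip: str, port: int, sni: Optional[str]) -> Optional[str]:
    """Pick the virtual server for a TLS ClientHello arriving on ip:port."""
    if not sni:
        return None                           # no SNI sent: this model has nothing to match on
    candidates = [r for r in RULES
                  if r[0] == ip and r[1] == port and matches(r[2], sni)]
    # Prefer an exact domain over a wildcard so a specific rule is never shadowed.
    candidates.sort(key=lambda r: r[2].startswith("*."))
    return candidates[0][3] if candidates else None

if __name__ == "__main__":
    for name in ("shop.example.com", "blog.example.com", "example.com", "a.b.example.com"):
        print(name, "->", select_backend("203.0.113.10", 443, name))
```

When reviewing WAF rules that use wildcard domains, check the same edge cases against the real deployment: the bare domain, multi-level subdomains, and hostnames that merely end in the same string.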

You can forward URL requests to specific web servers, bind sessions to a web server, or send all requests to a primary web server, using the others as backup servers. Traffic shaping policies added to the WAF rules allow you to allocate bandwidth and prioritize traffic based on a schedule.

Protection and authentication

Protection policies: You can add intrusion prevention and protection policies to the WAF rules. Protection policies allow you to protect web servers from vulnerability exploits, such as cookie, URL, and form manipulation. They also protect web servers from application and cross-site scripting (XSS) attacks. You can specify the filter strength for common threats.

The exceptions you create in WAF rules allow you to skip some types of security checks for the paths and sources you specify.

To prevent slow HTTP denial-of-service (DoS) attacks and enforce TLS version controls, go to Web server > General settings.

Authentication policies: In WAF rules, you can specify the client networks to allow or block. You can also add authentication policies to WAF rules to protect web servers using basic or form-based reverse-proxy authentication. The client authentication settings in these policies allow you to control access to the paths specified in the WAF rule.

Authentication templates: You can upload pre-configured HTML form templates. For customizable HTML and CSS templates, go to the authentication template help page.