Caution: Do not disable required infrastructure rules, as this may interfere with other rules and lead to security issues. For more information about infrastructure rules, see the Sophos Knowledge Base. To block a false positive, look in the reverse proxy log for the non-infrastructure rules that were triggered before the infrastructure rule and add those to the Ignore filter rules list instead. Note that infrastructure rules are always the last rules triggered by an HTTP request.

It's really strange that Sophos doesn't mention this in its article: sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202.pdf

There are certain rules that we call infrastructure rules; they are at the heart of how the WAF (ModSecurity) works. You cannot disable these rules without potentially affecting other rules that rely on them. When an infrastructure rule is added to the Ignore filter rules list, you become vulnerable to further possible attacks.

Note: Starting with version 9.7 MR1, when the Common Threats Filter is enabled, the WAF sends uncompressed responses to the client, even if the client requested a compressed response.

Create a second exception that skips virus checks and ignores all categories for the path /owa/ev.owa*, and enable the advanced option "Never modify HTML during static URL hardening or form hardening".

If you look at the WAF live log, there is a rule ID logged before the infrastructure rule ID; this is the ID you need to include in the exception. 🙂 community.sophos.com/kb/en-us/121446

Common Threats Filter: If enabled, you can protect your web servers from a variety of threats. You can specify the threat filter categories you want to use in the Threat filter categories section below. All requests are compared against the rule sets of the selected categories. Depending on the result, a notice or warning appears in the live log, or the request is blocked outright.

Web application firewalls enforce a set of rules to address known vulnerabilities in web applications. In theory, these rules only fire when something unusual happens.

Follow-up: If you use "Rigid filtering" in the firewall profile, rule 960009 should be ignored for /Microsoft-Server-ActiveSync. To disable rules, navigate to Web Server Protection > Web Application Firewall > Firewall Profiles, click Edit on the appropriate firewall profile, and paste the rule ID into the Ignore filter rules box.

The result looks similar to the following:

Ignore filter rules: Some of the selected threat categories may contain rules that cause false positives. To avoid false positives triggered by a specific rule, add the number of the rule you want to ignore in this field. WAF rule numbers can be found, for example, on the Logging & Reporting > Web Server Protection page, in the details of the Top Rules report.

There are basic rules for the WAF, called infrastructure rules. Infrastructure rules affect all the rules that rely on them.

For the "Outlook Anywhere" exception, you say select all and then list individual items. I assume Sophos added some since then, because "Outgoing" and "True file type control" were not listed. Should I skip them too? community.sophos.com/kb/en-us/121446#Infrastructure Rules

"The list of ignored filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can prevent attacks from being blocked by the Web Application Firewall."
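As an added helper (not from the thread and not Sophos code), the following Python applies the rule of thumb given above: group the live log by request, find the non-infrastructure rule that fired before the infrastructure rule, and propose only that ID for the Ignore filter rules list, while flagging any of the infrastructure IDs 981176, 981203 and 981204 that someone tries to skip. The ModSecurity-style log format and the sample lines are constructed assumptions, not real Sophos output.

```python
import re

# Required infrastructure rule IDs, as listed in the Sophos KB article quoted above.
INFRASTRUCTURE_RULES = {"981176", "981203", "981204"}

RULE_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
UNIQUE_RE = re.compile(r'\[unique_id "([^"]+)"\]')

def parse_events(log_text):
    """Return (unique_id, rule_id, msg) tuples in log order; lines without a rule id are skipped."""
    events = []
    for line in log_text.splitlines():
        rid = RULE_RE.search(line)
        if not rid:
            continue
        uid, msg = UNIQUE_RE.search(line), MSG_RE.search(line)
        events.append((uid.group(1) if uid else "?", rid.group(1), msg.group(1) if msg else ""))
    return events

def skip_candidates(log_text):
    """For every request in which an infrastructure rule fired, return the non-infrastructure
    rule ids that fired before it, in order. Those are the ids to add to the Ignore filter
    rules list; the infrastructure id itself is never returned."""
    per_request = {}
    for uid, rid, _msg in parse_events(log_text):
        per_request.setdefault(uid, []).append(rid)
    result = {}
    for uid, ids in per_request.items():
        if any(r in INFRASTRUCTURE_RULES for r in ids):
            result[uid] = [r for r in ids if r not in INFRASTRUCTURE_RULES]
    return result

def check_skip_list(skip_ids):
    """Return the infrastructure ids that a proposed Ignore filter rules list wrongly contains."""
    return sorted(set(skip_ids) & INFRASTRUCTURE_RULES)

# Constructed sample in ModSecurity's error-log style (assumed format, not real Sophos output):
# reqA0001 trips 960009 and is then blocked by infrastructure rule 981176; reqB0002 trips
# only infrastructure rule 981203; reqC0003 trips 960911 alone, so nothing needs ignoring.
SAMPLE_LOG = """\
[client 198.51.100.7] ModSecurity: Warning. [id "960009"] [msg "Request Missing a User Agent Header"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "reqA0001"]
[client 198.51.100.7] ModSecurity: Access denied with code 403. [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "reqA0001"]
[client 203.0.113.9] ModSecurity: Warning. [id "981203"] [msg "Inbound Anomaly Score"] [uri "/owa/"] [unique_id "reqB0002"]
[client 203.0.113.9] httpd: "GET /owa/ HTTP/1.1" 200 (no rule matched)
[client 192.0.2.4] ModSecurity: Warning. [id "960911"] [msg "Invalid HTTP Request Line"] [uri "/rpc/rpcproxy.dll"] [unique_id "reqC0003"]
"""
```

An empty list for a request (reqB0002 here) means only an infrastructure rule fired, so there is nothing safe to ignore and the request itself should be examined instead.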

Paul Fischer: Don't use infrastructure rules in exceptions!

Rigid filtering: When enabled, some of the selected rules are tightened. This can lead to false positives.

This particular log entry tells us a lot about the vulnerability. The most important field here is the ID "981231". This is the rule that detected the threat, and the rule that should be ignored if it is indeed a false positive.

Guys, my Exchange OA, ActiveSync and OWA finally work. We decided not to use reverse authentication, because I think it still doesn't work very well, Sophos has its issues with it, and there is no need for reverse authentication; let the backend server perform authentication. I used Michel's and the official Sophos document, set it up, and it is operational.

Optional: Select the following threat filter categories (available only if the Common Threats Filter is enabled). Feel free to discuss it in the comments.

I saw "ModSecurity" messages from one of my customers and additionally ignored rules 981176, 960009, 900000, 960911, 960904, 960035, and Outlook Anywhere stopped working! I don't know why skipping some rules breaks the RPC service. Don't forget this information.

I use the above configuration for all my clients. The solution is to set the OWA directory as the entry URL in the WAF profile of your OWA web server (for example, webserver/owa/). Additionally, you must create an exception that ignores URL hardening for the paths /owa/* and /OWA/* and completely disables cookie signing for the virtual web server.

It's absolutely amazing: skipping some rule IDs really does break the WAF, as you wrote above. My logs were full of warnings after I excluded 900000, 960911, 960904, 960035, and Outlook Anywhere could not connect via RPC/HTTP. The warnings were like:

Your web application should be written in such a way that it does not generate, request, or receive instructions that violate these rules. In practice, however, it is very likely that your WAF rules flag some behaviour of your web application and report false positives. Once the rule is ignored, you should no longer see that particular event detected when you monitor your log.

Mode: Sophos UTM has multiple antivirus engines for the highest level of security.

Note: Static URL hardening affects all files whose HTTP content type is text/* or *xml*, where * is a wildcard. Make sure that other file types, such as binaries, have the correct HTTP content type, otherwise they may be corrupted by the URL hardening feature. It does not work for dynamic URLs created on the client, for example by JavaScript.

Outlook automatically looks for "autodiscover.yourcompany.com" :-/ You must point this DNS name to the same address as "owa." or your "remote".

Curious to know which version of UTM you are using. We were happy with 9.321 for a loooong time, but it seemed to me that the WAF wasn't working properly with Exchange on it. Moved to 9.355-1 for now and it seems to be working fine.

Option 2: Configure an exception in the Web Application Firewall. Fortunately, you can configure your WAF to ignore this site-specific vulnerability. Exceptions should be as specific as possible, because you are now voluntarily and knowingly reducing the protective potential of the WAF. I would also ensure that this change is approved by some sort of governance or risk assessment committee.

Block clients with a bad reputation: Based on GeoIP technology, which locates devices worldwide, and RBL (Realtime Blackhole List) information, you can block clients that have a bad reputation according to their classification.

Sophos uses the following classification providers:

The msg field is a brief description of the vulnerability. Maturity and accuracy indicate the reliability and strength of the detection method; low maturity and accuracy would lead to many false alarms or false detections.

A DNAT for SMTP is fine; the WAF only works for HTTP and HTTPS. Can you upgrade to the latest version 9.4? I'm still using this tutorial on new installations and haven't had a problem yet.

Request limits: Applies reasonable limits on the number and ranges of request arguments. Overloading request arguments is a typical attack vector.

Paths: /ecp /ECP /ews /EWS /Microsoft-Server-ActiveSync /oab /OAB /owa /OWA /rpc /RPC /mapi /MAPI

Update: Select a refresh interval from this drop-down list. If you select Manual, the sitemap will not be updated unless you save this profile again.

Trojans: Searches for typical Trojan usage patterns, i.e. requests that indicate Trojan activity. However, this does not prevent the installation of such Trojans, as that is covered by the antivirus scanners.

Ultimately, you need to configure exceptions for everything to work. We'll configure four exceptions for specific URLs:

Enable virus scanning: Select this option to protect a web server from viruses.

To determine the corresponding rule IDs, you must watch the Web Application Firewall log while you access your site and reproduce the false positive. To open the WAF live log, go to Web Server Protection > Web Application Firewall > Virtual Web Servers and click Open Live Log.