Workaround: WAF is not working correctly because of Common Threats Filter [fixed in v9.205]

  • Article ID: 121246
  • Updated: 29 Oct 2014

Issue

When you open a URL on a webserver behind the WAF, you receive error 403 - forbidden.

When you then log on to the shell of the UTM and try to restart the WAF service, you see the following message:

# /var/mdw/scripts/reverseproxy restart

:: Starting reverseproxy

AH00526: Syntax error on line 1 of /usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.skip:

ModSecurity: Found another rule with the same id

 

First seen in

Sophos UTM 9.203

 

Fixed in

Sophos UTM 9.205

Cause

There is an issue with the option 'Common Threat Filter' in the firewall profile. Because of this, the service cannot work correctly and the WAF cannot start.
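ModSecurity prints "Found another rule with the same id" when two SecRule or SecAction directives carry the same id. The following added example (not Sophos code) lists ids that are defined more than once across a set of rule files; it assumes a POSIX awk is available on the shell and that the files use the standard `id:` action syntax, and the sample rule files in it are constructed.

```shell
# Added example: list ModSecurity rule ids defined more than once in the given files.
# On the UTM shell (directory from the error message): find_duplicate_rule_ids /usr/apache/conf/waf/*
find_duplicate_rule_ids() {
    awk '
    FNR == 1 { buf = "" }                      # new file: drop any unfinished directive
    {
        line = $0
        if (buf == "") start = FNR             # first physical line of this directive
        if (line ~ /\\[ \t]*$/) {              # trailing backslash: directive continues
            sub(/\\[ \t]*$/, "", line)
            buf = buf line " "
            next
        }
        directive = buf line
        buf = ""
        sub(/^[ \t]+/, "", directive)
        # Only SecRule/SecAction define ids; SecRuleRemoveById etc. merely reference them.
        if (directive !~ /^(SecRule|SecAction)[ \t]/) next
        # id:981231 or id:<quote>981231<quote>, preceded by a quote, comma or blank
        if (match(directive, /[", \t]id:.?[0-9]+/)) {
            id = substr(directive, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", id)
            count[id]++
            where[id] = where[id] " " FILENAME ":" start
        }
    }
    END { for (id in count) if (count[id] > 1) print id where[id] }
    ' "$@" | sort -n
}

# Constructed sample files (not real Sophos rule content) for an offline run.
write_sample_rules() {
    cat > "$1/a.conf" <<'EOF'
# constructed sample
SecRule ARGS "@rx select" \
    "phase:2,id:'900001',deny,msg:'sample'"
SecRule ARGS "@rx union" "phase:2,id:900002,deny"
EOF
    cat > "$1/b.skip" <<'EOF'
SecRuleRemoveById 900002
SecAction "phase:1,id:900001,nolog,pass"
EOF
}

tmp=$(mktemp -d)
write_sample_rules "$tmp"
find_duplicate_rule_ids "$tmp"/*     # prints: 900001 <tmp>/a.conf:2 <tmp>/b.skip:2
rm -rf "$tmp"
```

Each output line is the colliding id followed by every file:line where a directive defining it starts.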

What To Do

Please follow this workaround:

  • Log on to the WebAdmin and navigate to Webserver Protection | WebApplication Firewall | Firewall Profiles
  • Open a firewall profile where the option 'Common Threat Filter' is enabled
  • Disable the option 'Common Threat Filter' and click on Save
  • Repeat this action for all your Firewall Profiles where the option 'Common Threat Filter' is also configured
  • Now navigate to Webserver Protection | WebApplication Firewall | Virtual Webserver
  • Disable all your virtual Webservers by clicking the green button next to the virtual Webserver name
  • Enable them again
  • Try again to open the URL for which you detected the issue
  • If you are able to open the URL, go back to Webserver Protection | WebApplication Firewall | Firewall Profiles
  • Open all the firewall profiles for which you disabled the option and enable it again
  • Click on Save to apply the changes

 

 
If you need more information or guidance, then please contact technical support.
