Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

| Protect | 242

Additional Information on Static URL Hardening and Form Hardening

It is best practice always to enable both static URL hardening and form hardening. These two functions are complementary, especially in the way that they prevent the issues you may have if you enable just one of them:

• Only form hardening is activated: When a webpage contains hyperlinks with appended queries (which is the case with certain CMSs), e.g. http://example.com/?view=article&id=1, such page requests are blocked by form hardening because it expects a signature, which is missing.

• Only static URL hardening is activated: When a web browser appends form data to the action URL of the form tag of a web form (which is the case with GET requests), the form data becomes part of the request URL sent to the web server, thereby rendering the URL signature invalid.

Activating both functions solves those issues, because if either form hardening or static URL hardening considers a request to be valid, Web Application Protection accepts the request.
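The interplay described above can be made concrete with a small model. The following is an added example, not Sophos code: the firewall's real signature scheme is not described on this page, so an HMAC-SHA256 over the canonical path and query stands in for it, and the parameter names `__sig` and `__form_token`, the key and the URLs are all assumptions. Only the acceptance rule (either check passing is enough when both are enabled) is taken from the text.

```python
"""Model of the interplay between static URL hardening and form hardening.

Added example, not Sophos code: HMAC-SHA256 over the canonical path and query
stands in for the firewall's undocumented signature; '__sig' and
'__form_token' are assumed parameter names.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

KEY = b"constructed-demo-key"          # constructed; a real WAF keeps its own secret
RESERVED = {"__sig", "__form_token"}   # assumed names of the two protection parameters


def _mac(data: str, key: bytes) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def _canonical(path: str, query) -> str:
    """Path plus re-encoded query: the exact string the URL signature covers."""
    return urlunsplit(("", "", path, urlencode(query), ""))


def sign_url(url: str, key: bytes = KEY) -> str:
    """Static URL hardening: sign the URL as it is emitted in the page."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("__sig", _mac(_canonical(parts.path, query), key)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def url_signature_valid(url: str, key: bytes = KEY) -> bool:
    """Any change to path or query after signing (e.g. appended GET form data) fails here."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in query if k == "__sig"]
    if len(sigs) != 1:
        return False
    rest = [(k, v) for k, v in query if k != "__sig"]
    expected = _mac(_canonical(parts.path, rest), key)
    return hmac.compare_digest(sigs[0].encode(), expected.encode())


def form_token(action_path: str, field_names, key: bytes = KEY) -> str:
    """Form hardening: token over the action path and the form's field names,
    carried in a hidden '__form_token' field of the form."""
    return _mac(action_path + "|" + ",".join(sorted(field_names)), key)


def form_token_valid(url: str, key: bytes = KEY) -> bool:
    """A plain hyperlink carries no token and therefore fails here."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in query if k == "__form_token"]
    if len(tokens) != 1:
        return False
    fields = {k for k, _ in query if k not in RESERVED}
    expected = form_token(parts.path, fields, key)
    return hmac.compare_digest(tokens[0].encode(), expected.encode())


def waf_accepts(url: str, url_hardening: bool, form_hardening: bool, key: bytes = KEY) -> bool:
    """Acceptance rule from the text: the request passes if any enabled check
    considers it valid; with neither enabled nothing is checked."""
    checks = []
    if url_hardening:
        checks.append(url_signature_valid(url, key))
    if form_hardening:
        checks.append(form_token_valid(url, key))
    return any(checks) if checks else True


def scenarios() -> dict:
    """The two failure cases from the text and their resolution with both enabled."""
    # Case 1: CMS hyperlink with an appended query, signed by URL hardening.
    link = sign_url("http://example.com/?view=article&id=1")
    # Case 2: GET form whose action URL was signed; on submission the browser
    # appends the field 'q' and the hidden token to that URL.
    action = sign_url("http://example.com/search")
    submission = action + "&" + urlencode({"q": "firewall", "__form_token": form_token("/search", ["q"])})
    return {
        "link, form hardening only": waf_accepts(link, False, True),        # blocked: no token
        "form, URL hardening only": waf_accepts(submission, True, False),   # blocked: query changed
        "link, both": waf_accepts(link, True, True),                        # accepted
        "form, both": waf_accepts(submission, True, True),                  # accepted
    }


if __name__ == "__main__":
    for case, accepted in scenarios().items():
        print(f"{case:28s} -> {'accepted' if accepted else 'blocked'}")
```

Running the script prints the two blocked cases from the list above and shows both requests accepted once each check is allowed to vouch for the request on its own.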

Authentication Policies

The Authentication Policies menu allows you to configure policies for direct authentication.

You can use the Web Application Firewall (WAF) to authenticate users immediately instead of leaving the authentication to the web servers. Via authentication profiles, the reverse authentication can be used to assign specific authentication settings to each site path route.

Note: You can also view and manage the WAF status on the System > Hosts and Services > Services page.

This page displays all existing web application authentication profiles. For each authentication policy, the list shows:

Name: Name of the authentication policy.

Add Authentication Policy

This page describes how to add a web app authentication policy.

1. Go to Protect > Web Server > Authentication Policies and click Add.

2. Enter a unique Name for the authentication profile.

3. Enter a Description for the authentication policy.

4. Specify the Client Authentication details.

Mode

Select how the users should authenticate at the Web Application Firewall.

Basic: Users authenticate with HTTP basic authentication, entering username and password. In this mode, no session cookies will be generated and a dedicated logout is not possible.

Note: As the credentials are sent unencrypted in this mode, we strongly recommend that you use this mode over HTTPS.

Form: Users will be presented with a form where they have to enter their credentials. In this mode, session cookies will be generated and a dedicated logout is possible. The form template to be used can be selected in the Web App Auth Template list. Besides the default form template, the list shows the forms that have been defined on the Authentication Templates page.

Basic Prompt (available only if Basic mode is selected)

The realm is a unique string that provides additional information on the login page and is used for user orientation.

Note: These characters are allowed for the Basic Prompt: A-Z a-z 0-9 , ; . : - _ ' + = ) ( & % $ ! ^ < > | @

Web App Auth Template (available only if Form mode is selected)

Select the form template that will be presented to the users for authentication. Form templates are defined on the Authentication Templates page.

Users or Groups

Select the users or user groups that should be assigned to this web app authentication profile or create a new one. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group.

You can create a new user directly from this page or from the Configure > Authentication > Users page; see Registering a New User on page 417.

You can create a new group directly from this page or from the Configure > Authentication > Groups page; see Creating a New User Group on page 412.

Note: Sometimes users should be required to use the user principal name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers.

5. Specify the Authentication Forwarding details.

Mode

Select how the Web Application Firewall authenticates against the web servers. The mode has to match the web servers' authentication settings.

Basic: Authentication works with HTTP basic authentication, providing username and password.

None: There is no authentication between WAF and the web servers. Note that even if your web servers do not support authentication, users will be authenticated via the frontend mode.

Username affix (available only if authentication forwarding mode Basic is selected)

Select the type of affix for the username and specify a value for it. Affixes are useful when working with domains and email addresses.

• None

• Prefix

• Suffix

• Prefix & Suffix

Note: Prefix and suffix will be added automatically if the user only enters his username. Prefix and suffix will not be added if the user enters them. Example: If the suffix is @testdomain.de and the user only enters the username test.user, the suffix @testdomain.de will be added. If the user enters test.user@testdomain.de, the suffix will be ignored.

Remove Basic Header (available only if authentication forwarding mode None is selected)

Enable this if you do not want to send the basic header from Sophos XG Firewall to the web server.
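The forwarding step, the username affix rule from the note and the Remove Basic Header option can be modelled together. This is an added example, not Sophos code: the affix rule follows the note above, header construction is standard HTTP Basic (RFC 7617), and the treatment of the client's own Basic header in forwarding mode None (passed through unless Remove Basic Header is set) is an assumption, as are the usernames and password used in the demo.

```python
"""Model of the Authentication Forwarding step: the credentials the user gave
the WAF are replayed to the web server, optionally with a username affix.

Added example, not Sophos code. Pass-through of the client's Basic header in
forwarding mode 'None' is an assumption; sample credentials are constructed.
"""
import base64
from typing import Optional

AFFIX_MODES = ("None", "Prefix", "Suffix", "Prefix & Suffix")


def apply_affix(username: str, mode: str, prefix: str = "", suffix: str = "") -> str:
    """Add the configured affix(es) unless the user already typed them."""
    if mode not in AFFIX_MODES:
        raise ValueError(f"unknown username affix mode {mode!r}")
    result = username
    if mode in ("Prefix", "Prefix & Suffix") and prefix and not result.startswith(prefix):
        result = prefix + result
    if mode in ("Suffix", "Prefix & Suffix") and suffix and not result.endswith(suffix):
        result = result + suffix
    return result


def basic_header(username: str, password: str) -> str:
    """HTTP Basic credential as sent in an Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def upstream_authorization(
    username: str,
    password: str,
    forwarding_mode: str,
    affix_mode: str = "None",
    prefix: str = "",
    suffix: str = "",
    remove_basic_header: bool = False,
    client_header: Optional[str] = None,
) -> Optional[str]:
    """Authorization header the WAF sends to the web server, or None for none.

    'Basic': build a new header from the (affixed) username and password.
    'None':  no WAF authentication; the client's own Basic header (present when
             the frontend mode is Basic) is assumed to pass through unless
             'Remove Basic Header' is enabled.
    """
    if forwarding_mode == "Basic":
        return basic_header(apply_affix(username, affix_mode, prefix, suffix), password)
    if forwarding_mode == "None":
        return None if remove_basic_header else client_header
    raise ValueError(f"unknown forwarding mode {forwarding_mode!r}")


if __name__ == "__main__":
    # The example from the note: suffix @testdomain.de, user types only test.user
    print(apply_affix("test.user", "Suffix", suffix="@testdomain.de"))
    # The user already typed the suffix: nothing is appended
    print(apply_affix("test.user@testdomain.de", "Suffix", suffix="@testdomain.de"))
    # Header the web server receives in forwarding mode Basic (constructed password)
    print(upstream_authorization("test.user", "s3cret", "Basic", "Suffix", suffix="@testdomain.de"))
```

The prefix form is the one to reach for with Windows-style `DOMAIN\user` names, the suffix form for the `user@domain` principal-name notation mentioned in step 4; in either case the affix is only applied when the user did not type it.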

6. Specify the User Session details (available only if client authentication mode Form is selected).

Session Timeout

Enable to set a timeout for the user session: if the user does not perform any action within the interval, the credentials are confirmed by requiring the user to log in again.

Default: ON

Limit to (available only if Session Timeout is selected)

Set an interval for the session timeout.

Default: 5 minutes.

Session Lifetime

Enable to limit the time users may remain logged in, regardless of the activity in the meantime.

Default: ON
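The difference between the two session settings, an idle timeout that activity keeps resetting and a lifetime that activity cannot extend, is easiest to see in a small model. This is an added example, not Sophos code: the 5-minute timeout default is from the page, while the lifetime value, the use of 0 to mean a disabled setting, and the request timings are constructed for the demo.

```python
"""Model of the User Session settings for client authentication mode Form:
an idle timeout that forces a new login after inactivity, and a lifetime
that ends the session regardless of activity.

Added example, not Sophos code. Only the 5-minute timeout default comes
from the page; the lifetime value is constructed and 0 means 'disabled'.
"""
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 5 * 60      # page default for 'Limit to': 5 minutes
DEMO_LIFETIME = 60 * 60       # constructed value for the demo, not a page default


@dataclass
class FormSession:
    """Session created by a successful login through the form template."""
    login_at: float
    timeout: int = DEFAULT_TIMEOUT
    lifetime: int = DEMO_LIFETIME
    last_activity: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_activity = self.login_at

    def check(self, now: float) -> str:
        """Evaluate a request at time 'now' (seconds).

        Returns 'ok' (and counts the request as activity) or the reason the
        user must log in again. Lifetime is checked first: activity extends
        the idle window but never the absolute lifetime.
        """
        if self.lifetime and now - self.login_at > self.lifetime:
            return "lifetime exceeded"
        if self.timeout and now - self.last_activity > self.timeout:
            return "idle timeout"
        self.last_activity = now
        return "ok"


def simulate(request_times, timeout: int = DEFAULT_TIMEOUT, lifetime: int = DEMO_LIFETIME) -> list:
    """Run a sequence of request timestamps (seconds after login) through one session."""
    session = FormSession(login_at=0.0, timeout=timeout, lifetime=lifetime)
    return [session.check(t) for t in request_times]


if __name__ == "__main__":
    # Steady use every 4 minutes stays inside the idle window; a 6-minute gap does not.
    print(simulate([240, 480, 720, 1080]))
    # Once the lifetime is reached, even continuous activity ends the session.
    print(simulate(range(240, 3841, 240)))
```

Once a check fails, later requests keep failing until the user logs in again, because neither timestamp is refreshed on a rejected request; that matches the page's description of the timeout as a re-confirmation of the credentials rather than a silent extension.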
