This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - Packet filtering/Firewall rules

Hi All

We are trying to use the WAF to host an internal https service for specific clients only.

We can user NAT to port forward 443 to the internal server and restrict the nat rule to certain IP's etc. However this adds another machine to a long list of installing and maintaining SSL Certs.

Ideally we would like to use WAF for this feature which enables us to use the centrally stored SSL cert.

We have tried creating a packet filter rule to block 443 traffic from any(for testing purposes only) going to external IP and also the internal server, but the access is still granted.

Anyone have any experience with this or, any suggestions ?

i have looked through the forums and google but found nothing that satifies my question.

Many thanks

This thread was automatically locked due to age.

0 Michael Dunn over 10 years ago

This forum is for outgoing HTTP proxy.

The WAF forum is:
https://www.astaro.org/gateway-products/web-server-security/
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 10 years ago in reply to Michael Dunn

Moving thread...

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

Chris, it's not clear what you're doing as you've discussed NAT, WAF and firewall rules. Does #2 in Rulz answer your question?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 ChrisTwigg over 10 years ago

Hi Bob

Sorry for the incorrect use of Category.

What we are trying to achieve :-

Use WAF to host an internal(DMZ) web service using the installed SSL Cert centrally stored on the Sophos Box.

But we'd like to restrict access to 1 public client's IP address only.

Thanks

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago
The hint is in #2 in Rulz. Use two NAT rules:
[LIST=1]NoNAT : {clients' IPs} -> HTTPS -> External [Add'l Address] (Address)
DNAT : Internet -> HTTPS -> External [Add'l Address] (Address) : {non-existent IP}
[/LIST]
Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 ChrisTwigg over 10 years ago

Thanks Bob

I'll give it a try.

It is a shame the packet filter/exceptions rules are not built in to the WAF GUI

Many Thanks

Chris
Cancel
Vote Up 0 Vote Down

Cancel