
Use group objects in allowed networks under site path routing

Hi,

I am in the process of migrating our company's existing firewall to a Sophos UTM and I would like to take advantage of the Webserver Protection module to protect our internet-facing web servers, but I have hit a wall with one particular part of our setup.

In our existing setup we use an IP whitelist to control which IP addresses can access which servers, and to simplify it we have a hierarchical structure. That is, we have an address object used in the firewall rule which contains other address groups or individual IP addresses. This makes modifying the whitelist easier, as we just add or remove items from the top-level object to control access.

When setting up a test in the UTM I can see that there is an "Access Control" option under site path routing with two sections for "Allowed" and "Denied" networks. This looks like the place to add the whitelist, but I cannot add group objects here, only IP or network objects. Is there any way around this? If not under this section, is there somewhere else I can use my groups to control access rather than having to list every IP address?

Thanks in advance

Andrew



  • I would create a DNAT rule for access to the webserver; this way you can create an IP group and use it in the rule and achieve the same thing you want to do.

    Respectfully,

    Badrobot

  • Hi Badrobot,

    Thanks for coming back to me on this. One of the reasons for going with the UTM was to enable us to use SNI so we could host multiple servers on the same IP and the WAF would direct the traffic to the correct server. I'm guessing if we went down the NAT route we would not be able to do this? Or could the DNAT complement the WAF rules?

    Thanks,

    Andrew

  • I think you could; some of this would depend on what ports for what servers.

    Could you provide a better scenario of what you are trying to do with at least 2 or 3 servers so we can hash it out.

    Respectfully,

    Badrobot

  • Hi Badrobot,

    OK, so we have a number of webservers hosting a service for our customers. All run over the standard HTTPS port 443. At the moment we have a number of public IP addresses (one per customer) which have an associated DNS record for accessing their web app. On the firewall there are NAT rules which forward traffic on their IP and port 443 to their server. This also has an associated firewall rule with the whitelist address object which limits access based on IP.

    What we would like to do is be able to point the DNS at one IP address and have the firewall NAT the traffic based on the host name in the HTTP request. We would also need to keep the IP whitelist in place, but we need to use group objects as there are way too many to add individual IP objects.


    I have attached a very rough diagram of what we would like to achieve too.

    Thanks,

    Andrew

  • You can achieve this with two NAT rules, in order:

    1. No NAT : {whitelist group} -> {80, 443, etc.} -> {group of "(Address)" objects used in the Virtual Servers}
    2. DNAT : Internet -> {80, 443, etc.} -> {group of "(Address)" objects used in the Virtual Servers} : to (240.0.0.1)
       (See #2.5 in Rulz to understand this choice of destination IP for a blackhole DNAT. #2 also explains why this strategy works. See #4 to understand the requirement for "(Address)" objects.)

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for this info. I have read the Rulz you suggest and think I understand what is going on, but could you confirm it for me to make sure I have the right end of the stick.

    First NAT rule:

    Traffic from = Whitelist object

    Service: 443

    Going to: Address Object used in virtual servers in WAF

    No Destination changes


    Second Rule:

    Traffic from = Internet

    Service = 443

    Going to: Address Object used in virtual servers in WAF

    Change destination to 240.0.0.1

    When this is in place the first rule allows the traffic and NATs it into the WAF, and the second captures all other traffic and sends it into the abyss. Is that correct?

    If so, I would guess we don't need to use the "Automatic firewall rule" option, as the rules set in the WAF take precedence as per Rulz #2.

    As a final point, is there any reason we can't have multiple NAT rules above the blackhole rule, one for each high-level whitelist object?

    Really do appreciate the help with this.

    Thanks,

    Andrew

  • The first rule exempts the whitelist and allows its traffic to proceed un-NAT'd to the WAF (reverse proxy).

    It's cleaner and easier to understand if you use Network Groups - one for the clients and one for the public IPs of the Virtual Servers.  Of course, if all clients are not allowed to all servers, then, yes, individual NoNAT rules would be necessary and would work anywhere above the blackhole DNAT.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
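The two-rule layout Bob describes above (a NoNAT exemption for the whitelist, followed by a blackhole DNAT to 240.0.0.1 for everyone else) and the follow-up about Network Groups and per-customer NoNAT rules both rely on the UTM evaluating NAT rules top-down, first match wins. The following is an added example, not code from the thread or from Sophos: a small Python model of that first-match evaluation, with group objects that may nest other groups (the hierarchy Andrew's existing firewall uses). Every name in it (GROUPS, NatRule, route, the RULES lists) and every address (RFC 5737 documentation ranges) is an assumption constructed for the example; the UTM exposes no such API.

```python
"""Added example (not from the thread): first-match NAT evaluation with nested
address groups, modelling the NoNAT + blackhole-DNAT pattern described above.
All addresses and object names are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hierarchical address objects (assumed layout, RFC 5737 documentation ranges).
# A group may contain networks or other groups; this is the nesting the WAF
# "Allowed networks" list cannot take directly but NAT rules can.
GROUPS = {
    "whitelist": ["customer_a", "customer_b", "203.0.113.10/32"],
    "customer_a": ["198.51.100.0/24"],
    "customer_b": ["192.0.2.0/25", "customer_b_vpn"],
    "customer_b_vpn": ["192.0.2.200/32"],
    # Public "(Address)" objects used by the WAF Virtual Servers
    "waf_vservers": ["203.0.113.80/32", "203.0.113.81/32"],
    "waf_a": ["203.0.113.80/32"],
    "waf_b": ["203.0.113.81/32"],
}
INTERNET = "0.0.0.0/0"
BLACKHOLE = "240.0.0.1"   # reserved class-E address; nothing answers there
WEB = frozenset({80, 443})


def expand(name: str, seen: frozenset = frozenset()) -> list:
    """Flatten a group name (or a bare CIDR) into ip_network objects, recursively."""
    if name in seen:
        raise ValueError(f"group cycle at {name!r}")
    if name in GROUPS:
        nets = []
        for member in GROUPS[name]:
            nets.extend(expand(member, seen | {name}))
        return nets
    return [ipaddress.ip_network(name)]


def contains(name: str, addr: str) -> bool:
    """True if the address falls inside any network of the (flattened) object."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in expand(name))


@dataclass(frozen=True)
class NatRule:
    kind: str                 # "NoNAT" (exempt, pass unchanged) or "DNAT" (rewrite destination)
    source: str               # group name or CIDR
    destination: str          # group name or CIDR
    services: frozenset       # destination ports
    to: Optional[str] = None  # new destination, DNAT only


# The two rules from the answer above, in the order they must sit in the NAT table.
RULES = [
    NatRule("NoNAT", "whitelist", "waf_vservers", WEB),
    NatRule("DNAT", INTERNET, "waf_vservers", WEB, to=BLACKHOLE),
]

# Variant from the follow-up: one NoNAT rule per customer, each above the blackhole,
# for the case where not every client may reach every virtual server.
RULES_PER_CUSTOMER = [
    NatRule("NoNAT", "customer_a", "waf_a", WEB),
    NatRule("NoNAT", "customer_b", "waf_b", WEB),
    NatRule("DNAT", INTERNET, "waf_vservers", WEB, to=BLACKHOLE),
]


def route(src: str, dst: str, port: int, rules=RULES) -> tuple:
    """First-match NAT evaluation. Returns (outcome, effective destination):
    "waf"       - destination unchanged, packet reaches the reverse proxy
    "blackhole" - destination rewritten to 240.0.0.1, never reaches the WAF
    "no-match"  - no NAT rule applies (left to the ordinary firewall rules)"""
    for rule in rules:
        if (port in rule.services
                and contains(rule.source, src)
                and contains(rule.destination, dst)):
            if rule.kind == "NoNAT":
                return ("waf", dst)
            return ("blackhole", rule.to)
    return ("no-match", dst)


if __name__ == "__main__":
    for client in ("198.51.100.7", "192.0.2.200", "192.0.2.201", "203.0.113.10", "203.0.113.99"):
        print(client, "->", route(client, "203.0.113.80", 443))
    # Swapping the two rules silently blackholes the whitelist as well:
    print("misordered:", route("198.51.100.7", "203.0.113.80", 443, rules=RULES[::-1]))
```

The misordered case is the one to check when building this on a real box: with the blackhole DNAT above the NoNAT rule, every client, whitelisted or not, is rewritten to 240.0.0.1, and the WAF never sees the connection. Port 22 in the tests below shows the other boundary: the NAT pair only covers the listed services, so anything else is decided by the normal firewall rules.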
  • Thanks for this Bob.

    I have presented this as the solution to my manager and he's happy, so we are going to implement it.

    It is a little strange that it needs to be done this way and that group objects are not allowed in the "Allow" list in the WAF, but never mind.

    Thanks for all your help with this; it is much appreciated.

    Thanks,

    Andrew