WAF & SNAT

Been a while so apologies....

If you have a webserver behind WAF, does the webserver reply on the address the WAF is using?

e.g. the webserver sits on a subnet that is masquerading to PUBLIC IP X, and the WAF is using PUBLIC IP Y for https.

In the above example, does the webserver reply to https requests on PUBLIC IP Y but try to get out to the internet for all other protocols, e.g. Windows Update, via PUBLIC IP X?

  • Yes, since the incoming request would be on the port and URL specified within the WAF configuration on the UTM and also on the webserver, any incoming web request will be replied to from the same IP. For example, if your website is hosted on the X address and you've configured it on the UTM and on the WAF to forward it to your webserver, it will be replying using that same X address.

    For all other traffic going out of your Webserver to the Internet, since the destination port will be different and services as well, it will go ahead using MASQ or SNAT rule (if any) specified in your UTM.
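The connection-tracking behaviour that the answer relies on, as an added model that is not from the thread or from the UTM's own code: it treats the WAF address as a DNAT to the web server and shows why the reply to an HTTPS request leaves from Y even though a masquerade rule for X also matches the server subnet. The firewall consults connection state before NAT rules, so replies are reverse-translated from the recorded flow and only new connections (e.g. the server fetching updates) hit the masquerade rule. All addresses are constructed assumptions (X = 203.0.113.10, Y = 203.0.113.20, web server = 10.0.0.5).

```python
"""Toy connection-tracking NAT model for the WAF/SNAT question above.

Constructed addresses (assumptions, not taken from the thread):
  PUBLIC_X  - masquerade address for the server subnet's outbound traffic
  PUBLIC_Y  - address the WAF listens on for HTTPS
  WEBSERVER - the web server on the internal subnet
"""
from dataclasses import dataclass

PUBLIC_X = "203.0.113.10"
PUBLIC_Y = "203.0.113.20"
WEBSERVER = "10.0.0.5"
MASQ_SUBNET = "10.0.0."          # server subnet that the masquerade rule covers

# DNAT rules apply to NEW connections only: inbound to Y:443 -> web server:443.
DNAT_RULES = {(PUBLIC_Y, 443): (WEBSERVER, 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def as_tuple(self):
        return (self.src, self.sport, self.dst, self.dport)


class Conntrack:
    """Records every translated flow in both directions.

    A packet that belongs to a known flow is translated from state; the
    DNAT/masquerade rules are consulted only when no flow matches.
    """

    def __init__(self):
        self.original = {}   # original-direction tuple -> translated packet
        self.reply = {}      # reply-direction tuple    -> translated packet

    def forward(self, pkt):
        key = pkt.as_tuple()
        if key in self.original:          # next packet of a known flow
            return self.original[key]
        if key in self.reply:             # reply to a known flow: reverse-translate
            return self.reply[key]

        # New flow: DNAT is evaluated first, then the masquerade rule.
        out = pkt
        if (pkt.dst, pkt.dport) in DNAT_RULES:
            ndst, ndport = DNAT_RULES[(pkt.dst, pkt.dport)]
            out = Packet(pkt.src, pkt.sport, ndst, ndport)
        elif pkt.src.startswith(MASQ_SUBNET):
            out = Packet(PUBLIC_X, pkt.sport, pkt.dst, pkt.dport)

        # Remember both directions so the reply is untranslated from state,
        # not by re-running the rules (which would wrongly masquerade it to X).
        self.original[key] = out
        reply_seen = (out.dst, out.dport, out.src, out.sport)
        self.reply[reply_seen] = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out


def demo():
    """Walk the two flows from the question through the model."""
    ct = Conntrack()
    client = "198.51.100.7"          # constructed internet client
    update_host = "192.0.2.80"       # constructed update server

    # 1. Inbound HTTPS to the WAF address Y, then the web server's reply.
    inbound = ct.forward(Packet(client, 40000, PUBLIC_Y, 443))
    reply = ct.forward(Packet(WEBSERVER, 443, client, 40000))

    # 2. New outbound connection from the same web server (e.g. an update check).
    outbound = ct.forward(Packet(WEBSERVER, 51000, update_host, 80))
    update_reply = ct.forward(Packet(update_host, 80, PUBLIC_X, 51000))

    return {"inbound": inbound, "reply": reply,
            "outbound": outbound, "update_reply": update_reply}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The reply packet from 10.0.0.5:443 matches the masquerade subnet, yet it leaves as 203.0.113.20 (Y) because the flow lookup wins before any rule is evaluated; the update connection has no matching flow, so it is the one that gets X. If the WAF is a reverse proxy rather than a plain DNAT, the web server instead sees the proxy's internal address as its client and replies to that, but the externally visible result is the same: the HTTPS response leaves from Y and everything the server initiates itself leaves via the masquerade address.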