This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - how to protect a public server

Balocco SpA - Ufficio IT over 2 years ago

Hi,

we have a web server with a public IP. Let's say the IP is 123.123.10.1/28. The gateway of this server is a network interface of Sophos XG, lets say 123.123.10.14/28 (we are autonomous system, we have several public IPs). How can I protect the web server with WAF in XG? What I cannot figure it out is that in "Hosted Address" in WAF firewall rule I cannot select the public IP of the web server (123.123.10.1/28), but only the gateway of that network 123.123.10.14/28.

In this moment the web server can be accessed from Internet just with a firewall rule "Any (source) to web Server), NAT is not necessary.

Thank you.

This thread was automatically locked due to age.

Top Replies

dirkkotte over 2 years ago in reply to Balocco SpA - Ufficio IT +3 verified

No, users have to talk with the XG. You can change the DNS record to point to XG instead of Web-Server. ...or bound the Web-Server IP as additional-IP to the XG and use a new IP with the webserver.

0 dirkkotte over 2 years ago

Hosted address is a public IP bound to the XG.

Users only speak with this IP. XG/WAF then build the connection to selected "web Server" from Protected servers-List.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up +2 Vote Down

Cancel
0 Balocco SpA - Ufficio IT over 2 years ago in reply to dirkkotte

Ok, got it. But users don't call hosted address IP to go to webserver, they call webserver IP directly. So what do i put into hosted address? Webserver's gateway? thanks!
Cancel
Vote Up +1 Vote Down

Cancel
+1 dirkkotte over 2 years ago in reply to Balocco SpA - Ufficio IT

No, users have to talk with the XG.

You can change the DNS record to point to XG instead of Web-Server.
...or bound the Web-Server IP as additional-IP to the XG and use a new IP with the webserver.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up +3 Vote Down

Cancel
0 Balocco SpA - Ufficio IT over 2 years ago in reply to dirkkotte

Ok, got it!. Thank you so much!
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 2 years ago in reply to Balocco SpA - Ufficio IT

It was a pleasure for me.
If an answer was correct or helpful, please mark it

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel