
WAF with the webserver hosted in Azure

Hello,

We have a VPN tunnel from our XG330 (SFOS 20.0.2 MR-2) to Azure and want to host a web application in Azure.

The VPN tunnel was set up via the configuration file and is route based, with the xfrm interfaces being in the 169.254.0.0/30 subnet.

When I ping the webserver directly from the firewall, the source IP is 169.254.0.1 and is not routed back.

To solve this I configured an SNAT for system-generated traffic to an IP that can be routed back.

Unfortunately this SNAT does not work on the WAF-generated traffic. Doing a tcpdump, I can still see 169.254.0.1 as the source IP.

I have tried to add this IP to the routes in Azure but it doesn't work.

I have also tried doing a normal SNAT via the GUI.

Is there any way to solve this issue?

[edited by: Raphael Alganes at 10:02 AM (GMT -8) on 20 Nov 2024]
  • Hi @Dominik Friedl, sys-traffic-nat on the CLI of SFOS will not help placing WAF traffic with the configured IP; in case of WAF with route-based VPN, the source IP will always be the xfrm IP. Please try whether your use case with Azure works with policy-based VPN; this uses one of the LAN ports' IPs while placing WAF traffic into the IPsec tunnel.

    If the usage of route-based VPN is a must, then please check with Azure on the routing part.

    Also, if it is fine to use without a WAF rule, equivalent functionality can be achieved by using SNAT and DNAT rules on SFOS.
