Firewall and WAF - what comes first?

Question

Hello, 
 this is a follow up on this post: 
 High CPU usage since 2:20 this night - General Discussion - UTM Firewall - Sophos Community 
 With some other questions. This is why the other post doesn't fit, but if reference is needed... 
 The question is: 
 What comes first? Firewall or WAF? 
 According to my tests, firewall can't block what WAF is allowing through, is that correct? 
 If so, is there a way I can selectively allow what is allowed on the WAF, like which IP or domain? 
 The problem I have is that the firewall is being bombarded with millions of packets daily from various sources (agents), and I have found no way to allow them on the WAF, without bringing the whole firewall to the crawl. 
 So my thinking is like, "block all, but allow x.x.x.x IP", hoping that one customer or IP won't overload the firewall, and I'll be able to update or uninstall agents. 
 Thank you.

dirkkotte · Answer

1. correct, you can#t block or allow WAF-Traffic from firewall-rules. 
 2. there are some options restricting inbound traffic. 
 - i love country-blocking with exceptions to WAF and mail 
 - within WAf you can configure an accesslist ... at site-path-routing ... i think

BAlfson · Answer

Hallo, Kosta - I like Dirk's suggestions. Y ou will want to be aware of #2 in Rulz (last updated 2021-02-16) for similar questions in the future. You should also be aware of Doug Foster's excellent guide: Securing Web Application Firewall (WAF) . 
 Cheers - Bob

Firewall and WAF - what comes first?

Top Replies