
WebProtection: Routing to Internal Networks when "Optional: Interface for Outgoing traffic" is used

Hello,

we have the following problem:

We use the option "Optional: Interface for Outgoing traffic" for our WebProtection Profiles, so different customers can browse websites with different public IPs.

If we want to connect to an internal web server we get the error "an error occurred while handling your request (no route to host)".

I think this is because the HTTP request is always going out from the interface we assigned in "Optional: Interface for Outgoing traffic". This is an interface with a public IP, and so it cannot connect to a private IP within our network.

If we put the internal network into "Skip Transparent Mode Destination..." everything works fine.

Is it possible to configure the WebProtection so it works without the exception for the internal network?
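The workaround described in the post exempts the internal network from transparent proxying via "Skip Transparent Mode Destination". The script below is an added example, not part of the original thread or of the UTM product: it audits such a skip list against the internal networks it is supposed to cover, reporting internal address space that is still missing (those servers would still fail with the routing error the poster describes) and skip entries that reach beyond the internal networks (every address in a skip entry is also exempted from web filtering, so an overly broad entry silently widens the bypass). All network values are constructed sample data; `audit_skip_list` and `_exclude_all` are names chosen here.

```python
"""Audit a transparent-proxy skip list against the internal networks it
should cover.  Added example; networks below are constructed sample data.
"""
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Dict, Iterable, List

# Constructed: the internal networks that host web servers customers must reach.
INTERNAL_NETWORKS = ["192.168.10.0/24", "192.168.20.0/24", "10.50.0.0/16"]

# Constructed: what an administrator typed into the skip list.  Note the /8,
# which covers far more than the single /16 that actually needed it.
SKIP_LIST = ["192.168.10.0/24", "10.0.0.0/8"]


def _exclude_all(base: IPv4Network, holes: Iterable[IPv4Network]) -> List[IPv4Network]:
    """Return the parts of `base` not covered by any network in `holes`.

    Two IPv4 networks either nest or are disjoint, so each chunk is either
    dropped (fully covered), split with address_exclude (hole strictly inside)
    or kept unchanged (disjoint).
    """
    remaining = [base]
    for hole in holes:
        next_remaining: List[IPv4Network] = []
        for chunk in remaining:
            if hole.supernet_of(chunk):          # also true when hole == chunk
                continue                          # chunk fully covered, drop it
            if hole.subnet_of(chunk):             # hole strictly inside chunk
                next_remaining.extend(chunk.address_exclude(hole))
            else:                                 # disjoint, keep as is
                next_remaining.append(chunk)
        remaining = next_remaining
    return sorted(collapse_addresses(remaining))


def audit_skip_list(internal: Iterable[str], skip: Iterable[str]) -> Dict[str, List[str]]:
    """Compare skip-list entries with the internal networks.

    uncovered_internal:    internal space still proxied via the public
                           egress interface (would still fail to connect).
    skip_beyond_internal:  skip-list space that is not internal at all, i.e.
                           destinations bypassing web filtering for no reason.
    """
    internal_nets = [ip_network(n) for n in internal]
    skip_nets = [ip_network(n) for n in skip]

    uncovered: List[IPv4Network] = []
    for net in internal_nets:
        uncovered.extend(_exclude_all(net, skip_nets))

    overreach: List[IPv4Network] = []
    for entry in skip_nets:
        overreach.extend(_exclude_all(entry, internal_nets))

    return {
        "uncovered_internal": [str(n) for n in sorted(collapse_addresses(uncovered))],
        "skip_beyond_internal": [str(n) for n in sorted(collapse_addresses(overreach))],
    }


if __name__ == "__main__":
    report = audit_skip_list(INTERNAL_NETWORKS, SKIP_LIST)
    print("Internal space still proxied:", report["uncovered_internal"])
    print("Skip entries beyond internal space:", report["skip_beyond_internal"])
```

With the constructed data the audit flags 192.168.20.0/24 as still proxied (its servers would produce the same "no route to host" error) and lists the eight CIDR blocks of 10.0.0.0/8 that are not 10.50.0.0/16, showing how much filtering coverage the broad entry gives away; replacing it with 10.50.0.0/16 makes both lists empty.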

To elaborate: Your customers are effectively in a DMZ, because UTM separates them from your internal network and their networks are presumably less trusted than your internal network. You probably have a mix of internal websites, some of them may be intended for customer use, but probably not all of them. WAF allows you to control which sites they will be able to use, and filter hostile traffic if it occurs.

The network design principle is that Web Proxy is used to protect trusted clients from less trusted and possibly hostile web servers. Web Application Firewall / WebServer Protection is used to protect trusted web servers from less trusted and possibly hostile web clients. Your use of the Optional Interface feature has the accidental benefit of ensuring that your internal websites are not reachable.

The real challenge occurs if Client A wants to access a web server on Client B. Ideally, outbound traffic from A should go through Web Proxy, because A does not know if B can be trusted, and inbound traffic from A to B should go through WAF, because B does not know if A can be trusted. WAF will provide connectivity from A to B, and protect B, but I don't know how you can force traffic through both Web Proxy and WAF with a single UTM device.