This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Use group objects in allowed networks under site path routing

Hi,

I am in the process of migrating our companies existing Firewall to a Sophos UTM and I would like to take advantage of the Webserver protection module to protect our internet facing web  servers but have hit a wall with one particular part of our setup.

In our existing setup we use an IP whitelist to control which IP addresses can access which servers and to simplify it we have a hierarchical structure. That is we have an address object used in the firewall rule which contains other address groups or individual IP addresses. This makes modifying the whitelist easier as we just add or remove items from the top level object to control access.

When setting up a test in the UTM i can see that there is an "Access Control" option under site path routing with 2 sections for "Allowed" and "Denied" networks. This looks like the place to add the whitelist but i cannot add group objects here, only IP or network objects. Is there any way around this? If not under this section is there somewhere else i can use my groups to control access rather than having to list every IP address?

Thanks in advance

Andrew



This thread was automatically locked due to age.
Parents
  • I would create a DNAT Rule for access to the webserver, this way you can create an IP group and use them in the rule and achieve the same thing you want to do.

    Respectfully, 

     

    Badrobot

     

  • Hi Badrobot,

    Thanks foe coming back to me on this. One of the reasons for going with the UTM was to enable use to use SNI so we could host multiple servers on the same IP and the WAF would direct the traffic to the correct server. I'm guessing if we went down the NAT route we would not be able to do this? Or could the DNAT compliment the WAF rules?

    Thanks,

    Andrew

  • I think you could, some of this would depend on what ports for what servers.

     

    Could you provide a better scenario of what you are trying to do with at least 2 or 3 servers so we can hash it out.

    Respectfully, 

     

    Badrobot

     

Reply Children
  • Hi Badrobot,

     

    OK so we have a number of webservers hosting a service for our customers. All run over standard https port 443. At the moment we have a number of public IP addresses (one per customer) which have an associated DNS record for accessing their web app. On the firewall there are NAT rules which forward traffic on their IP and port 443 to their server. This also has an associated firewall rule with the whitelist address object which limits access based on IP.

    What we would like to do it be able to point the DNS at 1 IP address and have the firewall NAT the traffic based on the host name in the http request. We would also need to keep the IP whitelist in place but need to use group objects as there are way too many to add individual IP objects.

     

    I have attached a very rough diagram of what we would like to achieve too.

    Thanks,

    Andrew

  • You can achieve this with two NAT rules, in order:

    1. No NAT : {whitelist group} -> {80, 443, etc.} -> {group of "(Address)" objects used in  the Virtual Servers}
    2. DNAT : Internet -> {80, 443, etc.} -> {group of "(Address)" objects used in  the Virtual Servers} : to (240.0.0.1}
      (See #2.5 in Rulz to understand this choice of destination IP for a blackhole DNAT. #2 also explains why this strategy works.  See #4 to understand the requirement for "(Address)" objects.)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thanks for this info. I have read the Rulz you suggest and think i understand what is going on but could you confirm it for me to make sure i have the right end of the stick.

     

    First NAT rule:

    Traffic from = Whitelist object

    Service: 443

    Going to: Address Object used in virtual servers in WAF

    No Destination changes

     

    Second Rule:

    Traffic from = Internet

    Service = 443

    Going to: Address Object used in virtual servers in WAF

    Change destination to 240.0.0.1

     

    When this is in place the first rule allows the traffic and NATs it into the WAF and the second captures all other traffic and sends it into the abyss. Is that correct?

    If so i would guess we don't need to use the "Automatic firewall rule" option as the rules set in WAF take precedence as per Rulz #2.

     

    As a final point, is there any reason we can't have multiple NAT rules above the blackhole rule. One for each high level whitelist object?

     

    Really do appreciate the help with this.

     

    Thanks,

    Andrew

  • The first rule exempts the whitelist and allows its traffic to proceed un-NAT'd to the WAF (reverse proxy).

    It's cleaner and easier to understand if you use Network Groups - one for the clients and one for the public IPs of the Virtual Servers.  Of course, if all clients are not allowed to all servers, then, yes, individual NoNAT rules would be necessary and would work anywhere above the blackhole DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for this Bob.

    I have presented this as the solution to my manager and he's happy so we are going to implement it.

    It is a little strange that it needs to be done this way and that group objects are not allowed in the "Allow" list in the WAF but never mind.

    Thanks for all your help with this it is much appreciated.

    Thanks,

    Andrew