URL Hardening Questions

I have set up WAF in the following way:

1. virtual webserver:

Domains: domain.com
Real Web Servers: Lotus Domino Server
Firewall Profile: Advanced Protection (with URL hardening)

2. real webserver:

name: Lotus Domino Server
host: an internal host (external access via DNAT)

3. firewall profiles:

Advanced with URL hardening.


For testing purposes I have entered only "www.domain.com" in URL hardening.

I tried to open "domain.com/otherthings" directly and this still works. I thought URL hardening would disable direct access to URLs not entered in the "Entry URL" list.

Do I misunderstand URL hardening, or is it the DNAT which does not work with WAF?


  • Like Bob mentioned, do it with DNATs.

    Rule 1:
    source:  netblocks to allow
    service:  http(s)
    destination: external WAN (address)
    new destination:  external WAN (address) (same as above)

    Rule 2:
    source:  internet or any
    service:  http(s)
    destination:  external WAN (address)
    new destination:  non-existent blackhole address

    The first rule will accept the traffic and put it back on the external interface, so WAF can pick it up.  The second rule will take traffic from all other sources and send it to the packet dumpster.  [:)]
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
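As an added example (not code from the thread, and not anything the UTM itself runs), the following Python snippet simulates the first-match evaluation of the two DNAT rules proposed in the reply above. The addresses are hypothetical RFC 5737 documentation values: 203.0.113.10 stands in for the external WAN address, 198.51.100.0/24 and 192.0.2.0/26 for the allowed netblocks, and 10.255.255.254 for the non-existent blackhole. The point it demonstrates is the one the reply relies on implicitly: the allow rule must sit above the catch-all, otherwise the catch-all shadows it and every source, allowed or not, ends up in the packet dumpster. The `audit()` function is a check for exactly that misordering.

```python
"""First-match simulation of the two-rule DNAT scheme (added example, hypothetical values)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Hypothetical addresses (RFC 5737 / RFC 1918 ranges), not taken from the thread.
WAN_ADDRESS = IPv4Address("203.0.113.10")      # "external WAN (address)" in the reply
BLACKHOLE = IPv4Address("10.255.255.254")      # "non-existent blackhole address"
ALLOWED_NETBLOCKS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/26")]
HTTP_PORTS = frozenset({80, 443})              # "service: http(s)"


@dataclass(frozen=True)
class DnatRule:
    name: str
    sources: Tuple[IPv4Network, ...]   # empty tuple means "any"
    ports: frozenset
    destination: IPv4Address
    new_destination: IPv4Address

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        src_ok = not self.sources or any(src in net for net in self.sources)
        return src_ok and dst == self.destination and port in self.ports


def build_rules() -> List[DnatRule]:
    """Rule 1 (allow to WAF) above Rule 2 (everything else to the blackhole)."""
    rule1 = DnatRule("allow-to-waf", tuple(ALLOWED_NETBLOCKS), HTTP_PORTS,
                     WAN_ADDRESS, WAN_ADDRESS)        # new destination == same WAN address
    rule2 = DnatRule("drop-rest", (), HTTP_PORTS,
                     WAN_ADDRESS, BLACKHOLE)          # source "any", sent nowhere useful
    return [rule1, rule2]


def translate(rules: List[DnatRule], src: str, dst: str = str(WAN_ADDRESS),
              port: int = 443) -> Optional[IPv4Address]:
    """Return the new destination chosen by the first matching rule; None if no DNAT applies."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.new_destination
    return None


def reaches_waf(rules: List[DnatRule], src: str, port: int = 443) -> bool:
    """True when the packet is put back on the WAN address so the WAF can pick it up."""
    return translate(rules, src, port=port) == WAN_ADDRESS


def audit(rules: List[DnatRule]) -> List[str]:
    """Pre-deployment checks: no allowed netblock is shadowed, and outsiders are blackholed."""
    problems = []
    for net in ALLOWED_NETBLOCKS:
        probe = str(net.network_address + 1)          # first usable host in the block
        if not reaches_waf(rules, probe):
            problems.append(f"{net} is shadowed: {probe} is sent to {translate(rules, probe)}")
    outsider = "192.0.2.200"                          # hypothetical host outside both netblocks
    if translate(rules, outsider) != BLACKHOLE:
        problems.append("catch-all rule missing or misordered: outsider not blackholed")
    return problems


if __name__ == "__main__":
    good = build_rules()
    print("correct order:", audit(good) or "ok")
    bad = list(reversed(good))                        # catch-all on top: shadows the allow rule
    for problem in audit(bad):
        print("reversed order:", problem)
```

Running the module prints `ok` for the order the reply gives and two shadowing findings for the reversed order. Note also that the catch-all only covers the HTTP(S) service; a connection to any other port on the WAN address is not translated at all by this pair, so whatever the firewall rules say about those ports still applies.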