
Firewall Rules LAN to WAN & WAN to LAN

I have a question about rules: do I need a LAN to WAN rule and a WAN to LAN rule? Or a DMZ to WAN and WAN to DMZ rule? In a sense I would think that I would, given the layout of the rules for XG Firewall.


Thanks,



  • I should add that I only ask this because my UTM does not have a rule for traffic from the WAN to the DMZ in the same sense. Basically there are no zones in UTM, so I am just checking to see whether this is the recommended practice or not.


    For example, I have a ftp/sftp/www server in the DMZ-

    I have setup rules for-

    LAN to DMZ, source: any host, services: FTP, HTTP, HTTPS, SSH, destination: sftp/ftp/www server, set the IPS for the LAN to DMZ policy

    DMZ to WAN, source: sftp/ftp/www server, services: DNS, HTTP, HTTPS, IMAP, NTP, SMTPS, POP3, SMTP, destination: sftp/ftp/www server, set the IPS for the DMZ to WAN policy

    WAN to DMZ, source: any host, services: FTP, HTTP, HTTPS, destination: sftp/ftp/www server, set the IPS policy for the DMZ to WAN policy.

    I also added additional rules for clients who want to access SFTP or SSH, with port forwarding further down, i.e.

    WAN to DMZ, source: xxx.xxx.xxx.xxx, service: SSH, destination: sftp/ftp/www server, IPS WAN to DMZ policy


    I am just trying to see if this is the correct method. Also, regarding the top-down aspect of it all: if I allow forwarding in for specific clients, should that rule be above the existing WAN to DMZ rule or below it?


    Any help is appreciated.


    Thanks,
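The ordering question above is really a question about first-match evaluation and rule shadowing. The following is an added example, not code from the thread or from Sophos: it models the four rules badrobot listed as a top-down, first-match rule base and adds a shadow check that reports any rule that can never fire because an earlier rule already covers all of its traffic. The server and client addresses are constructed (TEST-NET ranges), the zone names and service names are taken from the post, and the `Rule`, `evaluate` and `shadowed_rules` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One zone-to-zone rule. Empty src_nets means 'any host';
    empty services means 'any service' (assumed semantics for this model)."""
    name: str
    src_zone: str
    dst_zone: str
    src_nets: tuple        # tuple of ip_network objects
    services: frozenset    # service names such as "SSH"
    action: str = "allow"

    def matches(self, pkt):
        if (self.src_zone, self.dst_zone) != (pkt["src_zone"], pkt["dst_zone"]):
            return False
        if self.src_nets and not any(ip_address(pkt["src_ip"]) in n for n in self.src_nets):
            return False
        return not self.services or pkt["service"] in self.services

    def covers(self, other):
        """True if every packet `other` could match would already match self."""
        if (self.src_zone, self.dst_zone) != (other.src_zone, other.dst_zone):
            return False
        nets_ok = not self.src_nets or (
            bool(other.src_nets)
            and all(any(o.subnet_of(s) for s in self.src_nets) for o in other.src_nets))
        svc_ok = not self.services or (
            bool(other.services) and other.services <= self.services)
        return nets_ok and svc_ok


def evaluate(rules, pkt, default="drop"):
    """Top-down, first match wins; returns (action, name of the deciding rule)."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return default, "implicit-default"


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


def net(cidr):
    return (ip_network(cidr),)


SERVER = "192.0.2.10"     # constructed address of the DMZ sftp/ftp/www server
CLIENT = "198.51.100.7"   # constructed address of the one SFTP/SSH client

RULES = [
    Rule("lan-to-dmz", "LAN", "DMZ", (), frozenset({"FTP", "HTTP", "HTTPS", "SSH"})),
    Rule("dmz-to-wan", "DMZ", "WAN", net(SERVER + "/32"),
         frozenset({"DNS", "HTTP", "HTTPS", "IMAP", "NTP", "SMTPS", "POP3", "SMTP"})),
    Rule("wan-to-dmz", "WAN", "DMZ", (), frozenset({"FTP", "HTTP", "HTTPS"})),
    Rule("wan-to-dmz-ssh-client", "WAN", "DMZ", net(CLIENT + "/32"), frozenset({"SSH"})),
]


def client_ssh_order_independent():
    """With the rules as posted, the client SSH rule fires whether it sits
    above or below the general WAN-to-DMZ rule, because their services
    do not overlap."""
    pkt = {"src_zone": "WAN", "dst_zone": "DMZ", "src_ip": CLIENT, "service": "SSH"}
    below = evaluate(RULES, pkt)
    above = evaluate([RULES[3], RULES[0], RULES[1], RULES[2]], pkt)
    return below == above == ("allow", "wan-to-dmz-ssh-client")


def shadow_if_general_rule_allowed_ssh():
    """Hypothetical variant: if the general WAN-to-DMZ rule also allowed SSH,
    the per-client rule placed below it could never fire (it is shadowed);
    placed above it, nothing is shadowed."""
    broad = Rule("wan-to-dmz", "WAN", "DMZ", (), frozenset({"FTP", "HTTP", "HTTPS", "SSH"}))
    specific = RULES[3]
    return shadowed_rules([broad, specific]), shadowed_rules([specific, broad])


if __name__ == "__main__":
    print("client SSH decision independent of order:", client_ssh_order_independent())
    print("shadowed in posted rule base:", shadowed_rules(RULES))
    print("shadowed if broad rule allowed SSH (below, above):", shadow_if_general_rule_allowed_ssh())
```

The check worth keeping from this is `shadowed_rules`: with the rules exactly as posted, order does not change the outcome because the general WAN to DMZ rule does not include SSH, but the moment a broader rule above the client rule starts matching the same service the narrower rule stops doing anything. Keeping the narrow, source-restricted rule above the broad one is the habit that avoids that silent failure.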

  • Hello badrobot,

    The LAN/DMZ to WAN rules are for your basic internet access. Now if you wish to allow some connection from the WAN then you may need to create a business rule such as DNAT (Virtual host) and map the ports you wish to port forward, based on the assumption that you have configured in gateway mode.

    If you have configured in bridge or gateway mode and you have an MPLS connection or another local/private network on the WAN side of XG, then WAN to LAN/DMZ would be applicable here.
