
WAF - AVOID FULL NAT BEHAVIOR

Hi Team,

I'm trying to migrate from TMG to Sophos XG. I have 40 web sites, 39 are ok, but 1 is causing a real headache :( 

In TMG you can use site path routing for web publishing, and for each rule decide whether the traffic sent to the real web server is SNATed or not.

*** I have a big problem: Sophos always does Full NAT when I use WAF ***

The question is: how can I avoid this behavior?

I need some site path routing rules not to do SNAT (the application on the server side doesn't support traffic that comes from the firewall; it only accepts the traffic it sees from outside (WAN) with public IPs).

How does it work?

It's a simple web application. Users call the web app, e.g. www.site.com on port 80, then it redirects to the IIS on the same port. I use a site path routing rule to redirect the traffic to the 192.168.100.39 server. That's all. The IIS uses the host header to do the rest.

How is the real web server configured?

  • Ip: 192.168.100.39
  • Port: 80
  • Keep Alive (+)

How is the site path routing configured?

/TimDFCT/*

Things I have tried...

  1. Doing a DNAT: I changed the outside port to 25200 and made a redirection to port 80 (internally). This worked; the problem is that the client says he can't change the external port, because the application has this address burned into many devices, and it is virtually impossible to change that at this point.
  2. Doing a DNAT and putting it at the bottom. This DNAT just sends all my other publications with WAF to hell. It seems DNAT overrides WAF rules; it doesn't matter if the DNAT is at the beginning or at the end.
  3. Trying to eliminate the internal SNAT rule with advance_firewall sys-traffic-nat delete 192.168.100.39 192.168.100.5
  4. Trying to get my IIS to accept the traffic from the firewall, because other applications on the same server seem not to have problems with the traffic coming from the firewall (I don't know why). Anyway, I couldn't figure out how to make the application accept the traffic coming from the firewall.

If there is a crack out there, I need you, man.

Thanks anyway, Team.

  • The problem is caused by the WAF itself. WAF is implemented on a firewall product. Therefore it will forward the traffic to the firewall. The firewall will decide to use Source IP, destination IP etc.

    If you have one Real Server, the WAF will give you all the time the same packets without differences. Therefore you cannot separate on a packet level. There are techniques to do this on a packet level with X-Forwarded headers etc. But not on this one.
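As an added illustration of the X-Forwarded-For approach mentioned in the reply (example code, not from the thread or from Sophos): when the WAF SNATs every connection, the backend can recover the original client address from the header, but only if it trusts the header solely from the WAF's own address and walks the hop list from the right. The trusted address 192.168.100.5 is assumed here from the sys-traffic-nat command in the question.

```python
import ipaddress

# Assumption: the XG's internal address (192.168.100.5, taken from the
# sys-traffic-nat command in the thread) is the only peer allowed to set
# X-Forwarded-For. Anything else is treated as a direct, untrusted client.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.100.5")}

def client_ip(remote_addr: str, headers: dict) -> str:
    """Return the address the application should treat as the client.

    remote_addr is the TCP peer the backend sees; after the WAF's SNAT this
    is always the firewall. X-Forwarded-For is consulted only when that peer
    is a trusted proxy, and the list is walked from the right so a client
    cannot spoof its address by sending its own X-Forwarded-For header.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)  # direct connection: the header is untrusted
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The rightmost entry was appended by the trusted proxy just validated;
    # skip any further trusted proxies and take the first untrusted hop.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed value: stop and fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # header absent or only trusted hops: keep the peer
```

The same check is what a backend behind any SNATing reverse proxy needs; with a second proxy in the chain, add its address to TRUSTED_PROXIES rather than trusting the leftmost entry.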