This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG loopback rule for WAF with "external" URL

Hi,

I'm trying to set up the web application firewall for an internal webserver.
But the tricky part: I had to use the external URL for this. And that's exactly my problem.

The WAF log says:

[Tue Apr 05 13:42:19.261160 2022] [proxy:error] [pid 31869:tid 140564917860096] (111)Connection refused: AH00957: HTTPS: attempt to connect to IP-OF-URL:443 (URL) failed

Here is my Firewall rule:

And my NAT rule:

I also tried to change "Translated source to MASQ" inside the NAT rule. Without success.

The problem seems to be, that the firewall can't access the URL itself?
External and internal users can use the webserver directly (over the Firewall rule, without the WAF) without any problems.

Hoping anybody of you had any idea.
Many thanks!

Best regards,
Daniel

This thread was automatically locked due to age.

Parents

0 dja over 3 years ago

Does no one have any idea?

Best regards,
Daniel
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to dja

I actually could not follow your problem. What do you mean? Can you show us a network flow plan?
Cancel
Vote Up 0 Vote Down

Cancel
0 dja over 3 years ago in reply to LuCar Toni

Not really. But I will try to find other words:

Actually, I have a webservice that is made available with a simple DNAT rule (see above).
Internal IP for example: 10.0.0.1
External URL for example: mygreatwebservice.com

Now I want a new URL to make the same webservice available with WAF in front of it.
Normally I would let the WAF connect to 10.0.0.1 and everything is great.

But I need the WAF to connect to mygreatwebservice.com instead. And there it says "Connection refused".

Best regards,
Daniel
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to dja

DNAT will always have precedence before WAF. So you cannot grab some Port 443/80 Traffic with WAF and then redirect it via NAT.

NAT will always grab the traffic.

You cannot Point the WAF to a DNAT. That is not possible.

So you would have to disable the NAT and use WAF instead. No need for a Loopback or NAT.
Cancel
Vote Up 0 Vote Down

Cancel
0 dja over 3 years ago in reply to LuCar Toni

Even if I don't want to use the same external IPs?

For the WAF I have assigned a completely new external IP, which is not yet used in any DNAT rule.

Best regards,
Daniel
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dja over 3 years ago in reply to LuCar Toni

Even if I don't want to use the same external IPs?

For the WAF I have assigned a completely new external IP, which is not yet used in any DNAT rule.

Best regards,
Daniel
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data