Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 883 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - how to protect a public server

Balocco SpA - Ufficio IT

Hi,

we have a web server with a public IP. Let's say the IP is 123.123.10.1/28. The gateway of this server is a network interface of Sophos XG, lets say 123.123.10.14/28 (we are autonomous system, we have several public IPs). How can I protect the web server with WAF in XG? What I cannot figure it out is that in "Hosted Address" in WAF firewall rule I cannot select the public IP of the web server (123.123.10.1/28), but only the gateway of that network 123.123.10.14/28.

In this moment the web server can be accessed from Internet just with a firewall rule "Any (source) to web Server), NAT is not necessary.

Thank you.



This thread was automatically locked due to age.
Parents
  • 0

    Hosted address is a public IP bound to the XG.

    Users only speak with this IP. XG/WAF then build the connection to selected "web Server" from Protected servers-List.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to dirkkotte

    Ok, got it. But users don't call hosted address IP to go to webserver, they call webserver IP directly. So what do i put into hosted address? Webserver's gateway? thanks!

  • +1 in reply to Balocco SpA - Ufficio IT

    No, users have to talk with the XG.

    You can change the DNS record to point to XG instead of Web-Server.
    ...or bound the Web-Server IP as additional-IP to the XG and use a new IP with the webserver.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • +1 in reply to Balocco SpA - Ufficio IT

    No, users have to talk with the XG.

    You can change the DNS record to point to XG instead of Web-Server.
    ...or bound the Web-Server IP as additional-IP to the XG and use a new IP with the webserver.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children
Unfiltered HTML