
How to replicate UTM rule to redirect DNS, NTP to internal server?

I'm trying to match my UTM9 setup on a test XG system. Hit a blocker...

I have a forwarding rule in UTM which catches traffic to destination "Any IPv4" on the NTP & DNS ports and redirects it to the UTM's LAN address. It's there to stop unnecessary external connections from IoT devices and also to prevent people circumventing any restrictions I impose via DNS lookups.

I can't seem to make this work in XG - there's no "any" destination and trying to create it as (0.0.0.0/0.0.0.0) raises an error.  Can anyone advise how I can replicate my UTM rule?

Thanks!



  • Hi,

    Can you show us a picture of the configuration on UTM? I am not able to understand what exactly you are trying to explain.

    Thanks

  • I'll try to post a screengrab or something later - can't access my UTM right now.

    The aim is to catch attempts to access external DNS services and redirect them to the UTM/XG's DNS service instead.  Same with NTP.

    Written down, the UTM rule would say this:

    - for traffic from LAN

    - using service DNS

    - going to Internet IPv4

    - change destination to UTM's LAN IP address

    Thanks!

  • Hi Jeff,

    To replicate this, you need to create a Non-HTTP Business Application rule that would supersede (top) the others with the following setup:

    -Source Zone: LAN

    -Allowed Client Networks: Any (Or a network definition of your subnet)

    -Destination Host/Network: Create an IP Range of 0.0.0.1-255.255.255.254

    -Forward type: Port/Port list (NTP & DNS/NTP/DNS)

    -Protocol: DNS can be both TCP and UDP, but is primarily UDP

    -Protected Server: Create an IP Host object for the internal IP Address of the XG

    -Mapped Port Type: Match the configuration of forwarding if it's not auto done for you

    -Protection zone: LAN

    Creating an IPS rule for DNS and NTP wouldn't hurt and you shouldn't need to rewrite source addressing and you won't need to create a reflexive rule.

    This should do it, hope that helps!

    Emile
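    A way to confirm the rule above actually intercepts DNS from a LAN client, as an added example that is not part of the thread or of Sophos' own tooling: because the DNAT rewrites the destination, replies still appear to come from the public resolver you asked, so the decisive check is to ask an "external" resolver for a name that only the XG's internal DNS can answer. The resolver address and the internal-only name below are placeholders to be replaced with your own.

```python
import socket
import struct
import random

# Constructed placeholders (assumptions, not values from the thread):
# a name only the firewall's resolver knows, and any public resolver IP.
INTERNAL_ONLY_NAME = "xg.lan"
EXTERNAL_RESOLVER = "192.0.2.53"   # TEST-NET-3 documentation address

def build_query(name, qid):
    """Minimal DNS A query (recursion desired), as raw wire bytes."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        l = data[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += l + 1

def parse_response(data):
    """Return (rcode, [A record addresses]) from a DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, off, addrs = flags & 0xF, 12, []
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE/QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs

def redirect_in_effect(rcode, addrs):
    """A public resolver cannot know the internal name; an answer means the DNAT caught us."""
    return rcode == 0 and len(addrs) > 0

def probe(resolver=EXTERNAL_RESOLVER, name=INTERNAL_ONLY_NAME, timeout=3):
    """Send the UDP query to the external address and parse whatever answers."""
    qid = random.randrange(65536)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query(name, qid), (resolver, 53))
    data, _peer = s.recvfrom(512)
    assert struct.unpack("!H", data[:2])[0] == qid, "mismatched transaction id"
    return parse_response(data)

if __name__ == "__main__":
    rcode, addrs = probe()
    print("redirected" if redirect_in_effect(rcode, addrs) else "NOT redirected", rcode, addrs)
```

This only exercises the UDP half; since the rule also carries DNS over TCP, repeat the same query over a TCP socket (with the two-byte length prefix) to confirm that side, and a timeout from a LAN client means the packet left the network unredirected or was dropped.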

  • A bit more complex than UTM, then!  ;-)


    Thanks Emile, I appreciate your help.  I'll give that a go :-)

  • Hi Jeff,

    Ha ha, it is a teensy bit because in the majority of cases the XG is combining multiple spread out systems on the UTM into one area which means some things get streamlined, others get complex, ha ha!

    If you have any problems, let us know and provide a screenshot of your rule set up and information from logs (if any) and we will see if we can resolve :)

    Emile
