
Wan to Lan or Lan to Wan - Which to use when setting up a Business Application Rule

I am setting up an internal web server that should be available to the internet. Which type of policy should I be using? Should I use a "Wan to Lan" policy because the visitor traffic is coming from the WAN to the internal server, or should I use a "Lan to Wan" policy?

When is it appropriate to use a Wan to Lan policy? Help me understand the difference between Wan to Lan and Lan to Wan and when it is appropriate to use each policy. Examples of use-cases would be awesome!



This thread was automatically locked due to age.
  • NashBrydges,

    Traffic is blocked by default when a firewall intercepts it. In order to allow traffic, you have to think about "from" and "to": so if your users need to go on the internet, the source is "users/internal networks" and the destination is "internet".

    This applies all the time on every firewall on the market nowadays. You can find DNAT example here:

    https://www.sophos.com/en-us/support/knowledgebase/122976.aspx

    Regards
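    The "from/to" model described above, as an added illustration (not code from the thread, from Sophos, or from XG itself): a small zone-based policy evaluator with first-match rules and an implicit default deny. The addresses, zone layout and rule names are constructed for the example. It also goes one step beyond the post by keeping a tiny connection table, which is why a user browsing out only needs a LAN to WAN rule (the web site's reply is matched as part of the established flow), while a visitor reaching an internally hosted server needs a WAN to LAN rule because nothing inside initiated that flow.

```python
"""Zone-based firewall policy evaluation with a minimal connection table.
Example code for illustration; zones, addresses and rule names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed internal zone; anything not listed here is treated as WAN (internet).
ZONES = {
    "LAN": [ipaddress.ip_network("192.168.10.0/24")],
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone; addresses outside all internal zones are WAN."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # (src_ip, src_port, dst_ip, dst_port) of allowed forward flows

    def _reply_to_known_flow(self, pkt: Packet) -> bool:
        # A reply has the forward flow's addresses and ports swapped.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state

    def evaluate(self, pkt: Packet):
        """Return (action, reason). Replies to established flows pass without a rule;
        otherwise the first matching zone rule wins; the implicit last rule is deny."""
        if self._reply_to_known_flow(pkt):
            return "allow", "established"
        src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
        for r in self.rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and (r.dst_port is None or r.dst_port == pkt.dst_port)):
                if r.action == "allow":
                    self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return r.action, r.name
        return "deny", "default deny"


# Constructed rule set: one rule per direction, both limited to HTTPS.
RULES = [
    Rule("LAN to WAN: web browsing", "LAN", "WAN", 443, "allow"),
    Rule("WAN to LAN: published web server", "WAN", "LAN", 443, "allow"),
]


def demo():
    """Run four constructed packets through the policy and return the decisions."""
    fw = Firewall(RULES)
    results = {}
    # A user browsing out: matched by the LAN to WAN rule.
    out = Packet("192.168.10.50", 51000, "203.0.113.10", 443)
    results["user_browsing"] = fw.evaluate(out)
    # The web site's reply: matched by the connection table, no WAN to LAN rule needed.
    back = Packet("203.0.113.10", 443, "192.168.10.50", 51000)
    results["browsing_reply"] = fw.evaluate(back)
    # A visitor reaching the internally hosted server: needs the WAN to LAN rule.
    visitor = Packet("198.51.100.7", 40000, "192.168.10.80", 443)
    results["visitor_to_server"] = fw.evaluate(visitor)
    # Unsolicited inbound traffic on a port no rule allows: default deny.
    probe = Packet("198.51.100.7", 40001, "192.168.10.80", 22)
    results["unsolicited_ssh"] = fw.evaluate(probe)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

    The design choice worth noticing is that the rule set never contains a "reply" rule: direction is decided by who initiates the flow, so the question "WAN to LAN or LAN to WAN?" is answered by asking which side sends the first packet.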

  • Thanks Luk.

    I'm clear on users accessing the internet so I've used "Lan to Wan" policies to allow for HTTP/S traffic for example so they can access websites.

    By that same logic, if I am configuring a web server that is hosted on my internal network, the proper policies to use would be "Wan to Lan"?

    The example you've provided doesn't even mention IPS policies of any kind. In fact, I'm not using a DNAT rule but a WAF Template. I have many locally hosted servers, all of which use port 443, so I've successfully created the appropriate objects and rules to allow external access to those web servers using the WAF Template.

    The only remaining question is whether IPS policies should be Wan to Lan.

  • Good that you are using WAF, more secure.

    IPS on XG uses profiles, so the pre-configured ones are intended to be used by most users. Every IPS profile includes a number of signatures used for generic traffic (WAN to LAN, LAN to WAN, general, etc.).

    I recommend that you clone the WAN to LAN profile (in this case) and then customize it by adding/removing unneeded signatures. The more signatures you add, the more RAM will be consumed and the more time will be required to scan the packets that match that profile.

    Regards

  • Perfect! That's what I needed to confirm. The use of Wan to Lan is appropriate for WAF.

    Thanks Luk! Appreciate your help.