Hi, I'm a newbie @ Sophos.
I'm using a Sophos UTM9 for 3 webservers (IIS) behind my firewall.
For 2 servers (i.e. web001 and web002) I need to block all HTTP traffic except from an exception list I've made in groups under network definition.
So Web001 and Web002 may only receive http(s) requests when the IP address exists in the list I've created (Exception).
So far so good.
For 1 other server (i.e. Web003) behind my firewall I must receive all http(s) requests from any external (All IP).
I've created an HTTP DNAT rule and an HTTP(S) DNAT rule, since you can't group services to a destination address. (error message)
So for the other two servers I did the same. So I now have 6 DNAT rules.
When I test this, only the first 2 DNAT rules (for 1 server) work. The other rules, which are in places 3-6, won't work.
If I change the order of the rules it remains the same. Rules in position 1 and 2 still work... The rest won't work...
Is there any restriction which says that the least rights or membership of a group blocks rules?