Configuration Example



Similar documents
Configuration Example

Configuration Example

Configuration Example

Configuration Example

Configuration Example

Configuration Example

WatchGuard Certified Training Partner (WCTP) Program

WatchGuard Certified Training Partner (WCTP) Program

WatchGuard Certified Training Partner (WCTP) Program

How do I configure multi-wan in Routing Table mode?

Fireware How To Logging and Notification

WatchGuard XCSv Setup Guide

Firebox X550e, Firebox X750e, Firebox X1250e Firebox X5500e, Firebox X6500e, Firebox X8500e, Firebox X8500e-F

Fireware Essentials Exam Study Guide

WatchGuard System Manager User Guide. WatchGuard System Manager v8.0

Networking for Caribbean Development

How do I set up a branch office VPN tunnel with the Management Server?

Fireware XTM Traffic Management

Fireware How To Network Configuration

WatchGuard Training. Introduction to WatchGuard Dimension

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Integration Guide. LogicNow MAXfocus

DOWNTIME CAN SPELL DISASTER

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Application Note. Configuring McAfee Firewall Enterprise for McAfee Web Protection Service

Firewall Firewall August, 2003

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

How to configure DNAT in order to publish internal services via Internet

WATCHGUARD FIREBOX SOHO 6TC AND SOHO 6

Chapter 15. Firewalls, IDS and IPS

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

Proxies. Chapter 4. Network & Security Gildas Avoine

Introduction to Computer Security Benoit Donnet Academic Year

Technical Brief ActiveSync Configuration for WatchGuard SSL 100

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Firewalls. Chapter 3

WatchGuard Gateway AntiVirus

INTRODUCTION TO FIREWALL SECURITY

How To Manage Outgoing Traffic On Fireware Xtm

Firewalls, IDS and IPS

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Multi-Homing Security Gateway

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

IP Filtering for Patton RAS Products

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Lesson 5: Network perimeter security

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

WatchGuard SSL Web UI User Guide

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Microsoft Lync Server 2010

Security Technology: Firewalls and VPNs

WatchGuard Technologies WatchGuard Technologies

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.

DMZ Network Visibility with Wireshark June 15, 2010

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

WatchGuard SSL Web UI 3.2 User Guide

Implementing Network Address Translation and Port Redirection in epipe

Figure 41-1 IP Filter Rules

Network Configuration Settings

Komplettschutz für den Mittelstand

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Migration Quick Reference Guide for Administrators

SonicOS 5.9 One Touch Configuration Guide

Firewall Defaults and Some Basic Rules

Firewall and UTM Solutions Guide

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

eprism Security Suite

Branch Office VPN Tunnels and Mobile VPN

Load Balancing Bloxx Web Filter. Deployment Guide

Polycom. RealPresence Ready Firewall Traversal Tips

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

John M. Stengel, WCSP, WCT 5/7/2010

Core Protection Suite

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

1 You will need the following items to get started:

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Chapter 11 Cloud Application Development

Deployment Guide. Deploying F5 BIG-IP Global Traffic Manager on VMware vcloud Hybrid Service

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

Configuring Security for SMTP Traffic

F-SECURE MESSAGING SECURITY GATEWAY

Lab Configuring Access Policies and DMZ Settings

Date: 2011/8/1. 1. N etwo r k Ne twork Config uration

Secure Web Appliance. Reverse Proxy

CheckPoint Software Technologies LTD. How to Configure Firewall-1 With Connect Control

Transcription:

Configuration Example Set Up a Public Web Server Behind a Firebox Example configuration files created with WSM v11.10.1 Revised 7/21/2015 Use Case In this configuration example, an organization wants to set up a public web server on a protected network behind the firewall. They want to direct incoming website traffic from the Internet to the private address of this web server. They also want local users on their own internal network to use the public URL to browse to this website. This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. Solution Overview When a computer sends traffic over the Internet to a server or another computer, it uses an IP address to identify the server, and a TCP or UDP port number to identify the process on the server that receives the data. Port 80 is used for HTTP traffic. Network Address Translation (NAT) refers to any of several forms of IP address and port translation. Static NAT, also known as port forwarding, is a port-to-host NAT. When a packet comes in to a port on a Firebox interface, a static NAT action can change the destination IP address to a different IP address and port behind the firewall. Static NAT also operates on traffic sent from networks that your Firebox protects. This solution uses a static NAT action in an HTTP-proxy policy to forward incoming traffic on port 80 to the private IP address of the web server located behind the Firebox. This is transparent to the Internet user. How It Works The web server has a private IP address and is connected to a network behind an optional interface of the Firebox. In the public DNS record for this web server, the IP address associated with the web server is the external IP address of the Firebox. The Firebox configuration includes an HTTP-proxy policy to handle all incoming port 80 traffic. The policy configuration contains a static NAT action that tells the device to forward all incoming port 80 traffic to the private IP address of the web server on the optional network.

Requirements When an Internet user browses to the URL of the web server, the traffic comes in to the external interface of the Firebox on port 80. The HTTP-proxy policy receives the traffic and uses the IP address specified in the static NAT action to forward that web traffic to the web server. Requirements A Firebox This configuration example is for a Firebox that runs Fireware OS v11.7.2. In versions of Fireware XTM earlier than 11.4.x the static NAT configuration looks slightly different than what is shown here. A web server An HTTP server configured as a public web server with a private IP address. We recommend that you do not connect publicly accessible servers, such as a web server, FTP server, or mail server, to the same network that connects to internal users or other non-public network resources. Because these servers are publicly accessible, they represent a potential vulnerability to your internal network. Instead, connect these publicly accessible servers to a separate network from your other internal network resources and users. In this example, the web server is part of a network connected to a Firebox configured as Optional, sometimes called the optional network. Configuration Example In this use case, the web server is located behind the Firebox on the optional network. 2 WatchGuard Fireware

Configuration Explained The Firebox and the web server use these IP addresses: Site A External interface IP address 203.0.113.2/24 Default Gateway IP address 203.0.113.1 IP address of the Firebox interface connected to the trusted network 10.0.1.1/24 IP address of the Firebox interface connected to the optional network 10.0.2.1//24 IP address of the web server on the optional network 10.0.2.80/24 Example Configuration File For your reference, we have included an example configuration file with this document. To examine the details of the example configuration file, you can open it with Policy Manager. The name of the configuration file is snat_web_server.xml. Configuration Explained Static NAT Action The example configuration file contains a static NAT action, also known as an SNAT action, to forward traffic from the public IP address of the Firebox external interface to the private IP address of the web server. To see the static NAT action: 1. Start Policy Manager for the Firebox. 2. Select Setup > Actions > SNAT. 3. Open the web_server action. The Edit SNAT dialog box appears. The static NAT action forwards packets addressed to the Firebox external interface IP address (203.0.113.2) to the private IP address of the web server (10.0.2.80). You can also see and edit this static NAT action from within policies where it is used. Configuration Example 3

Configuration Explained HTTP-Proxy Policy for Incoming Traffic to the Web Server By default, the Firebox does not allow incoming traffic from the external interface to the trusted or optional networks. To allow the traffic to your web server, you must add either an HTTP packet filter or HTTP-proxy policy. We recommend you use the HTTP-proxy policy because it monitors the commands used in the connection to make sure they are in the correct syntax and order, and uses deep packet inspection to help protect your HTTP server from attacks. For each proxy policy, you assign a proxy action that contains rules about what kind of content to allow. The rules in the HTTP-Server proxy action are good defaults for traffic to an internal web server. To see the HTTP-proxy policy: 1. Open the example configuration file in Policy Manager. 2. Double-click the HTTP-proxy-server policy to open it. 4 WatchGuard Fireware

Configuration Explained Make sure you understand these settings: From To The From section contains the Any-External alias, because this policy handles traffic that comes in to the web server from the external interface. The To section contains the static NAT action that forwards packets addressed to the Firebox external interface IP address (203.0.113.2) to the private IP address of the web server (10.0.2.80). Proxy action The Proxy action is set to HTTP-Server.Standard. The default settings in the HTTP-server proxy action are the recommended default settings for traffic to a web server. HTTP Policy to Allow Internal Users to Use the Public Web Server URL The example configuration contains an HTTP policy to allow the internal users to browse to the web server by its public domain name, such as www.example.com. The HTTP policy handles traffic from the trusted network to the local web server. This policy includes the same static NAT action as in the HTTP-proxy-server policy. Because this policy handles only internal traffic, there is no need for deep packet inspection, so we use the HTTP packet filter policy instead of the HTTP-Proxy policy. To see the HTTP NAT policy for this example: 1. Open the example configuration file in Policy Manager. 2. Double-click the HTTP-SNAT-to-web-server policy to open it. Configuration Example 5

Conclusion This policy includes: From To The From section of the policy allows traffic from Any-Trusted. The To section contains the same static NAT action to forward packets addressed to the Firebox external interface IP address (203.0.113.2) to the private IP address of the web server (10.0.2.80). This policy uses the static NAT action for traffic from users on the trusted network. If the network has a local DNS server with a split DNS configuration, you can add a DNS record to the internal zone to map the public domain name of the web server to its private IP address. If you do this, the HTTP policy with the SNAT action is not necessary. HTTP-Proxy Policy for Outbound Web Requests The example configuration file also includes an HTTP-proxy policy to control outbound web server access. This is not related to configuration of the web server on the optional network, but is a policy you would typically use to apply HTTP-proxy settings to outbound HTTP access for users on the trusted network. This policy allows HTTP traffic from Any-Trusted to Any-External. In the example configuration file, that policy is named HTTP-proxy-client. Conclusion In this configuration example, the Internet user browses to 203.0.113.2, or to a URL that resolves to that IP address. The traffic enters the Firebox external interface on port 80. The HTTP-proxy-server policy inspects the incoming traffic on the external interface and forwards that traffic to the HTTP server on the private network address, 10.0.2.80. Responses from the web server appear to the Internet user to come from IP address 203.0.113.2. This configuration example demonstrates how to use static NAT to send web traffic to an HTTP server on a protected network. You can also use static NAT in other policies to redirect incoming traffic to other internal servers, such as an FTP server or an SMTP email server. For more information about static NAT, see the Fireware Help. 6 WatchGuard Fireware

About this Configuration Example About this Configuration Example This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. For complete product documentation, see the Fireware Help on the WatchGuard website at: http://www.watchguard.com/help/documentation/. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright 1998-2015 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/. About WatchGuard WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard Firebox line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, please call 206.613.6600 or visit www.watchguard.com. Address 505 Fifth Avenue South Suite 500 Seattle, WA 98104 Support www.watchguard.com/support U.S. and Canada +877.232.3531 All Other Countries +1.206.521.3575 Sales U.S. and Canada +1.800.734.9905 All Other Countries +1.206.613.0895 Configuration Example 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information