<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Firewall policy for a web server with two websites in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/119051#M45726</link>
    <description>&lt;P&gt;there're several options available to get your scenario to work. you can have 2 internal IPs matched to 2 external IPs or you can run both services on the same host and port and use header information for the webserver to decide which site to return, or run 2 instances on the same host on different ports and use port translation to direct your connections.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;NAT is very flexible &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 13 Oct 2016 07:44:04 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2016-10-13T07:44:04Z</dc:date>
    <item>
      <title>Firewall policy for a web server with two websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/118946#M45699</link>
      <description>&lt;P&gt;Hi Community,&lt;BR /&gt;I am new to this forum and also not an experienced person on firewall policies. So I thought to put my question on the forum. This is what I try to achieve, I have a group of web servers with one virtual IP serving two websites (HTTPS). Externally, these two websites have different public IPs. I need to apply ACL for one website and the other one is widely open for public. Can this be achieved by simply creating two different Security and NAT policies? Let's say the external IPs are 200.x.y.z1 and 200.x.y.z2 and the internal private IP is 10.1.1.10.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 11 Oct 2016 21:56:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/118946#M45699</guid>
      <dc:creator>Als_ITGuru</dc:creator>
      <dc:date>2016-10-11T21:56:36Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall policy for a web server with two websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/118964#M45707</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if the 2 websites have different external IP addresses, this is very easily achieved&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;you'll need 2 NAT rules, one for each public IP address (you can already apply your ACL here, by defining a source in the 'original packet' fields)&lt;/P&gt;
&lt;P&gt;next, you will need to create security policies, which you can also split into 2 policies (the security policy will have the pre-NAT public IP as destination) and apply your ACL by defining a source in the one policy, and setting 'any' in the other&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;here's an article on the matter you might like: &lt;A title=" Getting Started: Network Address Translation" href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Network-Address-Translation/ta-p/116340" target="_blank"&gt; Getting Started: Network Address Translation&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 12 Oct 2016 07:33:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/118964#M45707</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2016-10-12T07:33:39Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall policy for a web server with two websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/119003#M45719</link>
      <description>&lt;P&gt;Thanks for your reply. That's what I thought but wasn't sure if that would work. I had a chat with one guy who is a Security Administrator and has done so many firewall deployments and migrations, and he suggested to have two internal IPs one for each website. I was a little confused and decided to post on here.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 12 Oct 2016 16:23:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/119003#M45719</guid>
      <dc:creator>Als_ITGuru</dc:creator>
      <dc:date>2016-10-12T16:23:01Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall policy for a web server with two websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/119051#M45726</link>
      <description>&lt;P&gt;there're several options available to get your scenario to work. you can have 2 internal IPs matched to 2 external IPs or you can run both services on the same host and port and use header information for the webserver to decide which site to return, or run 2 instances on the same host on different ports and use port translation to direct your connections.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;NAT is very flexible &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 13 Oct 2016 07:44:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-policy-for-a-web-server-with-two-websites/m-p/119051#M45726</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2016-10-13T07:44:04Z</dc:date>
    </item>
  </channel>
</rss>

