Firewall policy for a web server with two websites


L0 Member

Hi Community,
I am new to this forum and also not an experienced person on firewall policies, so I thought to put my question on the forum. This is what I try to achieve: I have a group of web servers with one virtual IP serving two websites (HTTPS). Externally, these two websites have different public IPs. I need to apply an ACL for one website, and the other one is wide open to the public. Can this be achieved by simply creating two different Security and NAT policies? Let's say the external IPs are 200.x.y.z1 and 200.x.y.z2 and the internal private IP is 10.1.1.10.

3 replies

Cyber Elite

Hi

If the 2 websites have different external IP addresses, this is very easily achieved.

You'll need 2 NAT rules, one for each public IP address (you can already apply your ACL here, by defining a source in the 'original packet' fields).

Next, you will need to create security policies, which you can also split into 2 policies (the security policy will have the pre-NAT public IP as destination), and apply your ACL by defining a source in the one policy and setting 'any' in the other.


here's an article on the matter you might like: Getting Started: Network Address Translation

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for your reply. That's what I thought, but I wasn't sure if that would work. I had a chat with one guy who is a Security Administrator and has done so many firewall deployments and migrations, and he suggested having two internal IPs, one for each website. I was a little confused and decided to post on here.

There are several options available to get your scenario to work. You can have 2 internal IPs matched to 2 external IPs, or you can run both services on the same host and port and use header information for the webserver to decide which site to return, or run 2 instances on the same host on different ports and use port translation to direct your connections.

NAT is very flexible 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
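As an added illustration (not code from this thread, and not PAN-OS itself), here is a small Python model of the evaluation order described in the replies above: the NAT rule is selected first on the original (pre-NAT) destination, and the security policy is then matched against the pre-NAT public IP together with the post-NAT zone. It covers the two-rule layout from the first reply (ACL applied as a source match in one security policy, 'any' in the other) and the destination-port-translation variant from the second reply. The public addresses (203.0.113.x standing in for 200.x.y.z1/z2), the allowed-client range, the rule names, the zone names and the 8443 listener are constructed assumptions; treating "no NAT rule matched" as a drop is a simplification of the real route-lookup behaviour. The last rule set shows the common mistake of writing the security policy against the post-NAT private IP, which matches nothing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses: 203.0.113.0/24 (TEST-NET-3) stands in for the
# thread's 200.x.y.z1 / 200.x.y.z2 public block.
SITE1_PUBLIC = "203.0.113.1"   # site with the ACL
SITE2_PUBLIC = "203.0.113.2"   # site open to the public
WEB_PRIVATE = "10.1.1.10"      # internal virtual IP from the question
ALLOWED_CLIENTS = ["198.51.100.0/24"]  # constructed ACL for site 1


@dataclass
class Packet:
    src: str
    dst: str          # original (pre-NAT) destination
    dport: int
    from_zone: str = "untrust"


@dataclass
class NatRule:
    name: str
    src_cidrs: List[str]   # 'original packet' source; empty = any
    dst: str               # 'original packet' destination
    dport: int
    translated_dst: str
    translated_port: Optional[int] = None  # set for port translation
    to_zone: str = "trust"                 # zone of the translated host


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str           # post-NAT destination zone
    src_cidrs: List[str]   # empty = any
    dst: str               # pre-NAT public IP, as Tom points out
    dport: int
    action: str            # "allow" or "deny"


def src_matches(cidrs: List[str], src: str) -> bool:
    """Empty list means 'any'; otherwise the source must fall in one CIDR."""
    if not cidrs:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def evaluate(pkt: Packet, nat_rules: List[NatRule],
             sec_rules: List[SecurityRule]) -> Tuple[str, Optional[str], Optional[int], Tuple[str, str]]:
    """Return (action, translated_dst, translated_port, (nat_rule, sec_rule))."""
    # Step 1: NAT lookup on the original packet; first match wins and fixes
    # the translated address and the post-NAT zone.
    nat = next((r for r in nat_rules
                if src_matches(r.src_cidrs, pkt.src)
                and r.dst == pkt.dst and r.dport == pkt.dport), None)
    if nat is None:
        # Simplification: a public IP with no NAT rule has no inside host.
        return ("deny", None, None, ("no-nat", "implicit-deny"))
    # Step 2: security lookup, top-down, on pre-NAT dst IP + post-NAT zone.
    for rule in sec_rules:
        if (rule.from_zone == pkt.from_zone and rule.to_zone == nat.to_zone
                and src_matches(rule.src_cidrs, pkt.src)
                and rule.dst == pkt.dst and rule.dport == pkt.dport):
            return (rule.action, nat.translated_dst,
                    nat.translated_port or pkt.dport, (nat.name, rule.name))
    return ("deny", None, None, (nat.name, "implicit-deny"))


# Layout from the first reply: two NAT rules, two security policies,
# the ACL expressed as the source of the site-1 policy, 'any' for site 2.
NAT_RULES = [
    NatRule("NAT-site1", [], SITE1_PUBLIC, 443, WEB_PRIVATE),
    NatRule("NAT-site2", [], SITE2_PUBLIC, 443, WEB_PRIVATE),
]
SEC_RULES = [
    SecurityRule("SEC-site1-acl", "untrust", "trust", ALLOWED_CLIENTS, SITE1_PUBLIC, 443, "allow"),
    SecurityRule("SEC-site2-open", "untrust", "trust", [], SITE2_PUBLIC, 443, "allow"),
]

# Variant from the second reply: one host, two listeners (443 and 8443),
# the second public IP redirected with destination port translation.
NAT_RULES_PORT_XLATE = [
    NatRule("NAT-site1", [], SITE1_PUBLIC, 443, WEB_PRIVATE, translated_port=443),
    NatRule("NAT-site2", [], SITE2_PUBLIC, 443, WEB_PRIVATE, translated_port=8443),
]

# Common mistake: security policy written against the post-NAT private IP.
SEC_RULES_WRONG = [
    SecurityRule("SEC-wrong", "untrust", "trust", [], WEB_PRIVATE, 443, "allow"),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", SITE1_PUBLIC, 443),
                Packet("192.0.2.9", SITE1_PUBLIC, 443),
                Packet("192.0.2.9", SITE2_PUBLIC, 443)):
        print(pkt.src, "->", pkt.dst, evaluate(pkt, NAT_RULES, SEC_RULES))
```

The two things worth taking from the model are the matching keys: the NAT rule keys on the original destination, and the security policy keys on that same pre-NAT public IP but on the zone of the translated host. Putting the ACL in the site-1 security policy, as the reply suggests, leaves a non-listed client with no matching allow rule and it falls through to the implicit deny, while the same client still reaches site 2.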