This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Firewall policy for a web server with two websites

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Firewall policy for a web server with two websites

Als_ITGuru
L0 Member

‎10-11-2016 02:56 PM

Hi Community,
I am new to this forum and also not an exprienced person on firewall policies. So I thought to put my question on the forum. This is what I try to achieve, I have a group of web servers with one virtual IP serving two websites (HTTPS). Externally, these two websites have different public IPs. I need to apply ACL for one website and the other one is widely open for public. Can this be achieved by simply creating two differnet Security and NAT policies? Lets say the external IPs are 200.x.y.z1 and 200.x.y.z2 and the internal private IP is 10.1.1.10. 

0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎10-12-2016 12:32 AM - edited ‎10-12-2016 12:33 AM

Hi

 

if the 2 websites have different external IP addresses, this is very easily achieved

 

you'll need 2 NAT rules, one for each public IP address (you can already apply your ACL here, by defining a source in the 'original packet' fields)

next, you will need to create security policies, which you can also split into 2 policies (the security policy will have the pre-NAT public IP as destination) and apply your ACL by defining a source in the one policy, and setting 'any' in the other

 

here's an article on the matter you might like: Getting Started: Network Address Translation

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Als_ITGuru
L0 Member
In response to reaper

‎10-12-2016 09:23 AM

Thanks for your reply. That's what I thought but wasn't sure if that would work. I had a chat with one guy who is a Security Administrator and have done so many firewall deployments and migrations, and he suggested to have two internal IPs one for each website. I was little confused and decided to post on here. 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Als_ITGuru

‎10-13-2016 12:44 AM

there're several options available to get your scenario to work. you can have 2 internal IPs matched to 2 external IPs or you can run both services on the same host and port and use header information for the webserver to decide which site to return, or run 2 instances on the same host on different ports and use port translation to direct your connections.

 

NAT is very flexible 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2197 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks