02-07-2012 02:28 AM
Hi all,
I am facing this issue and don't know how to solve it; can anyone help me?
I have to migrate the configuration of some Check Point security rules to a Palo Alto PA-500 (PAN-OS 4.0).
On Check Point there are some rules that do URL rewriting.
Example (I'll try to translate the rules):
Some rules are configured to grant access to the website. So, when the client types "www.xxx.com" into the web browser, the request matches the security rules and the Check Point changes the URL to "www.yyy.com\xxx" because the website is in another location.
How can I do this with Palo Alto?
02-07-2012 02:50 AM
You mean like a destination NAT, but instead of doing this at the IP level (replace dstip x.x.x.x with y.y.y.y) you do it at the URL level instead (replace http://www.xxx.com with http://www.yyy.com while the request is flowing through, or rather alter the "Host:" part of the HTTP header)?
What's the main purpose of this (in order to help you out with a better solution)?
Is it so the client who visits (and in their address bar) has "www.google.com" but is actually being served pages from "www.bing.com" (forward situation)?
Or is it because you have a webserver where you cannot change the hostname/which domains it listens for (for one reason or another), like companyname, but your company just changed its name so both the old and the new name must work (reverse situation)?
Or is it a mix? Because if you alter the Host header you can still send the packet to the original dstip. Or do you change the dstip as well, based on what DNS says www.yyy.com points to? And if so, is this DNS lookup performed only when you commit your rules, or looked up for each request (or some buffer)?
02-07-2012 03:39 AM
It is almost like in this situation:
Or is it because you have a webserver where you cannot change the hostname/which domains it listens for (for one reason or another), like companyname, but your company just changed name so both the old and the new name must work (reverse situation)?
02-07-2012 04:15 PM
The proper way is obviously to fix this in the webserver itself.
If you run Apache on it you can use ServerName together with ServerAlias to do this.
Let's say your server is supposed to handle http://www.company.com (and http://company.com) but now it must, for the very same files and all that, also listen to http://www.anothercompany.com (and http://anothercompany.com).
You can either set this up as two different VirtualHosts, OR by using ServerName/ServerAlias like so:
ServerName www.company.com
ServerAlias company.com www.anothercompany.com anothercompany.com
And if the above isn't possible, then set up a reverse proxy in front of your webserver(s) which will do the same.
Doing this in the firewall is just... wrong... IMHO
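Both variants from that reply written out as an added example (not from the original post or from Palo Alto Networks); the hostnames, document roots and the backend address are assumed:

```apache
# Added example, not from the original post. Assumed names and paths:
# company.com / anothercompany.com, /var/www/company, /var/www/empty,
# and a backend that only answers to the Host header "www.company.com".

# 1) Default vhost, listed first so it catches every request whose Host
#    header matches none of the names below. Without it Apache serves the
#    first vhost for any hostname, including ones you never meant to host.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2) One vhost serving the same files under the old and the new name.
<VirtualHost *:80>
    ServerName www.company.com
    ServerAlias company.com www.anothercompany.com anothercompany.com
    DocumentRoot /var/www/company
    # Optional: redirect the extra names to the canonical one (mod_rewrite),
    # so a single hostname ends up in bookmarks, certificates and logs.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.company\.com$ [NC]
    RewriteRule ^ http://www.company.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# 3) Reverse-proxy variant (mod_proxy, mod_proxy_http) for a backend whose
#    hostname cannot be changed: the proxy answers for the new name and, with
#    ProxyPreserveHost Off, forwards the request with Host: www.company.com,
#    which is the URL rewrite the firewall was doing. Assumes this host
#    resolves www.company.com to the backend (DNS or /etc/hosts).
<VirtualHost *:80>
    ServerName www.anothercompany.com
    ServerAlias anothercompany.com
    ProxyRequests Off
    ProxyPreserveHost Off
    ProxyPass        "/" "http://www.company.com/"
    ProxyPassReverse "/" "http://www.company.com/"
</VirtualHost>
```

Block 2 and block 3 are alternatives, not meant to be enabled together for the same names; keep block 1 in either case.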
08-10-2012 12:43 PM
https://live.paloaltonetworks.com/message/17683#17683
Message was edited by: Jason Ott I linked it to my original question.