

Set Up a Public Web Server Behind a Firebox - Configuration Example

Solution Overview

The objective of this configuration example is to show how an organization can set up a public web server on a protected network behind the firewall. In this example, we want to direct incoming website traffic from the Internet to the private address of this web server. We also want local users on their own internal network to use the public URL to browse to this website.

This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment.

How It Works

When a computer sends traffic over the Internet to a server or another computer, it uses an IP address to identify the server, and a TCP or UDP port number to identify the process on the server that receives the data. Network Address Translation (NAT) refers to any of several forms of IP address and port translation. Static NAT, also known as port forwarding, is a port-to-host NAT: when a packet comes in to a port on a Firebox interface, a static NAT action can change the destination IP address to a different IP address and port behind the firewall. Static NAT also operates on traffic sent from networks that your Firebox protects.

This solution uses a static NAT action in an HTTP-proxy policy to forward incoming traffic on port 80 to the private IP address of the web server located behind the Firebox. This is transparent to the Internet user. In this example, the web server has a private IP address and is connected to a network behind an optional interface of the Firebox. In the public DNS record for this web server, the IP address associated with the web server is the external IP address of the Firebox, so the private address of the server never appears in public DNS.

The Firebox configuration should include an HTTP-proxy policy to handle all incoming port 80 traffic. The policy configuration should contain a static NAT action that tells the device to forward all incoming port 80 traffic to the private IP address of the web server on the optional network. When an Internet user browses to the URL of the web server, the traffic comes in to the external interface of the Firebox on port 80. The HTTP-proxy policy receives the traffic and uses the IP address specified in the static NAT action to forward that web traffic to the web server. Because local users also browse to the public URL, the same policy must accept port 80 traffic from the trusted network as well as from the external interface; the Firebox then translates the public address to the private address of the server for those connections too.

Requirements

This configuration example is for a Firebox that runs Fireware v11.7.2 or higher. It also requires an HTTP server configured as a public web server with a private IP address.

Network Topology

We recommend that you do not connect publicly accessible servers, such as a web server, FTP server, or mail server, to the same network that connects to internal users or other non-public network resources. Because these servers are publicly accessible, a compromised server would give an attacker a foothold on the same network segment as your users and internal resources. Instead, connect these publicly accessible servers to a separate network from your other internal network resources and users. In this example, the web server is part of a network connected to a Firebox interface configured as Optional, sometimes called the optional network.

In our configuration example, the web server is located behind the Firebox on the optional network. The Firebox and the web server use these IP addresses:

IP address of the Firebox external interface: 203.0.113.2
IP address of the Firebox interface connected to the trusted network
IP address of the Firebox interface connected to the optional network
IP address of the web server on the optional network: 10.0.2.80

Static NAT Action

In this example, we created a configuration with a static NAT action, also known as an SNAT action, to forward traffic from the public IP address of the Firebox external interface to the private IP address of the web server. Create an SNAT action similar to our web_server action. In this case, the static NAT action forwards packets addressed to the Firebox external interface IP address (203.0.113.2) to the private IP address of the web server (10.0.2.80). You can see and edit this static NAT action from within policies where it is used.

HTTP-Proxy Policy for Incoming Traffic to the Web Server

By default, the Firebox does not allow incoming traffic from the external interface to the trusted or optional networks. To allow the traffic to your web server, you must add either an HTTP packet filter or an HTTP-proxy policy. We recommend the HTTP-proxy policy: a packet filter only matches addresses, protocol, and port, whereas the proxy monitors the commands used in the connection to make sure they are in the correct syntax and order, and uses deep packet inspection to help protect your HTTP server from attacks. For each proxy policy, you assign a proxy action that contains rules about what kind of content to allow.
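The static NAT action and inbound policy described in this example, modelled as an added illustration. This is not Fireware code and uses no WatchGuard API; it shows the translation the policy performs, the default deny for unmatched inbound traffic, and the reverse translation of the server's reply so the client keeps seeing the public address. The addresses 203.0.113.2 and 10.0.2.80 come from the example; the client addresses and the interface names "external", "trusted" and "optional" are constructed for the model.

```python
"""Model of the static NAT (SNAT) action used by the inbound HTTP-proxy policy.

Added illustration for this configuration example. It is not Fireware code and
uses no WatchGuard API; it shows the translation the page describes. The
addresses 203.0.113.2 (Firebox external interface) and 10.0.2.80 (web server)
come from the example; every client address below is constructed sample input.
"""
from dataclasses import dataclass, replace
from typing import Optional

EXTERNAL_IP = "203.0.113.2"   # public address in the web server's DNS record
WEB_SERVER_IP = "10.0.2.80"   # private address on the optional network


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on: external/trusted/optional
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class SNATAction:
    """Port-to-host mapping: public IP[:port] -> internal host[:port]."""
    name: str
    public_ip: str
    internal_ip: str
    internal_port: Optional[int] = None   # None keeps the original destination port


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str
    port: int
    from_ifaces: frozenset   # interfaces whose traffic the policy accepts
    to: SNATAction           # the policy's "To" member is the SNAT action


class Firebox:
    def __init__(self, policies):
        self.policies = list(policies)
        # Flow table so replies can be reverse-translated:
        # (client ip, client port, server ip, server port) -> (public ip, public port)
        self.flows = {}

    def inbound(self, pkt):
        """Apply the first matching policy. Unmatched inbound traffic is denied,
        which is the Firebox default for traffic from the external interface."""
        for pol in self.policies:
            if (pkt.proto == pol.proto and pkt.dport == pol.port
                    and pkt.ingress in pol.from_ifaces and pkt.dst == pol.to.public_ip):
                out = replace(pkt, dst=pol.to.internal_ip,
                              dport=pol.to.internal_port or pkt.dport)
                self.flows[(out.src, out.sport, out.dst, out.dport)] = (pkt.dst, pkt.dport)
                return out, pol.name
        return None, "deny"

    def reply(self, pkt):
        """Rewrite the server's reply so the client sees the public address it used."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return None   # no translated flow to undo
        public_ip, public_port = self.flows[key]
        return replace(pkt, src=public_ip, sport=public_port)


def build_example_firebox():
    """The page's configuration: one SNAT action and one HTTP-proxy policy that
    accepts port 80 from the Internet and from the trusted network, so local
    users can use the public URL as well."""
    web_server = SNATAction("web_server", EXTERNAL_IP, WEB_SERVER_IP)
    http_proxy = Policy("HTTP-proxy", "tcp", 80,
                        frozenset({"external", "trusted"}), web_server)
    return Firebox([http_proxy])


if __name__ == "__main__":
    fb = build_example_firebox()
    client = Packet("external", "198.51.100.7", 51000, EXTERNAL_IP, 80)  # constructed
    fwd, name = fb.inbound(client)
    print(name, fwd)
    print(fb.reply(Packet("optional", WEB_SERVER_IP, 80, client.src, client.sport)))
```

The policy matches on the public address and port and on the interface the packet arrived from; a packet for the public address on any other port, or for the private address directly, falls through to the default deny. Trusted users reaching the public address go through the same SNAT action, which is what makes the public URL usable from inside.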

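What "correct syntax and order" means in practice, as an added example that is not WatchGuard's implementation: a minimal HTTP request-head validator of the kind a proxy applies before forwarding a connection to the web server. The request line must come first, every following line must be a well-formed header, and the head must end with an empty line; a packet filter that only matches TCP port 80 cannot distinguish any of these cases. The allowed-method set, the rejection of a request carrying both Content-Length and Transfer-Encoding (a common proxy hardening against request smuggling, beyond what the page states) and the sample requests are assumptions made for this example.

```python
"""Minimal HTTP request-head validator.

Added illustration of the kind of check an HTTP proxy applies (it is not
WatchGuard's implementation): the request must be syntactically well-formed
and its lines must come in the right order (request line first, then headers,
then an empty line). A packet filter that only matches TCP port 80 cannot tell
any of these cases apart. The allowed-method set and the sample requests
below are constructed for the example.
"""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"           # RFC 9110 token
REQUEST_LINE = re.compile(rf"({TOKEN}) (\S+) HTTP/(\d)\.(\d)")
HEADER_LINE = re.compile(rf"({TOKEN}):[ \t]*(.*?)[ \t]*")
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
BARE_CR_OR_LF = re.compile(r"\r(?!\n)|(?<!\r)\n")
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})


def check_http_request(raw: bytes, allowed_methods=ALLOWED_METHODS):
    """Return (True, "") for an acceptable request head, else (False, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of header block"        # not HTTP at all, or truncated
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    if CONTROL_CHARS.search(text) or BARE_CR_OR_LF.search(text):
        return False, "control characters or bare CR/LF in request head"

    lines = text.split("\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])              # order: request line must be first
    if not m:
        return False, f"malformed request line: {lines[0]!r}"
    method, target, major, minor = m.groups()
    if method not in allowed_methods:
        return False, f"method not allowed: {method}"
    if major != "1":
        return False, f"unsupported HTTP version {major}.{minor}"
    if not (target.startswith("/") or target == "*" or "://" in target):
        return False, f"malformed request target: {target!r}"

    headers = {}
    for line in lines[1:]:                            # every following line must be a header
        h = HEADER_LINE.fullmatch(line)
        if not h:
            return False, f"malformed header line: {line!r}"
        name, value = h.groups()
        headers.setdefault(name.lower(), []).append(value)

    if (major, minor) == ("1", "1") and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    if len(headers.get("host", [])) > 1:
        return False, "duplicate Host header"
    if "content-length" in headers and "transfer-encoding" in headers:
        return False, "both Content-Length and Transfer-Encoding present"
    for cl in headers.get("content-length", []):
        if not re.fullmatch(r"\d+", cl):
            return False, f"invalid Content-Length: {cl!r}"
    return True, ""


# Constructed sample requests, as they might arrive on port 80 of the external interface.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "no_host": b"GET /index.html HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
    "bad_line": b"GET/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",   # TLS record, not HTTP
    "smuggle": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {check_http_request(raw)}")
```

Only the "browser" sample would be forwarded to 10.0.2.80; the others are rejected before the web server sees them, which is the protection the proxy adds over a plain port 80 packet filter.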