Not recommended if SNAT environment exists between the LAN and this NGAF device.

Farazkhan Lv1Posted 2023-Nov-07 15:02

We have a firewall on the edge and IAM after the firewall. We need to know: should we turn off the following options on the firewall?

ArsalanAli has solved this question and earned 20 coins.
Farina Ahmed Lv5Posted 2023-Nov-08 18:04
  
If a Source Network Address Translation (SNAT) environment exists between the LAN and the Next-Generation Application Firewall (NGAF) device, it is not recommended to turn off certain options on the firewall. Disabling these options might disrupt the SNAT functionality, leading to communication issues between the LAN and the NGAF device. It's crucial to maintain these options enabled to ensure proper network address translation and seamless communication flow within the network architecture. Disabling them could potentially cause connectivity problems and compromise the overall security and functionality of the network setup.
jerome_itable Lv3Posted 2023-Nov-09 08:54
  
In a SNAT environment, the firewall on the edge should not be configured to allow incoming connections. This is because the SNAT device will be responsible for routing incoming traffic to the correct internal server. If the firewall were to allow incoming connections, this could bypass the SNAT device and allow unauthorized access to the internal network.

The firewall should also be configured to block outgoing connections to any IP address that is not explicitly allowed. This is to prevent users from sending data to unauthorized servers.

Finally, the firewall should be configured to only allow specific applications to communicate over the firewall. This will help to prevent unauthorized applications from accessing the network.

Here are some specific firewall options that you may need to turn off in a SNAT environment:

    Allow incoming connections from any IP address.
    Allow outgoing connections to any IP address.
    Allow any application to communicate over the firewall.

You may also need to configure the firewall to allow SNAT to translate IP addresses. This will allow internal servers to communicate with the internet without having their public IP addresses exposed.

In addition to disabling firewall options, you can also use IAM to control access to your network resources. IAM can be used to create IAM roles that grant users specific permissions, such as the ability to read or write data to a specific database.

By disabling unnecessary firewall options, using IAM to control access to your network resources, and configuring the firewall to allow SNAT to translate IP addresses, you can help to improve the security of your SNAT environment.
VanFlyheights Lv3Posted 2023-Nov-09 10:27
  
It is not advised to disable specific firewall settings if there is a Source Network Address Translation (SNAT) environment between the Local Area Network (LAN) and the Next-Generation Application Firewall (NGAF) device. If these parameters are disabled, SNAT functioning may be affected, which might cause problems with communication between the LAN and the NGAF device. To guarantee correct network address translation and smooth communication throughout the network architecture, it is imperative to keep these parameters enabled. Disabling them may result in connection issues and jeopardize the network's general security and operation.
ZoroZoro Lv3Posted 2023-Nov-09 10:34
  
    Allow incoming connections from any IP address.
    Allow outgoing connections to any IP address.
    Allow any application to communicate over the firewall.
ArsalanAli Lv3Posted 2023-Nov-10 13:21
  
This option is related to Anti-DoS/DDoS attack.
This is a normal message; you can ignore it (we are also receiving this message).
Once you enable it, some IPs start getting blocked because NGAF considers these IPs as DDoS attackers, so you have to change the threshold level or exclude these IPs by putting them in the "internal IP Whitelisting list".

Go to the Tool tab and the internal IP Whitelisting list.
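An added illustration, not code from the thread or from Sangfor, of why the anti-DoS option is a poor fit behind SNAT: a per-source packet-rate threshold sees every LAN host collapsed into one public address, so ordinary traffic trips the limit until that address is whitelisted. The threshold value, the addresses and the counting logic are assumptions, not NGAF's actual algorithm.

```python
from collections import Counter, defaultdict

# Hypothetical "packets per second per source" limit (constructed value).
THRESHOLD_PPS = 100

def sources_over_threshold(packets, whitelist=frozenset(), threshold=THRESHOLD_PPS):
    """packets: iterable of (second, src_ip).
    Returns {src_ip: peak_pps} for every source whose peak per-second rate
    exceeded the threshold and that is not on the whitelist."""
    per_second = defaultdict(Counter)
    for second, src in packets:
        per_second[second][src] += 1
    peak = Counter()
    for counts in per_second.values():
        for src, n in counts.items():
            peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items()
            if n > threshold and src not in whitelist}

def snat(packets, lan_prefix="10.0.0.", public_ip="203.0.113.10"):
    """Model a SNAT device: every LAN source is rewritten to one public IP."""
    return [(sec, public_ip if src.startswith(lan_prefix) else src)
            for sec, src in packets]

# Constructed sample: 40 LAN hosts each sending 5 packets in the same second.
# Individually each host is far below the limit.
lan_traffic = [(0, f"10.0.0.{h}") for h in range(1, 41) for _ in range(5)]

if __name__ == "__main__":
    # Without SNAT nothing is flagged.
    print(sources_over_threshold(lan_traffic))                 # {}
    # Behind SNAT the aggregate 200 pps from one address is flagged.
    print(sources_over_threshold(snat(lan_traffic)))           # {'203.0.113.10': 200}
    # Whitelisting the SNAT address (the thread's fix) clears the alert.
    print(sources_over_threshold(snat(lan_traffic), {"203.0.113.10"}))  # {}
```

Raising the threshold instead of whitelisting also works in this model, but it weakens detection for every external source, which is why the whitelist is the narrower change.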
Racoon Lv2Posted 2023-Nov-10 16:55
  
To turn off, just uncheck the Enable checkbox options.
