
Not recommended if SNAT environment exists between the LAN and this NGAF device.

Created: 07 Nov 2023 15:02

Summary:

We have a firewall on the edge and IAM after the firewall. We need to know whether we should turn off the following options on the firewall?


Racoon Posted 10 Nov 2023 16:55
To turn it off, just uncheck the Enable checkbox options.
ArsalanAli Posted 10 Nov 2023 13:21
This option is related to Anti-DoS/DDoS attack protection.
This is a normal message, you can ignore it (we have also been receiving this message).
Once you enable it, some IPs start getting blocked because the NGAF considers these IPs as DDoS attackers (so you have to change the threshold level, or exclude these IPs by putting them in the "internal IP Whitelisting list").

Go to the Tool tab and the internal IP Whitelisting list.
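The reason SNAT interacts badly with this kind of protection is that a per-source-IP rate threshold sees every LAN client as one address once an upstream NAT has rewritten the source, so ordinary aggregate traffic looks like a single flooding host. The following is an added illustration, not Sangfor code and not the NGAF's actual detection logic: a minimal per-source connection-rate check run over a constructed log, once with the original client addresses and once after a simulated SNAT rewrite, plus the whitelist exclusion described above. The log format, the threshold of 5 connections per second, the LAN range 10.0.0.0/24 and the SNAT address 192.0.2.1 are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: 12 new connections within one second from 6 distinct
# LAN clients (2 each). Format: "<epoch-seconds> <src-ip> -> <dst-ip>:<port>".
SAMPLE_LOG = [
    "1699000000 10.0.0.11 -> 203.0.113.5:443",
    "1699000000 10.0.0.11 -> 203.0.113.5:443",
    "1699000000 10.0.0.12 -> 203.0.113.5:443",
    "1699000000 10.0.0.12 -> 203.0.113.6:80",
    "1699000000 10.0.0.13 -> 203.0.113.5:443",
    "1699000000 10.0.0.13 -> 203.0.113.5:443",
    "1699000000 10.0.0.14 -> 203.0.113.7:443",
    "1699000000 10.0.0.14 -> 203.0.113.5:443",
    "1699000000 10.0.0.15 -> 203.0.113.5:443",
    "1699000000 10.0.0.15 -> 203.0.113.5:443",
    "1699000000 10.0.0.16 -> 203.0.113.8:443",
    "1699000000 10.0.0.16 -> 203.0.113.5:443",
]

THRESHOLD = 5           # hypothetical: max new connections per source per window
WINDOW_SECONDS = 1      # hypothetical window size
LAN = ipaddress.ip_network("10.0.0.0/24")   # constructed LAN range
SNAT_IP = "192.0.2.1"   # constructed address the upstream SNAT device rewrites LAN sources to


def parse(lines):
    """Parse log lines into (timestamp, src_ip, dst) tuples."""
    events = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        src, _, dst = rest.partition(" -> ")
        events.append((int(ts), src, dst))
    return events


def apply_snat(events, lan=LAN, snat_ip=SNAT_IP):
    """Simulate an upstream SNAT device: every LAN source becomes the single NAT address."""
    out = []
    for ts, src, dst in events:
        if ipaddress.ip_address(src) in lan:
            src = snat_ip
        out.append((ts, src, dst))
    return out


def flood_sources(events, threshold=THRESHOLD, window=WINDOW_SECONDS, whitelist=()):
    """Return the set of source IPs that exceed `threshold` new connections in any window.

    Whitelisted sources are never counted, mirroring an 'internal IP whitelist' exclusion.
    """
    buckets = defaultdict(int)
    for ts, src, _ in events:
        if src in whitelist:
            continue
        buckets[(src, ts // window)] += 1
    return {src for (src, _), count in buckets.items() if count > threshold}


def compare_scenarios(lines=SAMPLE_LOG):
    """Run the same detector over the same traffic with and without SNAT in the path."""
    events = parse(lines)
    natted = apply_snat(events)
    return {
        "without_snat": flood_sources(events),
        "with_snat": flood_sources(natted),
        "with_snat_whitelisted": flood_sources(natted, whitelist={SNAT_IP}),
    }


if __name__ == "__main__":
    for name, blocked in compare_scenarios().items():
        print(f"{name:24s} blocked={sorted(blocked) or 'none'}")
```

Without SNAT each client accounts for only two connections and nothing is flagged; after SNAT the same traffic collapses onto 192.0.2.1 and that single address crosses the threshold, which is exactly the false positive that blocks the whole LAN. Whitelisting the SNAT address (or raising the threshold to match the aggregate rate) suppresses the detection, at the cost that the protection no longer sees individual internal hosts at all.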
ZoroZoro Posted 09 Nov 2023 10:34
    Allow incoming connections from any IP address.
    Allow outgoing connections to any IP address.
    Allow any application to communicate over the firewall.
VanFlyheights Posted 09 Nov 2023 10:27
It is not advised to disable specific firewall settings if there is a Source Network Address Translation (SNAT) environment between the Local Area Network (LAN) and the Next-Generation Application Firewall (NGAF) device. If these parameters are disabled, SNAT functioning may be affected, which might cause problems with communication between the LAN and the NGAF device. To guarantee correct network address translation and smooth communication throughout the network architecture, it is imperative to keep these parameters enabled. Disabling them may result in connection issues and jeopardize the network's general security and operation.
jerome_itable Posted 09 Nov 2023 08:54
In a SNAT environment, the firewall on the edge should not be configured to allow incoming connections. This is because the SNAT device will be responsible for routing incoming traffic to the correct internal server. If the firewall were to allow incoming connections, this could bypass the SNAT device and allow unauthorized access to the internal network.

The firewall should also be configured to block outgoing connections to any IP address that is not explicitly allowed. This is to prevent users from sending data to unauthorized servers.

Finally, the firewall should be configured to only allow specific applications to communicate over the firewall. This will help to prevent unauthorized applications from accessing the network.

Here are some specific firewall options that you may need to turn off in a SNAT environment:

    Allow incoming connections from any IP address.
    Allow outgoing connections to any IP address.
    Allow any application to communicate over the firewall.

You may also need to configure the firewall to allow SNAT to translate IP addresses. This will allow internal servers to communicate with the internet without having their public IP addresses exposed.

In addition to disabling firewall options, you can also use IAM to control access to your network resources. IAM can be used to create IAM roles that grant users specific permissions, such as the ability to read or write data to a specific database.

By disabling unnecessary firewall options, using IAM to control access to your network resources, and configuring the firewall to allow SNAT to translate IP addresses, you can help to improve the security of your SNAT environment.
Farina Ahmed Posted 08 Nov 2023 18:04
If a Source Network Address Translation (SNAT) environment exists between the LAN and the Next-Generation Application Firewall (NGAF) device, it is not recommended to turn off certain options on the firewall. Disabling these options might disrupt the SNAT functionality, leading to communication issues between the LAN and the NGAF device. It's crucial to maintain these options enabled to ensure proper network address translation and seamless communication flow within the network architecture. Disabling them could potentially cause connectivity problems and compromise the overall security and functionality of the network setup.