topic Re: Reverse Proxy + Access Rules in Firewall and Security Management

Reverse Proxy + Access Rules

nemezis_rock — Wed, 19 Jul 2023 13:22:29 GMT

Hi all,

How to restrict access to services that were published via Reverse Proxy? Can someone provide exmaple configuration?

I've already played with Access Rules after checking box Unified Access Policy. But access policy not working.

Attaching log file showing that rules not working. It is just passing traffic according empty rule... Im confused.

Re: Reverse Proxy + Access Rules

the_rock — Wed, 19 Jul 2023 13:53:43 GMT

What exact services are you trying to block? Can you send a screenshot of the rule you created? Please blur out any sensitive info.

Andy

Re: Reverse Proxy + Access Rules

nemezis_rock — Thu, 20 Jul 2023 04:44:32 GMT

Block services? Nope.

I've published services via Reverse Proxy:

1. Service 1: https://example1.domain.com/ ---> internal.server.com:8080

2. Service 2: https://example2.domain.com/ ---> anotherinternal.server.com:80

So, when there is an external requests to subdomain Service1 it proxies to internal service. I want to create access rule for that https://*.domain.com services. For example, Group of external IP addresses have access to example1.domain.com, or only US IP addresses (Updatable object) have access to example2.domain.com and etc.

Re: Reverse Proxy + Access Rules

PhoneBoy — Thu, 20 Jul 2023 12:48:51 GMT

When you say "Reverse Proxy" are you referring to the configuration here? https://support.checkpoint.com/results/sk/sk110348
More details on exactly what you've configured will help.

Re: Reverse Proxy + Access Rules

nemezis_rock — Thu, 20 Jul 2023 13:02:52 GMT

Dear @PhoneBoy ,

Thank you for reply, and

Of course I read some topics, how would I publish web service via ReverseProxy without reading docs?

I have published web service:

And it works fine, it published and I can access it from internet. But I want also create some Access Rules for published services and give access only known hosts from internet. Some of checkmaters are saying that it is not possible. But,

After playing with rules and analyzing it, i noticed that Access Rules working but Partially.

When you create Accept rule for ExternalIP and dst test.domain.com, traffic goes through that rule. But other External IPs goes through Implied Access Rule 0:

So traffic goes in this order i believe:

It just cant reach drop rule. If there is any way to disable implied rule, or move the order of Accept rule of Implied Rule and place it after Drop Rule of Access Policy it will work i think.