Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
nemezis_rock
Contributor

Reverse Proxy + Access Rules

Hi all,

How to restrict access to services that were published via Reverse Proxy? Can someone provide exmaple configuration?

I've already played with Access Rules after checking box Unified Access Policy. But access policy not working. 

Attaching log file showing that rules not working. It is just passing traffic according empty rule... Im confused. 

0 Kudos
4 Replies
the_rock
Legend
Legend

What exact services are you trying to block? Can you send a screenshot of the rule you created? Please blur out any sensitive info.

Andy

0 Kudos
nemezis_rock
Contributor

Block services? Nope.

I've published services via Reverse Proxy:

1. Service 1: https://example1.domain.com/  ---> internal.server.com:8080

2. Service 2: https://example2.domain.com/  ---> anotherinternal.server.com:80

So, when there is an external requests to subdomain Service1 it proxies to internal service. I want to create access rule for that https://*.domain.com   services. For example, Group of external IP addresses have access to example1.domain.com, or only US IP addresses (Updatable object) have access to example2.domain.com and etc.

 
0 Kudos
PhoneBoy
Admin
Admin

When you say "Reverse Proxy" are you referring to the configuration here? https://support.checkpoint.com/results/sk/sk110348
More details on exactly what you've configured will help.

0 Kudos
nemezis_rock
Contributor

Dear @PhoneBoy ,

Thank you for reply, and

Of course I read some topics, how would I publish web service via ReverseProxy without reading docs?

I have published web service:proxyrule.png

And it works fine, it published and I can access it from internet. But I want also create some Access Rules for published services and give access only known hosts from internet. Some of checkmaters are saying that it is not possible. But,

After playing with rules and analyzing it, i noticed that Access Rules working but Partially

When you create Accept rule for ExternalIP and dst test.domain.com, traffic goes through that rule. But other External IPs goes through Implied Access Rule 0:

nemezis_rock_0-1689858073026.png

 

 

So traffic goes in this order i believe:

nemezis_rock_1-1689858073081.png

 

 

It just cant reach drop rule. If there is any way to disable implied rule, or move the order of Accept rule of Implied Rule and place it after Drop Rule of Access Policy it will work i think.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events