Use SD-WAN routes for WAF
You can use SD-WAN routes to route traffic to a web server protected by web server protection (WAF) in a remote network.
-
Scenario
This example is based on the following deployment:
- A website protected by WAF is published on Port1 (WAN) over TCP port 8080.
- Sophos Firewall and the remote firewall are connected through route-based IPsec VPN.
- The web server behind the remote firewall can be reached through the
gw6
gateway.
Network diagram
Requirements
Make sure you have the following configurations:
- WAF rule for the website. See Add a web server protection (WAF) rule.
- Route-based IPsec VPN connections on both firewalls. See Create a route-based VPN with traffic selectors.
Configure gateway object
You must configure a gateway object for the gateway where the remote web server can be reached. To configure a gateway object, do as follows:
- Go to Routing > Gateways.
- Under IPv4 gateway, click Add.
- Enter a name. This example uses
gw6
. - Under Gateway IP, enter the remote gateway's IP address. This example uses
10.12.13.2
. - Under Interface, select the interface of the gateway. This example uses
xfrm1-10.12.13.1
. - Under Monitoring condition, enter the IP address of a host device behind the gateway. This example uses
10.12.13.2
.
For more information, see Add a gateway.
Configure SD-WAN route
To configure an SD-WAN route, do as follows:
- Go to Routing > SD-WAN routes.
- Select IPv4 and click Add.
- Enter a name. This example uses
SD-WAN WAF
. - Under Destination networks, remove
Any
and select the WAN interface on which the web server can be reached. This example uses#Port1
. -
Under Services, remove
Any
and select the service object for the port on which the web server can be reached. This example uses TCP8080
.If the web server's external TCP port is different from the internal TCP port, you must use the external TCP port in the SD-WAN route.
-
Under Link selection settings, select Primary and Backup gateways.
-
Under Primary gateway, select the gateway on which the web server can be reached. This example uses
gw6
. -
Click Save.
Route to multiple web servers
To route traffic to multiple web servers, you can do as follows:
- Use the same SD-WAN route if the servers use the same gateway but different TCP ports or WAN IP addresses. Add these ports to the SD-WAN route's services and WAN IP addresses to the destination networks.
- Use different SD-WAN routes if the servers use different gateways.