
Thread: It's a WAF!

  1. #21
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,877

    Originally Posted by solvonex:
    And so to confirm, the thinking is this will NOT be an add-on app to the UT Firewall? Meaning this will go to production as a standalone software that could be a VM.
    I believe you are correct. Especially, this could be a VM (or maybe even just the container?) in a cloud where running full Untangle could be awkward.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  2. #22
    Newbie
    Join Date
    Jan 2009
    Posts
    2

    OK, we have use cases for multiple scenarios:

    1.) Smaller client with UT Firewall (I would probably want at least a Z12 or Z20 to run additional workload) with web servers in back so having a WAF app add-on that could run inline with DMZ segment would make sense.

    2.) Larger client where a WAF VM on-site works since they have a VM environment and more resources.

    3.) Cloud hosted WAF VM similar to number 2.

    Number 1 would be nice but sort of get the direction here.

    Did anybody test running it on UT appliance hardware out of curiosity in R&D as a standalone? That would be an interesting combination and would be something we could sell...

  3. #23
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,877

    Not exactly... my understanding is right now a single WAF can only protect a single web server. So if you have multiple web servers in back you need multiple WAF instances, which can quickly get out of hand for both pricing and management. Additionally, if I were a small client already running UT I would instead use UT to set up a DMZ for the web servers on their own vlan, where all traffic (whether from inside the network or out) has to route through the UT uvm to reach that vlan.

    I see the current scenarios more like this:

    1.) Small client without UT -- maybe using a competitor or even (yikes) nothing but the ISP-provided NAT gateway -- and just one or two web servers on site. They can add a VM per web server, perhaps a guest on the same host as the web server.
    2.) Small to medium customers just figuring out the cloud, and not comfortable setting up full UT in that situation, can instead set up cloud WAF VMs per public resource.
    3.) Larger client using containers (whether cloud or local) and managed with something like Puppet, where they figure out how to provision WAF as a container automatically with each web server deployment with a consistent/predictable set of rules.

    Possibly a later version will have support for multiple servers per WAF instance, but I really think #3 is the direction they are moving, and instead expect to see more features making it easier to deploy automatically.
    Last edited by jcoehoorn; 11-03-2021 at 08:08 AM.

  4. #24
    Untanglit
    Join Date
    Sep 2020
    Posts
    20

    Will this be available for Home users?
    Can I use this as a reverse proxy? So I can get a wild card cert *.miguel.xxx and reverse proxy to my servers?

  5. #25
    Untangle Ninja
    WebFooL
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,258

    Originally Posted by SuperMiguel:
    Will this be available for Home users?
    Can I use this as a reverse proxy? So I can get a wild card cert *.miguel.xxx and reverse proxy to my servers?
    Yes on adding a wildcard cert. But sadly currently you can only forward one* site with the WAF implementation.

    See my post here:
    https://forums.untangle.com/web-appl...tml#post253464

  6. #26
    Untanglit
    Join Date
    Sep 2020
    Posts
    20

    So I can have a.miguel.com pointing to 10.0.0.3 with cert *.miguel.com and b.miguel.com pointing to 10.0.0.7 using the same *.miguel.com cert?

    All have all my dns *.miguel.com pointing to my untangle server?

    Originally Posted by WebFooL:
    Yes on adding a wildcard cert. But sadly currently you can only forward one* site with the WAF implementation.

    See my post here:
    https://forums.untangle.com/web-appl...tml#post253464

  7. #27
    Untangle Ninja
    WebFooL
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,258

    Originally Posted by SuperMiguel:
    So I can have a.miguel.com pointing to 10.0.0.3 with cert *.miguel.com and b.miguel.com pointing to 10.0.0.7 using the same *.miguel.com cert?

    All have all my dns *.miguel.com pointing to my untangle server?
    As long as you want to forward to one internal server or a cluster that all have the same content.
    The WAF will not be able to split b.miguel.com to server 1.1.1.2 and c.miguel.com to 1.1.1.3, so if all your sites are on the same backend/upstream server then yes.

    In my case I always have multiple servers so I would need 1 WAF for every internal server.

  8. #28
    Untanglit
    Join Date
    Sep 2020
    Posts
    20

    Originally Posted by WebFooL:
    As long as you want to forward to one internal server or a cluster that all have the same content.
    The WAF will not be able to split b.miguel.com to server 1.1.1.2 and c.miguel.com to 1.1.1.3, so if all your sites are on the same backend/upstream server then yes.

    In my case I always have multiple servers so I would need 1 WAF for every internal server.

    Yeah, that's kinda pointless

  9. #29
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,236

    So... it's a wiff?

    Rerouter 2.0?

    I'm not ready to write it off yet... but Untangle would be better served getting TOTP on the admin UI in both NGFW and SDWAN Router than mucking with this. But I'm sure someone thinks it's a good idea.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #30
    Untangle Ninja
    WebFooL
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,258

    It feels like a firewall/layer 7 team decided to do a WAF but none of them have used or worked with a load balancer (or done so in modern times).

    But I am afraid that some design elements will be connected to the license model so it might soon all be clear why it is the way it is.


    And just to be clear!

    I Like the GUI!
    I Like the WAF part!

    The parts why I can't use it are all LB or redundancy connected.
    So if you just have one web server or one site, then this WAF might be something for you.
