SNAT Loopback Policy Concerns?

We normally use split DNS for users to access publicly accessible resources on the internal LAN rather than a loopback policy, but we have a customer that wants to do away with split DNS. My question is this: are there any security or other concerns with having a policy that allows traffic from both External and Trusted interfaces to an SNAT action? Would it be better to have External and Trusted in two separate policies?

Best Answers

  • There is no security issue here.
    If it makes you more comfortable to have 2 policies for this, feel free to do so.

  • james.carson (Moderator, WatchGuard Representative)

    There's no issue using two policies (the help article on SNAT Loopback actually suggests making a new policy instead of adding it to your existing policy.) Either way will work.

    The only security concern would be using the "Any" alias, as this could allow unintended interfaces (like custom or other external interfaces) to access the policy. Using "Any-Trusted" or specifying the specific interface you want to allow to access the policy would be best practice.

    I would suggest if you plan on using two policies to leave a comment in the properties tab of the policy stating what the policy does, so a different admin doesn't delete what may look like duplicate policies in the future.

    -James Carson
    WatchGuard Customer Support
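
The point above about the "Any" alias is easy to miss in a policy list, because the alias looks harmless until a second external, optional or custom interface exists on the box. The following is an added example, not code from the forum post or from WatchGuard, that models alias expansion and audits an SNAT loopback policy for interfaces it admits beyond the ones the administrator intended. The interface names, zone assignments, the alias expansion rules and the policy dictionary layout are all assumptions made for the example; real Firebox configuration exports use their own format.

```python
"""Added example: audit which interfaces a policy's From alias actually admits.

Assumptions (not taken from the forum post or any WatchGuard export format):
- interfaces are modelled as name -> zone, with zones trusted/optional/custom/external,
- the aliases Any, Any-Trusted, Any-Optional and Any-External expand by zone,
- a policy is a small dict with a "from" list, a "to" list and an "action" name.
"""

# Constructed interface table for a hypothetical Firebox with two external links,
# one optional interface and one custom (guest) interface.
INTERFACES = {
    "Trusted": "trusted",
    "Optional-1": "optional",
    "Guest-WiFi": "custom",
    "External": "external",
    "External-2": "external",
}

# Zone aliases: None means "every interface", which is what makes "Any" risky.
ZONE_ALIASES = {
    "Any": None,
    "Any-Trusted": "trusted",
    "Any-Optional": "optional",
    "Any-External": "external",
}


def expand_alias(alias):
    """Return the set of interface names an alias or interface name resolves to."""
    if alias in ZONE_ALIASES:
        zone = ZONE_ALIASES[alias]
        return {name for name, z in INTERFACES.items() if zone is None or z == zone}
    if alias in INTERFACES:
        return {alias}
    raise ValueError(f"unknown alias or interface: {alias}")


def admitted_interfaces(policy):
    """Union of every interface the policy's From field admits."""
    admitted = set()
    for entry in policy["from"]:
        admitted |= expand_alias(entry)
    return admitted


def audit_policy(policy, intended):
    """Interfaces the policy admits that are NOT in the intended set, sorted.

    An empty list means the From field is as tight as the administrator meant it to be.
    """
    return sorted(admitted_interfaces(policy) - set(intended))


# Three hypothetical SNAT loopback policies for the same internal web server.
# The "from" value is the only thing that differs.
LOOSE_POLICY = {"name": "WebServer-SNAT", "from": ["Any"],
                "to": ["SNAT.webserver"], "action": "SNAT"}
ZONE_POLICY = {"name": "WebServer-SNAT", "from": ["Any-External", "Any-Trusted"],
               "to": ["SNAT.webserver"], "action": "SNAT"}
EXPLICIT_POLICY = {"name": "WebServer-SNAT", "from": ["External", "Trusted"],
                   "to": ["SNAT.webserver"], "action": "SNAT"}

# The administrator only meant the primary external link and the trusted LAN.
INTENDED = ["External", "Trusted"]


def report(policy, intended=INTENDED):
    """Human-readable one-line finding for a policy."""
    extra = audit_policy(policy, intended)
    if extra:
        return f"{policy['name']} from={policy['from']}: also admits {extra}"
    return f"{policy['name']} from={policy['from']}: OK"


if __name__ == "__main__":
    for pol in (LOOSE_POLICY, ZONE_POLICY, EXPLICIT_POLICY):
        print(report(pol))
```

Running it shows the three outcomes the answer is warning about: "Any" pulls in the optional, custom and second external interfaces; "Any-External" plus "Any-Trusted" still admits the second external link, which may or may not be wanted; naming the interfaces explicitly admits exactly the intended pair. Whether the check is applied to one combined policy or to two separate ones makes no difference to the result, which is consistent with the advice that either layout works.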

Answers

  • Thank you both for your replies. I didn't think there was any issue, but it seemed odd that the documentation had it as a separate policy. I knew it worked in the same policy. I just was curious if there was a specific reason that the documentation showed it as a separate policy.
