443 proxy question

AbertayAbertay
in Firebox - Proxies

Hi, Hopefully an easy answer, but im wondering if there is a way i can proxy a 443 connection so both parties see it as coming from the firewall IP?

For example:

Internal IOT device -> Cloud IOT management service on 443
10.10.10.10 -> 200.1.1.1:443 (for example)

Instead would be 10.10.10.10 -> 199.1.1.1 (FW) -> 200.1.1.1:443
Return traffic to 10.10.10.10 would be from 199.1.1.1

Issue i'm facing is IOT kit is on a switch vlan with ACL and as the external ip responds on a random port from a changing pool of addresses via DNS name.
I dont want to open all ports/Ip's inbound to IOT Vlan.

Can the WG do this? We currently use a linux proxy server.

thanks

--
WatchGuard M4800 (x2 Cluster)
WatchGuard M690 (x2 Cluster)
Firmware : 12.10.4

Comments

  • Bruce_BriggsBruce_Briggs
    edited October 16

    The firewall NATs outgoing packets from internal private IP addrs to the external IP addr of the firewall.
    Reply packets are automatically allowed - no need to add policies to allow them.
    Reply packet IP addrs will be seen by the internal device as the real source IP addr of the sending device.

  • Bruce_BriggsBruce_Briggs

    Also, there is a proxy server type function.
    Review this:

    About the Explicit Proxy
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/explicit_proxy/explicit_proxy_about_c.html

  • AbertayAbertay

    Thanks Bruce, the NAT function we use and that works fine and return packets etc are ok. The issue is usually with internal ACL's that dont have this function and dont support FQDNS, so you have this issue of a pool of changing IP addresses on random ports returning traffic.

    --
    WatchGuard M4800 (x2 Cluster)
    WatchGuard M690 (x2 Cluster)
    Firmware : 12.10.4

  • Bruce_BriggsBruce_Briggs

    Does the Explicit Proxy help?
    Or do you need the sent packet to be TCP 443, and not a different port, such as TCP 3128?

Sign In to comment.