Firewall Traffic Redirection Support by Using Forcepoint in NetScaler SD-WAN

Aug 09, 2017

In NetScaler SD-WAN 9.3, you can use the Firewall redirect (transparent proxy by Destination NAT) feature to redirect internet (HTTP and HTTPS) traffic from an SD-WAN appliance at the enterprise edge to the Forcepoint cloud-hosted security module. You can redirect HTTP traffic from port 80 to port 8081 and HTTPS traffic from port 443 to port 8443 of the nearest Forcepoint cloud proxy server.

Forcepoint additionally supports the following features, although SD-WAN 9.3 supports only the firewall redirect feature:

  • IPSec with PKI
  • IPsec with PSK
  • Proxy chaining using PAC file configuration
  • Proxy chaining with standard headers
  • Proxy chaining with proprietary headers, removing the need to configure the client's IP range (partnership/development)
  • Firewall redirect (transparent proxy by Destination NAT)

The introduction of the Destination NAT policy in NetScaler SD-WAN 9.3 enables enterprises to route internet traffic through a cloud-hosted security service provided by Forcepoint.

Review the following use case to understand how to configure Destination NAT in SD-WAN appliances and redirect internet traffic through a secure cloud-based firewall service.

Prerequisites:

1.    Log in to the Forcepoint portal site. Create a policy by providing the enterprise public IP address from which internet traffic is redirected to Forcepoint. Obtain the primary and secondary IP addresses to which the internet traffic should be redirected.

2.    In the SD-WAN GUI, on an SD-WAN appliance at the DC site, configure the Internet service associated with the WAN links.

3.    Destination NAT operates on the destination IP address of the internet traffic: the original destination address is replaced with the Forcepoint public IP address.

4.    Configure the Destination NAT policy by providing the source IP address and the primary IP address. The source IP is the internet IP address of the SD-WAN appliance; its traffic on inside ports 80 (HTTP) and 443 (HTTPS) is redirected (translated) to the primary destination IP address of the cloud-based firewall gateway on outside ports 8081 (HTTP) and 8443 (HTTPS) respectively.

5.    After configuring the DNAT policy, ensure that the routes configured on the DC have the Internet service type selected for the SD-WAN network IP address.

For additional information about NAT support in NetScaler SD-WAN, see the following topic: Configure NAT

Configuring Destination NAT (DNAT)

Use the NetScaler SD-WAN GUI to configure Destination NAT (DNAT). In the configuration, add one or more DNAT policies that redirect traffic matching a specific destination IP address and port.

To configure Destination NAT

1.    In the SD-WAN SE/VPX GUI, go to Configuration -> Virtual WAN -> Configuration Editor. Click Open to open an existing package. Select a saved configuration package. You can also create new DNAT rules while building the network configuration.

2.    At the DC (MCN), configure Internet Service. Go to Connections -> Internet Services -> Internet -> WAN Links.

3.    Click Add to add a DNAT policy.

4.    In the Add Destination NAT Policy dialog box, provide the following information:

  • Priority
  • Direction
  • Service Type
  • Service Name
  • Inside IP Address
  • Inside Port
  • Outside IP Address
  • Outside Port
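
As an added illustration (not the appliance's own code), the following Python models how the DNAT policy fields above translate an outbound flow, using the HTTP 80 -> 8081 and HTTPS 443 -> 8443 mapping from the prerequisites; the appliance and Forcepoint IP addresses are constructed placeholders, and the matching logic (priority order, source IP plus destination port) is an assumption about how the policy table is evaluated. It also includes a coverage check an operator would want: which web flows match no policy and would reach the internet without passing through the cloud proxy.

```python
from dataclasses import dataclass
from typing import List

# Constructed placeholder addresses (documentation ranges), not values from the page.
APPLIANCE_INTERNET_IP = "198.51.100.5"   # SD-WAN appliance internet (WAN link) IP
FORCEPOINT_PRIMARY = "203.0.113.10"      # primary Forcepoint proxy IP from the portal

@dataclass(frozen=True)
class DnatPolicy:
    """One row of the Add Destination NAT Policy dialog."""
    priority: int        # lower value is evaluated first (assumed ordering)
    direction: str       # flow direction the policy applies to
    service_type: str    # e.g. "Internet"
    service_name: str
    inside_ip: str       # source IP the policy matches (appliance internet IP)
    inside_port: int     # original destination port (80 or 443)
    outside_ip: str      # translated destination IP (Forcepoint proxy)
    outside_port: int    # translated destination port (8081 or 8443)

# The two redirects the page describes: HTTP 80 -> 8081 and HTTPS 443 -> 8443.
POLICIES = [
    DnatPolicy(100, "Outbound", "Internet", "Internet", APPLIANCE_INTERNET_IP, 80, FORCEPOINT_PRIMARY, 8081),
    DnatPolicy(110, "Outbound", "Internet", "Internet", APPLIANCE_INTERNET_IP, 443, FORCEPOINT_PRIMARY, 8443),
]

def apply_dnat(flow: dict, policies: List[DnatPolicy]) -> dict:
    """Apply the first matching policy in priority order and return the translated flow.
    A flow matching no policy is returned unchanged with policy=None (it is not redirected)."""
    for p in sorted(policies, key=lambda p: p.priority):
        if flow["direction"] != p.direction or flow["src_ip"] != p.inside_ip:
            continue
        if flow["dst_port"] != p.inside_port:
            continue
        return {**flow, "dst_ip": p.outside_ip, "dst_port": p.outside_port, "policy": p.priority}
    return {**flow, "policy": None}

def unredirected_web_flows(flows: List[dict], policies: List[DnatPolicy]) -> List[dict]:
    """Coverage check: HTTP/HTTPS flows that would bypass the Forcepoint proxy."""
    return [f for f in flows
            if f["dst_port"] in (80, 443) and apply_dnat(f, policies)["policy"] is None]

# Constructed sample flows; the last one leaves from a second WAN link IP that has no policy.
SAMPLE_FLOWS = [
    {"direction": "Outbound", "src_ip": APPLIANCE_INTERNET_IP, "dst_ip": "192.0.2.80", "dst_port": 80},
    {"direction": "Outbound", "src_ip": APPLIANCE_INTERNET_IP, "dst_ip": "192.0.2.80", "dst_port": 443},
    {"direction": "Outbound", "src_ip": APPLIANCE_INTERNET_IP, "dst_ip": "192.0.2.80", "dst_port": 22},
    {"direction": "Outbound", "src_ip": "198.51.100.9", "dst_ip": "192.0.2.80", "dst_port": 80},
]
```

Running `unredirected_web_flows(SAMPLE_FLOWS, POLICIES)` lists the port-80 flow from the second WAN link IP, which is the kind of gap the Monitoring -> Firewall -> NAT Policies statistics should also make visible.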

Monitoring a Destination NAT Policy (Firewall)

You can also use the NetScaler SD-WAN GUI to monitor the current DNAT policy configuration.

To monitor the current Destination NAT policy configuration:

1.    In the NetScaler SD-WAN GUI, navigate to Monitoring -> Firewall -> NAT Policies.

2.    Select the tab that includes the statistics you want to monitor.
