
How to block ICMP HTTP requests on P2 interface of WSA S195?

AndrewM
Level 1

Hello,

We have implemented a WSA S195 as an edge device: M1 is the management interface, P1 faces the LAN with a private IP, and P2 faces the Internet with a public IP. It appeared that the P2 interface is responding to ping and HTTP requests. Is it possible to filter/block those requests on the P2 interface?

Thanks

Andrew.

3 Replies

balaji.bandi
Hall of Fame

In most deployments the WSA will be in a DMZ or behind a FW, so we block incoming ICMP requests at the FW level.

Good question, I never thought of the WSA being directly exposed to the Internet side (not that I am aware of the WSA having any secure feature), but sure, it is time for me to read up on whether anything is missing here in the config for this kind of request.

BB


Thanks. I thought the WSA is a security appliance and does not require additional protection. Actually, we scanned the P2 interface with Qualys and it did not find any major vulnerabilities. So there is no other solution than to put the WSA behind a firewall?

fw_mon
Level 1
Level 1

Hello @AndrewM 

Never place any WSA appliance directly on the Internet. Please read any of the best practices documentation. At least use a packet filter to reduce the attack surface. In a forward proxy setup the WSA doesn't provide any service to Internet users; it acts as a client sending requests to web sites on behalf of internal users. Any new incoming packet/datagram/segment on P2 that is not part of an established connection must be dropped. Strictly speaking, you don't even need an external IP address on the interface.
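
The packet-filter rule described in the reply above, written as an added nftables example that is not part of the original thread and is not Cisco configuration. It assumes a Linux router sitting between the Internet and the WSA P2 interface; the interface names `wan0` and `dmz0`, the address `192.0.2.10` and the allowed destination ports are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful filter on a Linux router in front of WSA P2.
# wan0, dmz0 and 192.0.2.10 are placeholders, not values from the thread.

define WAN_IF = "wan0"        # Internet-facing interface of the filter
define WSA_IF = "dmz0"        # interface towards the WSA P2 port
define WSA_P2 = 192.0.2.10    # address of the WSA P2 interface

table inet wsa_edge {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the WSA opened, plus ICMP errors
        # (for example fragmentation-needed) related to those connections.
        ct state established,related accept

        # Packets that match no known connection and are not a valid new one.
        ct state invalid drop

        # The WSA acts as a client: only it may open new connections, outbound.
        # Assumed port list; extend it for other upstream ports the proxy
        # must reach, and add rules for DNS/NTP if they leave through P2.
        iifname $WSA_IF oifname $WAN_IF ip saddr $WSA_P2 \
            ct state new tcp dport { 80, 443 } accept

        # Unsolicited inbound traffic to P2 (ICMP echo requests, HTTP SYNs,
        # scans) is a new connection from the Internet side: count, log, drop.
        iifname $WAN_IF ip daddr $WSA_P2 ct state new \
            counter log prefix "wsa-p2-unsolicited " drop
    }

    chain input {
        # The filter itself offers nothing to either side in this example.
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
    }
}
```

The counter on the last forward rule shows how much unsolicited traffic reaches P2, and a rescan of the P2 address from outside should then show no ping or HTTP response.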