CSE - How to Reach an External URL Through Your Firewall from Banyan?

Description

This article explains how to reach an external URL that only accepts traffic from a specific public IP (here, the WAN IP of your SonicWall firewall) when the request originates from a Banyan user. In this example the destination URL is ipchicken.com, which resolves to a single public IP.

LAB ENVIRONMENT:

At the time this KB was created, the lab devices were running the following versions:

- TZ firewall 7.3.1-7013
- End user Banyan CSE App V3.28.0
- Destination URL: https://ipchicken.com
- FW WAN IP: the X0:V10 IP in my lab. A typical customer environment would use the X1 (WAN) interface.
- CSE_Access_Tier_AIPs address object (created by default)
- CSE with the SonicWall firewall acting as the connector

LIMITATION:
This method supports only IP addresses or IP ranges; FQDNs are not supported. The destination website must therefore have a static public IP.

Resolution

1. Create an Address Object for the Destination IP.

Create an address object for the external URL's public IP (single IP or range).

Go to: Objects | Match Objects | Addresses

2. Add the Address Object to the CIDR Connector.

Enable the required settings and add the destination IP to the CSE Allowed CIDRs.

Ensure that Public IPs & Increased Connector Limit is enabled.

Go to: Firewall | Network | Cloud Secure Edge | Access Settings

Edit the Firewall Connector and add the destination public IP under CSE Allowed CIDRs.

3. Create an Outbound NAT Policy.

Configure a NAT policy so that traffic from Banyan is translated to your firewall's WAN IP.

Go to: Policy | Rules and Policies | NAT Rules

Standard NAT Policy configuration:

- Source: CSE_Access_Tier_AIPs (created by default)
- Source Translate: your-WAN-IP
- Destination: EXTERNAL-URL-IPs
- Destination Translate: Original
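A pre-check for the limitation and the address-object step above, added here as an example and not SonicWall or Banyan code: it compares the IPs the destination resolves to against the CIDRs you placed in the address object and CSE Allowed CIDRs, reports any address the NAT policy would not match, and flags a destination whose address changes between lookups (the case this method cannot handle). The hostname, IPs and CIDRs below are constructed sample values.

```python
"""Pre-check for the CSE -> SonicWall outbound NAT setup (added example)."""
from __future__ import annotations

import ipaddress
import socket
from typing import Iterable


def resolve_ipv4(hostname: str) -> set[str]:
    """Live DNS lookup of the destination's IPv4 addresses (needs network)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def uncovered_ips(resolved: Iterable[str], allowed_cidrs: Iterable[str]) -> list[str]:
    """Resolved IPs that no configured CIDR covers; the NAT rule will miss these."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    missing = [ip for ip in resolved
               if not any(ipaddress.ip_address(ip) in net for net in networks)]
    return sorted(missing)


def is_static(lookups: list[set[str]]) -> bool:
    """True when repeated lookups all returned the same address set."""
    return len({frozenset(s) for s in lookups}) == 1


def precheck(lookups: list[set[str]], allowed_cidrs: Iterable[str]) -> dict:
    """Combine both checks: every seen IP must be covered and the set must not move."""
    seen = set().union(*lookups) if lookups else set()
    return {"static": is_static(lookups),
            "uncovered": uncovered_ips(seen, allowed_cidrs)}


if __name__ == "__main__":
    # Constructed sample: two lookups of the destination, one configured CIDR set.
    sample_lookups = [{"203.0.113.10", "198.51.100.7"}, {"203.0.113.10"}]
    sample_cidrs = ["203.0.113.10/32", "198.51.100.0/30"]  # what was added on the firewall
    print(precheck(sample_lookups, sample_cidrs))
```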

How to Verify It:

- Verify that the outbound custom NAT policy you created earlier is receiving hits.
- Enable a packet capture on the firewall (Go to: Monitor | Tools & Monitors | Packet Monitor). You should see:
  - Traffic arriving from the WireGuard interface (CSE)
  - Traffic exiting through the WAN (X1) interface using the WAN public IP
- This confirms that the external URL sees the firewall's WAN IP as the source.

Related Articles

  • How to Reach a Destination Behind an Existing Tunnel Interface VPN from a Banyan User Connected via Cloud Secure Edge (CSE)
  • Authorization Error: Unregistered user device with email
  • CSE provisioning never completes when MySonicWall Company name does not start with a letter