laf | Language application firewall | Firewall library

Cloud SQL supports MySQL, Postgres, and SQL Server engines, but not MariaDB.

Additionally, you tested telnet x.y.z.a 5432, but the port for Cloud SQL MySQL instances is 3306. (5432 is the port for Postgres).

You should verify which type of Cloud SQL instance you have created, and that you are using the right cli to connect with it.

If you are calling from your application to the gmail server. That would be an outbound rule so you need to add a outbound exception to the firewall.

The wg-quick script sets up these rules only when you configure the AllowedIPs of a WireGuard peer to include /0 -- aka "all addresses" or the "default route" for an address family (0.0.0.0/0 for IPv4 and ::/0 for IPv6).

Using a tunnel like WireGuard for a default route requires some tricks to work correctly in most scenarios. The main trick wg-quick uses is to put the new default route into a custom routing table, while adding policy routing rules with a firewall mark to overide only the default route of the main table. This is the purpose for the route and policy rules you'll see wg-quick set up in this case:

As provided in this Microsoft Documentiation ARM template , you will have to declare the TLS inspection and IDPS in azurerm_firewall_policy in tls_certificate block and intrusion_detection block .

ARM Template:

You may be following the guide on Building Internet Connectivity for private VMs and this part on Configuring IAP tunnels for interacting with instances and the use of TCP Forwarding in IAP. By Tunneling other TCP connections:

"The local port tunnels data traffic from the local machine to the remote machine in an HTTPS stream. IAP then receives the data, applies access controls, and forwards the unwrapped data to the remote port."

You can create an encrypted tunnel to a port of the VM instance by:

Core Rule Set Dev on Duty here. As the list of exclusions you gave comes from someone else's blog post it's probably best to ignore them. They disable some key functionality of the Core Rule Set (the 9xxxxx rules you're using is the OWASP Core Rule Set) so it's best not to apply those rule exclusions unless you're certain you know what you're doing and why those exclusions are required.

The three entries from the "HitList" that you quoted: are you certain those are the result of known good traffic? Are those definitely from when you were trying to update a page and you got 403 errors? If you're sure those are genuine false positives (and not attacks) then let's continue…

• The rule causing the false positive: 921110
• The location in question: /wp-admin/post.php
• The variable causing the false positive: ARGS:content

Applying a rule exclusion means poking a hole in your WAF's security. We want to try and be as specific as possible so that we make only the smallest hole necessary. We just want to let through the transactions that are being blocked in error and nothing more. We don't want to open a large hole and present an opportunity for attackers to get through.

With that in mind, let's try taking the following approach: let's exclude only the variable in question (ARGS:content) and exclude it only from the rule causing the issue (921110) and only for the location we've seen the problem occur at (/wp-admin/post.php).

Putting all that together looks like so:

Connection refused means you can initiate a TCP connection but no process is listening on the port, so the connection attempt is refused. This means the firewall is probably not the problem. A firewall problem usually results in a Timeout error.

Edit the postgresql.conf configuration file:

Where you looking is fine, you can do it. The steps are, as I suggested in my comment a little bit more, I will resume them in this list, and let you the link of a qwiklab, you can check the steps there with the code to do it by yourself.

Basically:

1. Create the instances or instance group with the corresponding healtcheck.
2. Configure the Load balancer
3. Set the traffic to the new loadbalancer and build the proxy.
4. Create HTTPS Load Balancer and send the traffic to the Proxy.

https://www.qwiklabs.com/focuses/12007?catalog_rank=%7B%22rank%22%3A1%2C%22num_filters%22%3A0%2C%22has_search%22%3Atrue%7D&parent=catalog&search_id=15082883

I think that the link is creating instance by instance, but the steps should be the same for an instance group.

There are two implied firewall rules in gcp with lowest priority. You cannot delete these.

• Allow all egress traffic (this will allow your instance to access the internet)
• Deny all ingress traffic (this blocks your instance to be accessible from anywhere)

Solution - You can create a firewall rule to allow ingress traffic only from internal vpc network on TCP port 80.

1. Select your instance and click on Edit.
2. In Networking column, remove http-server and https-server tags if present and add your own tag e.g "my-app" and save. We will allow http traffic in our own firewall rule.
3. Go to VPC network. Select Firewall. Create a firewall rule to allow ingress traffic with target tag as "my-app" and source as CIDR IP range of your vpc network or subnet with tcp port 80. This rule will allow only internal HTTP traffic only from vpc network.