Watchguard 9.1 beginner question(s)

I just got our new Firebox x550e to setup as a simple firewall to protect some web servers, and the documentation can be a bit daunting since (for now) we're only using it as a firewall.

A couple basic questions - maybe Leythos will see this?

I assume that, by default, all traffic from external to trust is blocked, and that by adding policies I'm allowing certain traffic through. So by setting a policy for ANY to TRUSTED port 80/TCP I'm letting any external traffic to HTTP.

One question I have in the policy section is they have groups listed as "ANY EXTERNAL" and "EXTERNAL" - what's the difference with the "ANY" in front?

Also regarding firewall rules - assuming my interpretation of the above example for port 80 is correct, how would I then add a block to another specific network or networks? For example, all any to port 80 except 210.0.0.0/7 and 212.0.0.0/8? I'm used to MikroTik where I can visually coordinate my rules top to bottom, but I'm still getting used to the Watchguard software.

Final question for now has to do with remote management. One of my locations that I'll need access to the firewall and the servers behind it is my home office - which does not have a static IP. Is there a way that I can access the firewall via the System Manager 9.1 software even with the static IP? I see that I could add all of my ISPs networks to the allow access to the firebox itself policy - and that would at least limit potential attacks to those with the same ISP, who find the firebox, who have the firebox software and who crack my admin password.

What I really need to be able to do is access certain ports from my home office (i.e. mysql, remote access). Maybe there's a completely different / better way to do that than getting in remotely to the firewall and adding my current non-static IP to allow access to those ports?

Reply to
steve.logan

Once you've touched it I don't assume anything. By default, there are no inbound connections permitted, except the WG authentication in some versions.

Setting ANY to trusted, well, it doesn't mean that it's allowing inbound, assuming that you're using a ROUTED mode, where you have a PUBLIC IP on the WAN, and a PRIVATE IP on the LAN and DMZ, then you have to NAT the PUBLIC IP + PORT to the Private IP/Port that you want to map it to.

So, you might select 70.12.12.12 NAT 192.168.8.100 TCP 80.

In a Drop-In mode, ANY to TRUSTED, TCP 80, would allow any external IP to map to the same IP on the TRUSTED interface - but in Drop-In mode, all interfaces have the same PUBLIC IP addresses.

No idea, never use ANY, just External.

There are hard blocking lists, I use these all the time and block most non-US countries. You can also create a HTTP rule, define the PUBLIC ranges, and set it to NO ACCESS (or disabled).

Set up the firewall as a PPTP server, then VPN into it using a WG User Account, then create a rule that allows your USER access to the networks inside the firewall. This means that ONLY THAT USER can get full access to the networks.

PPTP is your friend.

Reply to
Leythos

-- With multiple interfaces and multi-WAN options you could have two ports assigned as External Ports (External, External1). Using External refers only to that specific port (0), whereas Any External would apply to any interface designated as external.

-- 2 Rules

  1. Allow External -> NAT'ed internal IP ( External to 22.22.22.22-
  2. Deny 210.0.0.0/7 & 212.0.0.0/8 and make sure the rule is above the "Allow" rule. Remember, rule processing is top-down. Normally WG auto-order will do this correctly, but you can go to manual order mode if need be.

Using a VPN or PPTP solution would accomplish this, or a more insecure way (read more convenient) is to modify the Watchguard Management policy (usually next to last) and allow any external (don't remove any trusted). If you use strong passphrases this could be an alternate management method.

Tsudohnimh

Reply to
Tsudohnimh

In many of the WG training classes they often talk about exposing the WG Auth port to the public, which I've always been against. The advantage is that you can then set up AUTH-based rules without the user having to do a PPTP, so a simple HTTP://firewall_IP:xxxx (auth port) will get you authenticated...

Reply to
Leythos

Thanks to both of you for the info. I spent about an hour on it last night and (at least to me) I think I'm getting the logic of how the software works.

Here's some more info on the setup.

Both WAN and LAN are public IPs.

WAN side we'll call 200.0.0.72/30, which gives me a WAN gateway (ISPs switch) of 200.0.0.73 and a WAN IP of 200.0.0.74 / 255.255.255.252.

LAN side IP space is in the same class C, but a different subnet:

200.0.0.96/28. This gives me a gateway IP for the webservers of 200.0.0.97 / 255.255.255.240, and then usable IPs of 200.0.0.98 - 200.0.0.210 for the actual hardware.

In policies, I've put ordering on manual.

I created an alias with the big IP blocks that shouldn't even see the public web sites (i.e. 222.0.0.0/8, 223.0.0.0/8 etc.). At the top of my policy list, I have a DENY, from = blocked_alias, to = ANY TRUSTED

I then have my public allow policies:

allow from = ANY EXTERNAL, to = ANY TRUSTED, port: 80/TCP
allow from = ANY EXTERNAL, to = ANY TRUSTED, port: 443/TCP

I then created another alias called OFFICE with our office's static IP in it.

Then, add some policies for my office IP:

all from = OFFICE (alias), to = ANY TRUSTED, port: xxxxx/TCP
all from = OFFICE (alias), to = ANY TRUSTED, port: yyyyy/TCP
all from = OFFICE (alias), to = ANY TRUSTED, port: zzzzz/TCP

I still need to read up on ANY TRUSTED vs. TRUSTED / ANY EXTERNAL vs. EXTERNAL.

Regarding the remote management, I saw where I could assign it to a VPN user. Could I create a VPN user for myself, install the VPN client on my home office system, put its VPN IP into the optional group (10.0.2.xxx), and then establish a VPN connection and allow access to FIREBOX for that VPN user?

Thanks again for taking the time to read through my long post!

Steve

Reply to
steve.logan
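The two points the thread keeps coming back to are Tsudohnimh's "rule processing is top-down, keep the Deny above the Allow" and Leythos's routed-mode NAT (public IP + port mapped to a private IP). The following toy evaluator, added here as an illustration and not Watchguard code, models Steve's final policy list (manual ordering, a DENY from blocked_alias above the public ALLOW rules, an OFFICE alias for management ports) and shows what happens when the deny slips below the allows. All addresses, port numbers, alias names and the `shadowed()` check are constructed for the example.

```python
"""Toy top-down firewall policy evaluator (added example, not Watchguard code).

First matching policy wins, as in the thread's description of manual ordering.
Aliases, addresses and ports below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Alias name -> list of networks. The office address is a documentation-range
# placeholder, not a real office IP.
ALIASES = {
    "blocked_alias": ["222.0.0.0/8", "223.0.0.0/8"],
    "OFFICE": ["203.0.113.10/32"],
    "ANY_EXTERNAL": ["0.0.0.0/0"],
}


@dataclass
class Policy:
    name: str
    action: str                   # "allow" or "deny"
    src_alias: str                # key into ALIASES
    dst_port: Optional[int]       # None matches any port
    nat_to: Optional[str] = None  # routed mode: private IP the public port maps to


def in_alias(ip: str, alias: str) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in ALIASES[alias])


def evaluate(policies: List[Policy], src_ip: str, dst_port: int,
             default: str = "deny") -> Tuple[str, Optional[str], Optional[str]]:
    """Walk the list top-down; return (action, nat_target, policy_name).

    The default is deny, matching the thread's point that nothing inbound is
    permitted until a policy allows it.
    """
    for p in policies:
        if p.dst_port is not None and p.dst_port != dst_port:
            continue
        if not in_alias(src_ip, p.src_alias):
            continue
        return p.action, p.nat_to, p.name
    return default, None, None


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of deny policies that sit below an allow covering the same traffic.

    Such a deny can never match, which is the mis-ordering the thread warns about.
    """
    dead = []
    for i, p in enumerate(policies):
        if p.action != "deny":
            continue
        for q in policies[:i]:
            if q.action != "allow":
                continue
            ports_overlap = (p.dst_port is None or q.dst_port is None
                             or p.dst_port == q.dst_port)
            nets_overlap = any(ip_network(a).overlaps(ip_network(b))
                               for a in ALIASES[p.src_alias]
                               for b in ALIASES[q.src_alias])
            if ports_overlap and nets_overlap:
                dead.append(p.name)
                break
    return dead


# Steve's intended order: the block list first, then the public web rules,
# then a management port restricted to the OFFICE alias.
MANUAL_ORDER = [
    Policy("block-ranges", "deny", "blocked_alias", None),
    Policy("http", "allow", "ANY_EXTERNAL", 80, nat_to="192.168.8.100"),
    Policy("https", "allow", "ANY_EXTERNAL", 443, nat_to="192.168.8.100"),
    Policy("office-mysql", "allow", "OFFICE", 3306, nat_to="192.168.8.101"),
]

# Same policies with the deny moved to the bottom.
WRONG_ORDER = MANUAL_ORDER[1:] + MANUAL_ORDER[:1]


if __name__ == "__main__":
    for label, plist in (("manual", MANUAL_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "222.1.2.3:80 ->", evaluate(plist, "222.1.2.3", 80))
        print(label, "shadowed:", shadowed(plist))
```

With the deny at the top, a source in 222.0.0.0/8 hits `block-ranges` and never reaches the HTTP allow; with the deny at the bottom the same packet is allowed and NATed to the web server, and `shadowed()` flags the deny as unreachable, which is the check to run by hand whenever auto-order is switched to manual.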
