Watchguard 9.1 beginner question(s)

I just got our new Firebox x550e to setup as a simple firewall to
protect some web servers, and the documentation can be a bit daunting
since (for now) we're only using it as a firewall.

A couple basic questions - maybe Leythos will see this?

I assume that, by default, all traffic from external to trust is
blocked, and that by adding policies I'm allowing certain traffic
through. So by setting a policy for ANY to TRUSTED port 80/TCP I'm
letting any external traffic to HTTP.

One question I have in the policy section is they have groups listed
as "ANY EXTERNAL" and "EXTERNAL" - what's the difference with the
"ANY" in front?

Also regarding firewall rules - assuming my interpretation of the
abive example for port 80 is correct, how would I then add a block to
another specific network or networks? For example, all any to port 80
except 210.0.0.0/7 and 212.0.0.0/8? I'm used to microtik where I can
visually coordinate my rules top to bottom, but I'm still getting used
to the Watchguard software.

Final question for now has to do with remote management. One of my
locations that I'll need access to the firewall and the servers behind
it is my home office - which does not have a static IP. Is there a
way that I can access the firewall via the System Manager 9.1 software
even with the static IP? I see that I could add all of my ISPs
networks to the allow access to the firebox itself policy - and that
would at least limit potential attacks to those with the same ISP, who
find the firebox, who have the firebox software and who crack my admin
password.

What I really need to be able to do is access certain ports from my
home office (i.e. mysql, remote access). Maybe there's a completely
different / better way to do that than getting in remotely to the
firewall and adding my current non-static IP to allow access to those
ports?

Re: Watchguard 9.1 beginner question(s)

In article <1190758598.181993.121390@22g2000hsm.googlegroups.com>,
steve.logan@gmail.com says...
> I just got our new Firebox x550e to setup as a simple firewall to
> protect some web servers, and the documentation can be a bit daunting
> since (for now) we're only using it as a firewall.
>
> A couple basic questions - maybe Leythos will see this?
>
> I assume that, by default, all traffic from external to trust is
> blocked, and that by adding policies I'm allowing certain traffic
> through. So by setting a policy for ANY to TRUSTED port 80/TCP I'm
> letting any external traffic to HTTP.

Once you've touched it I don't assume anything. By default, there are no
inbound connections permitted, except the WG authentication in some
versions.

Setting ANY to trusted, well, it doesn't mean that it's allowing
inbound, assuming that you're using a ROUTED mode, where you have a
PUBLIC IP on the WAN, and a PRIVATE IP on the LAN and DMZ, then you have
to NAT the PUBLIC IP + PORT to the Private IP/Port that you want to map
it to.

So, you might select 70.12.12.12 NAT 192.168.8.100 TCP 80.

In a Drop-In mode, ANY to TRUSTED, TCP 80, would allow any external IP
to map to the same IP on the TRUSTED interface - but in Drop-In mode,
all interfaces have the same PUBLIC IP addresses.

> One question I have in the policy section is they have groups listed
> as "ANY EXTERNAL" and "EXTERNAL" - what's the difference with the
> "ANY" in front?

No idea, never use ANY, just External.

> Also regarding firewall rules - assuming my interpretation of the
> abive example for port 80 is correct, how would I then add a block to
> another specific network or networks? For example, all any to port 80
> except 210.0.0.0/7 and 212.0.0.0/8? I'm used to microtik where I can
> visually coordinate my rules top to bottom, but I'm still getting used
> to the Watchguard software.

There are hard blocking lists, I use these all the time and block most
non-US countries. You can also create a HTTP rule, define the PUBLIC
ranges, and set it to NO ACCESS (or disabled).

> Final question for now has to do with remote management. One of my
> locations that I'll need access to the firewall and the servers behind
> it is my home office - which does not have a static IP. Is there a
> way that I can access the firewall via the System Manager 9.1 software
> even with the static IP? I see that I could add all of my ISPs
> networks to the allow access to the firebox itself policy - and that
> would at least limit potential attacks to those with the same ISP, who
> find the firebox, who have the firebox software and who crack my admin
> password.

Setup the firewall as a PPTP server, then VPN into it, using a WG User
Account, then create a rule that allows your USER access to the networks
inside the firewall. This means that ONLY THAT USER can get full access
to the networks.

> What I really need to be able to do is access certain ports from my
> home office (i.e. mysql, remote access). Maybe there's a completely
> different / better way to do that than getting in remotely to the
> firewall and adding my current non-static IP to allow access to those
> ports?

PPTP is your friend.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Watchguard 9.1 beginner question(s)

> One question I have in the policy section is they have groups listed
> as "ANY EXTERNAL" and "EXTERNAL" - what's the difference with the
> "ANY" in front?

--With multiple interfaces and multi-WAN options you could have two
ports assigned as External Ports (External, External1). Using the
External refers only to that specific port (0) whereas Any External
would apply to any interface designated as external.

> Also regarding firewall rules - assuming my interpretation of the
> abive example for port 80 is correct, how would I then add a block to
> another specific network or networks? For example, all any to port 80
> except 210.0.0.0/7 and 212.0.0.0/8? I'm used to microtik where I can
> visually coordinate my rules top to bottom, but I'm still getting used
> to the Watchguard software.

--2 Rules
1. Allow External -> NAT'ed internal IP ( External to 22.22.22.22-
>10.0.1.10)
2. Deny 210.0.0.0/7 & 212.0.0.0/8 and make sure the rule is above the
"Allow" rule. Remember rule processing is top down. Normally WG auto-
order will do this correctly. But you can go to manual order mode if
need be.

> Final question for now has to do with remote management. One of my
> locations that I'll need access to the firewall and the servers behind
> it is my home office - which does not have a static IP. Is there a
> way that I can access the firewall via the System Manager 9.1 software
> even with the static IP? I see that I could add all of my ISPs
> networks to the allow access to the firebox itself policy - and that
> would at least limit potential attacks to those with the same ISP, who
> find the firebox, who have the firebox software and who crack my admin
> password.
>
> What I really need to be able to do is access certain ports from my
> home office (i.e. mysql, remote access). Maybe there's a completely
> different / better way to do that than getting in remotely to the
> firewall and adding my current non-static IP to allow access to those
> ports?

Using a VPN or PPTP solution would accomplish this, or a more insecure
way (read more convenient) is to modify the Watchguard Management
policy (usually next to last) and allow any external (don't remove any
trusted). If you use strong passphrases this could be an alternate
management method.

Tsudohnimh
www.knowthenetwork.com

-

Re: Watchguard 9.1 beginner question(s)

In article <1190776481.007011.143820@n39g2000hsh.googlegroups.com>,
tsudohnimh@gmail.com says...
> Using a VPN or PPTP solution would accomplish this, or a more insecure
> way (read more convenient) is to modify the Watchguard Management
> policy (usually next to last) and allow any external (don't remove any
> trusted). If you use strong passphrases this could be an alternate
> management method.

In many of the WG training classes they often talk about exposing the WG
Auth port to the public, which I've always been against. The advantage
is that you can then setup AUTH based rules without the user having to
do a PPTP, so a simple HTTP://firewall_IP:xxxx (auth port) will get you
authenticated...

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Watchguard 9.1 beginner question(s)

Thanks both of your for the info. I spent about an hour on it last
night and (at least to me) I think I'm getting the logic of how the
software works.

Here's some more info on the setup.

Both WAN and LAN are public IPs.

WAN side we'll call 200.0.0.72/30, which gives me a WAN gateway (ISPs
switch) of 200.0.0.73 and a WAN IP of 200.0.0.74 / 255.255.255.252.

LAN side IP space is in the same class C, but a different subnet:
200.0.0.96/28. This gives me a gateway IP for the webservers of
200.0.0.97 / 255.255.255.240, and then usable IPs of 200.0.0.98 -
200.0.0.210 for the actual hardware.

In policies, I've put ordering on manual.

I created a alias with the big IP blocks that shouldn't even see the
public web sites (i.e. 222.0.0.0/8, 223.0.0.0/8 etc.).
At the top of my policy list, I have a DENY, from = blocked_alias, to
= ANY TRUSTED

I then have my public allow policies:
allow from = ANY EXTERNAL to = ANY TRUSTED port: 80/TCP
allow from = ANY EXTERNAL to = ANY TRUSTED port: 443/TCP

I then created another alias called OFFICE with our office's static IP
in it.

Then, add some policies for my office IP:

all from = OFFICE (alias), to = ANY TRUSTED port:xxxxx/TCP
all from = OFFICE (alias), to = ANY TRUSTED port:yyyyy/TCP
all from = OFFICE (alias), to = ANY TRUSTED port:zzzzz/TCP

I still need to read up on ANY TRUSTED vs. TRUSTED / ANY EXTERNAL vs.
EXTERNAL.

Regarding the remote management, I saw where I could assign it to a
VPN user. Could I create a VPN user for myself, install the VPN
client on my home office system, put it's VPN IP into the optional
group (10.0.2.xxx) and then establish a VPN connection and and allow
access to FIREBOX for that vpn user?

Thanks again for taking the time to read through my long post!

Steve










On Sep 25, 11:25 pm, Leythos wrote:
> In article <1190776481.007011.143...@n39g2000hsh.googlegroups.com>,
> tsudohn...@gmail.com says...
>
> > Using a VPN or PPTP solution would accomplish this, or a more insecure
> > way (read more convenient) is to modify the Watchguard Management
> > policy (usually next to last) and allow any external (don't remove any
> > trusted). If you use strong passphrases this could be an alternate
> > management method.
>
> In many of the WG training classes they often talk about exposing the WG
> Auth port to the public, which I've always been against. The advantage
> is that you can then setup AUTH based rules without the user having to
> do a PPTP, so a simple HTTP://firewall_IP:xxxx (auth port) will get you
> authenticated...
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999f...@rrohio.com (remove 999 for proper email address)