WatchGuard® Made Simple

This site is for common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners. All other content is the property of Fireboxsupport.com and may not be reproduced without permission.

PLEASE REFRESH THE PAGES IF YOU HAVE VISITED PREVIOUSLY! - NEW CONTENT ADDED! 01/02/2007


Configuration of incoming policies with a single WAN connection or Multi-WAN connection with Fireware Pro.

Using the WatchGuard System Manager, select “Connect to Device” and enter the trusted IP of your Firebox and its read-only passphrase.

After the device is shown in the WatchGuard System Manager display, select the device and click the “Policy Manager” icon.

Policy Manager opens with the configuration of your Firebox.

In this example, the primary WAN has already been configured with an IP of 64.30.5.2/24 and a default gateway of 64.30.5.1.

The secondary WAN has already been configured with an IP of 24.111.1.2/24 and a gateway of 24.111.1.1.

The example shows how to allow incoming HTTP from each WAN connection to a single webserver with the private IP 172.30.0.2/24, whose default gateway is set to the Firebox trusted interface, 172.30.0.1.

Note: If you only have one WAN connection, you can stop when you reach the section on adding a second NAT for your secondary WAN.

The same method is used to configure other policies that allow incoming TCP/UDP unicast packets as needed by your organization. Once you understand this, you can configure almost any policy on the Firebox.

Click on “Add Policies”.

Expand the “Packet Filters” section and scroll down to HTTP.

Double click on HTTP; do not click “New”. Clicking “New” creates a custom packet filter, and here we only need the predefined one.

Now you see the options for HTTP. There are no special options to configure with packet filters.

Here you may rename the policy if you wish, but keep the name specific so anyone would understand what this policy does. By default the rules of this policy are From: any-trusted To: any-external.

Those settings won’t be used for an incoming policy, so remove them by clicking on each one and selecting “Remove”. Both the From: and To: fields will then show “none”.

Next, on the From: field, click Add. On the Add Address screen double click on “Any”, as we want anyone to be allowed to the webserver.

After you double click Any, it will populate into the bottom of the dialog box.

Click OK.

Now configure the incoming NAT that points HTTP traffic arriving on the outside WAN IPs to the internal server IP.

In the To: field, click Add.

Next click NAT.

Notice that the system automatically selected the primary WAN IP as the external IP address to NAT. If you wish, you can use the “External IP address” drop-down box to select any external interface IP or alias that is configured.

In this example we will allow traffic in from the primary WAN interface.

For the Internal IP address, enter the HTTP server IP of 172.30.0.2.

Note: For most policies you will not check the box “Set internal port to a different port than this policy”. This is only for custom applications where it may be needed, and it is rarely used.

Then click OK.

Verify the rule properly shows the external IP you want to map to the webserver internal IP of 172.30.0.2.

Click OK.

Click OK on the policy. It will show the new policy in your configuration, and the setup is complete.

Now select File > Save to Firebox.

This completes creating a NAT rule for incoming traffic with a single WAN connection. You can make additional rules as you wish.

Note: Only one NAT rule can be in a policy. If you need additional NAT rules, add another policy, as we will do here with a second HTTP policy. Just remember to name each one something helpful, such as “HTTP-Server1”, then “HTTP-Server2”, and so on.

Allowing incoming traffic for any of your policies, such as SMTP, FTP or HTTP, is configured with the same method. Proxy policies are also done in the same fashion, but they have additional options for configuring the proxy portion of the policy.

--------------------------------------------------------------------------------------------------------

Configuring incoming HTTP for a second WAN connection IP. You can have many policies to point HTTP to different servers, for example. But you must have one public IP on the external interface for each HTTP port 80 connection you want to forward in. You cannot forward the same port from one public address to more than one machine.
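As an added example (not code from this site or from WatchGuard), the following Python script models the policies built above as data and checks the two constraints just stated before anything is saved to the Firebox: one NAT rule per policy, and no public IP/port pair forwarded to more than one machine. The Policy and NatEntry classes, the function names and the sample policies are this example's own invention, not WatchGuard APIs; the addresses are the ones used in this write-up.

```python
"""Consistency check for Firebox incoming (static NAT) policies.

Added example; not code from fireboxsupport.com or WatchGuard. It models
the constraints the write-up states so they can be checked before a set of
policies is saved to the Firebox:

  * a policy carries at most one NAT rule;
  * one public IP + port pair can be forwarded to only one machine.

The Policy and NatEntry classes and the function names are this example's
own; they are not WatchGuard APIs. The sample policies are constructed from
the addresses used in the write-up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HTTP = 80


@dataclass
class NatEntry:
    external_ip: str                      # WAN interface IP or alias chosen in the NAT dialog
    internal_ip: str                      # private server address, e.g. 172.30.0.2
    internal_port: Optional[int] = None   # None = same port as the policy (the usual case)


@dataclass
class Policy:
    name: str
    port: int                             # the policy's service port, HTTP = 80
    source: str = "Any"                   # the From: field
    nat: List[NatEntry] = field(default_factory=list)  # NAT rules entered in the To: field


def find_problems(policies: List[Policy]) -> List[str]:
    """Return human-readable problems; an empty list means the policy set is consistent."""
    problems: List[str] = []
    owner: Dict[Tuple[str, int], str] = {}   # (external IP, port) -> policy that already uses it
    for p in policies:
        if len(p.nat) > 1:
            problems.append(f"{p.name}: only one NAT rule is allowed per policy, found {len(p.nat)}")
        for n in p.nat:
            key = (n.external_ip, p.port)
            if key in owner:
                problems.append(f"{p.name}: {n.external_ip}:{p.port} is already forwarded by "
                                f"{owner[key]}; a public IP/port pair can reach only one machine")
            else:
                owner[key] = p.name
    return problems


def forwarding_table(policies: List[Policy]) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map each (external IP, port) to the (internal IP, internal port) it lands on,
    so the whole NAT set can be read at a glance after the GUI work is done."""
    table: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for p in policies:
        for n in p.nat:
            table[(n.external_ip, p.port)] = (n.internal_ip, n.internal_port or p.port)
    return table


# Constructed sample mirroring the write-up: one HTTP policy per WAN, both to one server.
GOOD = [
    Policy("HTTP-Server1", HTTP, nat=[NatEntry("64.30.5.2", "172.30.0.2")]),
    Policy("HTTP-Server2", HTTP, nat=[NatEntry("24.111.1.2", "172.30.0.2")]),
]
# Constructed mistakes: a third policy reusing the primary WAN IP on port 80 for a
# different host, and a policy trying to carry two NAT rules at once.
BAD = GOOD + [
    Policy("HTTP-Server3", HTTP, nat=[NatEntry("64.30.5.2", "172.30.0.3")]),
    Policy("HTTP-Both", HTTP, nat=[NatEntry("64.30.5.2", "172.30.0.4"),
                                   NatEntry("24.111.1.2", "172.30.0.4")]),
]

if __name__ == "__main__":
    print("good:", find_problems(GOOD) or "no problems")
    for line in find_problems(BAD):
        print("bad:", line)
    for ext, internal in forwarding_table(GOOD).items():
        print(f"{ext[0]}:{ext[1]} -> {internal[0]}:{internal[1]}")
```

Run as-is, the script reports no problems for the two policies from this write-up and four for the constructed mistakes (the reused address, the double NAT rule, and the two addresses that second rule would also collide on). To check your own configuration, list each policy you created in Policy Manager as a Policy entry.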

 

In this example, we want traffic for the secondary WAN to be allowed to the same server, providing additional bandwidth and availability for the webserver, which is a common setup.

Add another policy as was done for the previous policy: go back to the Add Policies menu, expand Packet Filters and double click on HTTP again.

Then rename the policy under “Name” and remove the entries from the From: and To: fields so they show “none”.

Next, on the From: field, click Add. On the Add Address screen double click on “Any”, as we want anyone to be allowed to the webserver.

After you double click Any, it will populate into the bottom of the dialog box.

Click OK.

Next click “Add” on the To: field, and then click NAT as was done in the last policy setup.

Use the drop-down to select the secondary WAN IP address, or an alias on the secondary interface.

Then enter the same private IP of the webserver, 172.30.0.2, which we used in the last policy.

Click OK.

Verify the rule is correctly mapping the secondary WAN IP to the webserver.

This completes configuring incoming HTTP for a second WAN connection IP.

Now either external interface will accept HTTP port 80 requests sent from the internet and forward them to the webserver at 172.30.0.2.

Don’t forget that if you do this multi-WAN configuration with SMTP there are special requirements. Traffic will be sent out on either of your WAN interfaces because it’s round robin, so you must have an MX record for each interface or your mail may be rejected by anti-spam mailservers. Contact your DNS provider to have this done for you.

For HTTP, all you need to do is add both the primary and secondary public IPs you configured here to the domain name of the webserver, such as www.domain.com. Contact the DNS provider of your domain so both IPs resolve to your website domain name. DNS round robin will then distribute incoming requests between your internet connections.
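Once both policies are saved and the DNS provider has published both addresses, a check from a host outside the firewall confirms that the setup behaves as described. The script below is an added example, not code from this site or from WatchGuard: it verifies that the hostname's A records are exactly the configured WAN IPs and that each WAN IP answers HTTP on port 80. www.domain.com and the WAN addresses are the write-up's example values; fake_resolve and fake_probe are constructed stand-ins so the logic can be exercised offline, and the MX check for SMTP is not covered because the standard library has no MX lookup.

```python
"""Post-change check for a multi-WAN HTTP forward.

Added example; not code from fireboxsupport.com or WatchGuard. Run it from a
host outside the firewall once both NAT policies are saved and the DNS
provider has published the A records. It confirms the two things the
write-up relies on:

  * the hostname's A records are exactly the WAN IPs you configured, so DNS
    round robin can spread clients over both links;
  * each WAN IP answers HTTP on port 80, i.e. each NAT policy really forwards.

The resolver and the probe are passed in as callables so the logic can be
exercised offline with stand-ins; the defaults use only the standard library.
www.domain.com and the WAN IPs are the write-up's example values.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set, Union


def resolve_a(hostname: str) -> Set[str]:
    """Every IPv4 address the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def http_answers(ip: str, hostname: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True if ip:port accepts a TCP connection and replies with an HTTP status line."""
    request = f"HEAD / HTTP/1.0\r\nHost: {hostname}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            return sock.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


def check_forwarding(hostname: str, wan_ips: Iterable[str],
                     resolve: Callable[[str], Set[str]] = resolve_a,
                     probe: Callable[[str, str], bool] = http_answers,
                     ) -> Dict[str, Union[bool, List[str]]]:
    """Compare published DNS and live reachability against the configured WAN IPs."""
    expected = set(wan_ips)
    published = resolve(hostname)
    report: Dict[str, Union[bool, List[str]]] = {
        "missing_a_records": sorted(expected - published),     # WAN IP not yet in DNS
        "unexpected_a_records": sorted(published - expected),  # stale or foreign address in DNS
        "unreachable": sorted(ip for ip in expected if not probe(ip, hostname)),  # NAT not forwarding
    }
    report["ok"] = not (report["missing_a_records"] or report["unexpected_a_records"]
                        or report["unreachable"])
    return report


# Constructed stand-ins for an offline dry run: DNS lists both WAN IPs, but only the
# primary WAN forwards port 80 (as if the second policy was never saved).
def fake_resolve(hostname: str) -> Set[str]:
    return {"64.30.5.2", "24.111.1.2"}


def fake_probe(ip: str, hostname: str) -> bool:
    return ip == "64.30.5.2"


WAN_IPS = ["64.30.5.2", "24.111.1.2"]

if __name__ == "__main__":
    print(check_forwarding("www.domain.com", WAN_IPS, resolve=fake_resolve, probe=fake_probe))
    # Against the real firewall, drop the stand-ins:
    # print(check_forwarding("www.domain.com", WAN_IPS))
```

With the stand-ins the report lists 24.111.1.2 as unreachable and marks the check as not ok; against the live firewall an address in "unreachable" means that WAN's NAT policy is not forwarding (or was never saved), and an address in "missing_a_records" means the DNS provider has not published it yet.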

 

Lastly, review your Outgoing TCP rule to ensure that it is configured properly to allow your outgoing traffic, as described in Configuring the Outgoing TCP Proxy.

Configuring the Outgoing TCP Proxy