BOVPN Virtual interface rules & odd behaviour

Hi,

Just setting up a BOVPN to Azure and noticed something odd. It creates its standard any / any rule, which works fine, but if you add a deny rule above it, it is just ignored. Do virtual interfaces only work with BOVPN policy generated rules? This would be very limiting as we want don't want everything coming through the tunnel to fall into the same rules.

Also, (something i've raised with TAC, but maybe someone has seen this). We are seeing inbound ports 135 & 445 being dropped. Its not logged anywhere and it works outbound.
Can also see the traffic hitting the tunnel at the other end.. then it just vanishes.

thanks

--
WatchGuard M4600 (x2 Cluster)
WatchGuard M640 (x2 Cluster)
Firmware : 12.8

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Abertay
    BOVPN VIFs should follow standard rules, but make sure you're using the VPN rule type. The rule should appear green in policy manager if it's detected as a VPN rule.
    (Either use the VPN alias in the add menu, or use OTHER and specify "tunnel address" in the drop down.)

    Unless there's a rule for the traffic to be handled inbound, it'll be dropped. If it's happening a lot, you're likely getting log suppression (the firewall will not show repeated logs of the same type to keep the firewall from bogging down the whole system logging it.) If it's an ongoing attempted connection, there should be a new log when a new connection opens.

    -James Carson
    WatchGuard Customer Support

  • Thanks, So you need to leave the standard bovpn.in and bovpn.out rules as any/any and then put other rules above them to lock things down?
    For instance if i only want 1.1.1.1 (local) to access 2.2.2.2 (remote), if i add a rule that states this it won't be green as it isnt referencing the BOVPN interface and 1.1.1.1 to BOVPN is too open.

    Its new connections we are testing. Just trying to open 445 from an azure server to a local server. Its the only device live up there at the moment so very little traffic. We can RDP/Ping no problem.

    --
    WatchGuard M4600 (x2 Cluster)
    WatchGuard M640 (x2 Cluster)
    Firmware : 12.8

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Abertay
    Leave the standard policies, they're governed by the checkbox the bottom of every VPN (gateway/gateway tab) that says "Add this tunnel to the BOVPN-Allow Policies." -- if you don't want it to be part of that policy, uncheck the box there.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.