new to FireBox, firewall question

I have Firebox M3270 with VLANs.
How can I block internet access, and only allow internal networks using the web gui?

I went to FIREWALL --> Firewall Policies, but not sure what to do from there.



  • Options

    Block Internet access for ????

    The "web gui" - meaning the firewall Web UI?
    If so, the default setup is to only allow access from internal access.
    The policy name is "WatchGuard Web UI"

    FYI, besides the Web UI, there are Windows based management tools - WatchGuard System Manager, which many of us use.

  • Options

    Sorry I wasn't being clear. I would like to block internet access to a network, VLAN 30. I was asking how would I do that from the WatchGuard Web GUI interface.

    I have 2 VLANs with the following numbers and names

    20 Admin /24
    30 CMM

    I would like to block internet for VLAN 30 (CMM), but allow access to internal network, VLAN 20 (Admin).

    So when done, computers connected to VLAN 30 should not be able to go to internet.

  • Options

    Add an Any packet filter, From: CMM To: Any-external
    Set this policy to Denied.
    Move this policy to the top of your policy list.
    Packets denied by this policy will show in Traffic Monitor.

  • Options

    ok thank you, I'll try that

  • Options

    And I do this from FIREWALL --> Firewall Policies, then click on ADD POLICY?

  • Options

    Thanks again, it's also blocking me from going to the Netgear switch web gui for some reason.

    But if I remove my default gateway from the Firebox, the Netgear switch web gui works.

  • Options

    I can ping the Netgear switch, but can't access the web gui

  • Options

    What do you see in Traffic Monitor when you try to access the Netgear?

    Where is the Netgear located in your network setup?
    What is the default gateway of the Netgear?

  • Options

    The laptop I'm accessing the Netgear switch from is on VLAN 20 (Admins).
    The switch is on VLAN 1.

    it says Deny 56510 80 20-Admins 1-Trusted Denied 52 127

    On the WatchGuard, port 1 is VLAN 1, and it's connected to port 1 on the Netgear switch, also on VLAN 1 (

    Port 6 on the WatchGuard is a trunk with VLANs 20 and 30, and it's connected to port 2 of the Netgear, also tagged with VLANs 20 and 30.

    Default gateway of the Netgear is

    When I ping the switch, on the Traffic Monitor, it shows Allow

  • Options

    "Deny 56510 80 20-Admins 1-Trusted"

    This says that there is no policy allowing TCP port 80 (HTTP) from on the 20-Admins interface to on the 1-Trusted interface.

    So you need to add a HTTP policy to allow this access.
    For this, I would use an HTTP packet filter.

  • Options

    Ok, what does the 56510 mean? Is that a packet header number?

    I do have a HTTP-Proxy policy, and the type is HTTP-Proxy
    Any-Trusted, Any-Option

    Is HTTP-Proxy not the same as HTTP Packet filter / HTTP Policy?

  • Options

    It's working now. As per your suggestion, I created a new policy

    to allow Admins (name of VLAN 20) to Any-Trusted on tcp:80 udp:80

    now I can access the Netgear switch web gui if I enter on the browser

    Another question. I don't think I need udp:80, but I'm not sure how to remove it.

  • Options

    I also connected to VLAN 30, and I'm not able to connect to the Netgear switch web gui, so that's working now.

    Weird thing is that when I'm on VLAN 20, I'm able to connect to the switch web gui, but on the Traffic Monitor, it doesn't show Allow as expected

    it shows
    Deny 20-Admins Denied 134 64

    I'm not sure what is I can't even ping it.

  • Options

    56510 is the source port of the packet.

    WSM Firebox System Manager -> Traffic Monitor has a Settings option of Show Log Field Names which can make understanding the fields in a log message easier for newer users.

  • Options

    An HTTP packet filter does not have UDP port 80 in it.
    Did you add an HTTP packet filter to allow this access?
    UDP port 80 should not be needed here.
    To remove the UDP port, you probably need to delete this policy and add one without the UDP port 80.

  • Options

    ok thanks for all your help

  • Options

    1) By default, allowed packets are not shown in Traffic Monitor.
    To see packets allowed by a specific policy, you need to turn on Logging on it.

    2) One needs to see all of a deny log record, with all of its fields, to know why a packet is being denied.

  • Options

    ok, I see the Allow on the Traffic Monitor now. I need to get familiar with the Firebox GUI; I'm used to Meraki.

  • Options

    I connected a cable from interface 0 on the WatchGuard to my fiber internet router. I have the interface on the WatchGuard set to DHCP, but I'm not getting internet.

  • Options

    I connected the cable from the fiber internet to my laptop, and it's not getting an IP address either.

  • Options

    Do you get a link light on your firewall interface or on your laptop Ethernet port?
    If not, try the other Ethernet cable type - there are 2 - straight through and cross-over.


    Can you ping www.google.com ? If so, this could be a DNS issue.
    What DNS IP addr is your laptop getting?

    What IP addr, subnet mask & default Gateway are you getting on your laptop when connected?

    You can see all of these values from an ipconfig /all command

    Otherwise, contact your ISP about this and see if they can help.

  • Options

    Also, try a power off/on of your fiber internet device and see if that makes a difference.

  • Options

    Yes, I get a link light on the firewall interface and on the laptop, just not getting an IP address and no internet.

    I think it's an ISP issue.

  • Options

    I'm checking with the ISP, but just to make sure, on the WatchGuard, I have interface 0 as type External, and I had it set to DHCP. That should be enough to give internet access to WatchGuard right?

    I don't need to configure any firewall rules?

  • Options

    As long as you ran the Quick Setup Wizard and have External set to DHCP, you should be able to connect to the Internet.

  • Options

    Also you need to import the Feature Key

  • Options

    ok, ISP replied and said they need to turn on the ports for internet. Just waiting for them to do that so I can connect it to the WatchGuard to test.

  • Options

    It looks like I can run the Policy Checker to test if a policy exists and, if not, see what it would do. Like a what-if feature, if I understand correctly.

    On my production network, I have 2 WatchGuard FireBox M270 in a cluster. I did not setup this network, another company did. I'm more used to Meraki MX. On the link below, it says with a cluster, the Policy Checker is not available, but when I login to my cluster, I do have that feature.


    Is the point of the Policy Checker to run a what-if scenario if a certain policy is applied?

  • Options

    Yes, or what policy would be applied.
    Sometimes Policy Check doesn't provide a policy name when in fact there is a policy which matches the entered info.

    I don't have a cluster, so I can't respond to the cluster issue.
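A small first-match model of the policy list this thread builds, written as an added example (not WatchGuard code and not anything posted in the thread): it shows why the Any deny for CMM has to sit above any trusted-to-external allow, that an HTTP packet filter without udp:80 leaves UDP traffic unmatched, and that allowed packets only show up in the monitor when logging is on for the matching policy. The interface types, the "Outgoing-Web" policy and the Traffic Monitor column layout are assumptions; real Fireware also has an automatic policy-ordering mode that this model ignores.

```python
from dataclasses import dataclass

# Constructed interface table: names follow the thread (VLAN 20 "Admins",
# VLAN 30 "CMM", interface 0 external, interface 1 trusted); types are assumed.
INTERFACES = {"0-External": "external", "1-Trusted": "trusted",
              "20-Admins": "trusted", "30-CMM": "trusted"}
# Built-in aliases resolve against the interface type; a plain name matches itself.
ALIASES = {"Any": lambda t: True, "Any-External": lambda t: t == "external",
           "Any-Trusted": lambda t: t == "trusted"}

@dataclass
class Policy:
    name: str
    src: str            # interface name or alias
    dst: str
    ports: set = None   # {(proto, port)}; None = Any packet filter (all traffic)
    action: str = "Allowed"
    log: bool = False   # whether allowed packets are written to the log

def side_matches(spec, iface):
    return ALIASES[spec](INTERFACES[iface]) if spec in ALIASES else spec == iface

def matches(p, pkt):
    if not (side_matches(p.src, pkt["src_if"]) and side_matches(p.dst, pkt["dst_if"])):
        return False
    return p.ports is None or (pkt["proto"], pkt["dport"]) in p.ports

def check(policies, pkt):
    """What-if check: the first policy that matches wins; no match is the implicit deny."""
    for p in policies:
        if matches(p, pkt):
            return p.name, p.action
    return None, "Denied"

def monitor_line(policies, pkt):
    """Traffic Monitor view: denies are always shown, allows only if the policy logs."""
    name, action = check(policies, pkt)
    if action == "Allowed" and not any(p.log for p in policies if p.name == name):
        return None
    verb = "Allow" if action == "Allowed" else "Deny"
    return f"{verb} {pkt['sport']} {pkt['dport']} {pkt['src_if']} {pkt['dst_if']} {action}"

# Thread's final list: CMM deny on top, Admins->switch HTTP filter, constructed outbound allow.
POLICIES = [
    Policy("Block-CMM-Internet", "30-CMM", "Any-External", None, "Denied"),
    Policy("Admins-to-Switch-HTTP", "20-Admins", "Any-Trusted", {("tcp", 80)}, log=True),
    Policy("Outgoing-Web", "Any-Trusted", "Any-External", {("tcp", 80), ("tcp", 443)}),
]
CMM_TO_WEB = {"src_if": "30-CMM", "dst_if": "0-External", "proto": "tcp", "sport": 56510, "dport": 80}
ADMIN_TO_SWITCH = {"src_if": "20-Admins", "dst_if": "1-Trusted", "proto": "tcp", "sport": 56510, "dport": 80}
```

Passing `POLICIES[1:] + POLICIES[:1]` to `check` reproduces the mistake the thread warns against: with the deny at the bottom, CMM web traffic is allowed by the broader trusted-to-external policy.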
