new to FireBox, firewall question

I have Firebox M3270 with VLANs.
How can I block internet access, and only allow internal networks using the web gui?

I went to FIREWALL --> Firewall Policies, but not sure what to do from there.


Comments

  • Block Internet access for ????

    The "web gui" - meaning the firewall Web UI?
    If so, the default setup is to only allow access from internal access.
    The policy name is "WatchGuard Web UI"

    FYI, besides the Web UI, there are Windows based management tools - WatchGuard System Manager, which many of us use.

  • Sorry I wasn't being clear. I would like to block internet access to a network, VLAN 30. I was asking how would I do that from the WatchGuard Web GUI interface.

    I have 2 VLANs with the following numbers and names:

    20 Admin 10.0.20.1 /24
    30 CMM 10.0.30.1/24

    I would like to block internet for VLAN 30 (CMM), but allow access to internal network, VLAN 20 (Admin).

    So when done, computers connected to VLAN 30 should not be able to go to internet.

  • Add an Any packet filter, From: CMM To: Any-external
    Set this policy to Denied.
    Move this policy to the top of your policy list.
    Packets denied by this policy will show in Traffic Monitor.

  • ok thank you, I'll try that

  • And I do this from FIREWALL --> Firewall Policies, then click on ADD POLICY?

  • Thanks again, it's also blocking me from going to the Netgear switch web gui for some reason.

    But if I remove my default gateway from the Firebox, the Netgear switch web gui works.

  • I can ping the Netgear switch, but can't access the web gui

  • What do you see in Traffic Monitor when you try to access the Netgear?

    Where is the Netgear located in your network setup?
    What is the default gateway of the Netgear?

  • The laptop I'm accessing the Netgear switch from is on VLAN 20 (Admins), 10.0.20.5
    The switch is on VLAN 1, 10.0.100.100

    it says Deny 10.0.20.5 10.0.100.100 56510 80 20-Admins 1-Trusted Denied 52 127

    On the WatchGuard, port 1 is VLAN 1, 10.0.100.1/24, and it's connected to port 1 on the Netgear switch, also on VLAN 1 (10.0.100.100 255.255.255.0 10.0.100.1)

    Port 6 on the WatchGuard is a trunk with VLANs 20,30, and it's connected to port 2 of the Netgear, also tagged with VLANs 20,30

    Default gateway of the Netgear is 10.0.100.1

    When I ping the switch, on the Traffic Monitor, it shows Allow 10.0.20.5 10.0.100.100.......

  • "Deny 10.0.20.5 10.0.100.100 56510 80 20-Admins 1-Trusted"

    This says that there is no policy allowing TCP port 80 (HTTP) from 10.0.20.5 on the 20-Admins interface to 10.0.100.100 on the 1-Trusted interface.

    So you need to add a HTTP policy to allow this access.
    For this, I would use a HTTP packet filter.

  • Ok, what does the 56510 mean? Is that a packet header number?

    I do have a HTTP-Proxy policy, and the type is HTTP-Proxy
    From
    Any-Trusted, Any-Option
    To
    Any-External
    Port:
    80

    Is HTTP-Proxy not the same as HTTP Packet filter / HTTP Policy?

  • It's working now. As per your suggestion, I created a new policy

    to allow Admins (name of VLAN 20) to Any-Trusted on tcp:80 udp:80

    now I can access the Netgear switch web gui if I enter 10.0.100.100 on the browser

    Another question. I don't think I need udp:80, but I'm not sure how to remove it.

  • I also connected to VLAN 30, and I'm not able to connect to the Netgear switch web gui, so that's working now.

    Weird thing is that when I'm on VLAN 20, I'm able to connect to the switch web gui, but on the Traffic Monitor, it doesn't show Allow 10.0.20.5 10.0.100.100 as expected

    it shows
    Deny 10.0.20.5 10.0.0.160 20-Admins Denied 134 64

    I'm not sure what 10.0.0.160 is; I can't even ping it.

  • 56510 is the source port of the packet.

    WSM Firebox System Manager -> Traffic Monitor has a Settings option of Show Log Field Names which can make understanding the fields in a log message easier for newer users.
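    Added example (not code from the thread or from WatchGuard): a first-match model of the ordered policy list described earlier (the Any packet-filter deny placed at the top, the HTTP policy the poster added, and the existing HTTP-Proxy), plus a splitter for Traffic Monitor lines in the layout quoted above, with the source port in the position this reply explains. The alias memberships, the "Allowed" disposition word and the meaning of the trailing numeric columns are assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed aliases (assumption): Any-Trusted covers the three internal
# networks named in the thread; any address outside them counts as external.
ALIASES = {
    "Admins": [ip_network("10.0.20.0/24")],
    "CMM": [ip_network("10.0.30.0/24")],
    "Any-Trusted": [ip_network("10.0.100.0/24"), ip_network("10.0.20.0/24"),
                    ip_network("10.0.30.0/24")],
}

def in_alias(ip, alias):
    addr = ip_address(ip)
    if alias == "Any":
        return True
    if alias == "Any-External":
        return not any(addr in net for net in ALIASES["Any-Trusted"])
    return any(addr in net for net in ALIASES[alias])

# Ordered policies (name, action, from, to, ports; None = any port): the deny
# at the top as advised, the HTTP policy the poster added, the existing proxy.
POLICIES = [
    ("Block-CMM-Internet", "Deny", "CMM", "Any-External", None),
    ("Admins-HTTP", "Allow", "Admins", "Any-Trusted", {("tcp", 80)}),
    ("HTTP-Proxy", "Allow", "Any-Trusted", "Any-External", {("tcp", 80)}),
]

def evaluate(src, dst, proto, dport, policies=POLICIES):
    """First matching policy wins; no match falls to the default deny."""
    for name, action, frm, to, ports in policies:
        if ports is not None and (proto, dport) not in ports:
            continue
        if in_alias(src, frm) and in_alias(dst, to):
            return action, name
    return "Deny", "Unhandled Packet"

def parse_traffic_monitor(line):
    """Split a Traffic Monitor line in the layout quoted in the thread. Port
    columns appear only on TCP/UDP lines; 'Allowed' and the trailing numeric
    columns are assumptions, left unparsed."""
    parts = line.split()
    rec = {"action": parts[0], "src_ip": parts[1], "dst_ip": parts[2]}
    rest = parts[3:]
    if len(rest) > 1 and rest[0].isdigit() and rest[1].isdigit():
        rec["src_port"], rec["dst_port"] = int(rest[0]), int(rest[1])
        rest = rest[2:]
    ifaces = []
    while rest and rest[0] not in ("Denied", "Allowed"):
        ifaces.append(rest.pop(0))
    rec["interfaces"], rec["disposition"] = ifaces, rest[0] if rest else None
    rec["extra"] = rest[1:]          # e.g. the "52 127" tail from the thread
    return rec
```

    Removing the Admins-HTTP entry from the list reproduces the deny the poster saw before adding it; the 203.0.113.0/24 addresses used to stand in for the internet are documentation-range values, not real hosts.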

  • A HTTP packet filter does not have UDP port 80 in it.
    Did you add a HTTP packet filter to allow this access??
    UDP port 80 should not be needed here.
    To remove the UDP port, you probably need to delete this policy and add one without the UDP port 80.

  • ok thanks for all your help

  • 1) By default, allowed packets are not shown in Traffic Monitor.
    To see packets allowed by a specific policy, you need to turn on Logging on it.

    2) One needs to see all of a deny log record to see all of the fields in it to know why a packet is being denied.

  • ok, I see the Allow on the Traffic Monitor now. I need to get familiar with Firebox GUI, I'm used to Meraki

  • I connected a cable from interface 0 on the WatchGuard to my fiber internet router. I have the interface on the WatchGuard set to DHCP, but I'm not getting internet.

  • I connected the cable from the fiber internet to my laptop, and it's not getting an IP address either.

  • Do you get a link light on your firewall interface or on your laptop Ethernet port?
    If not, try the other Ethernet cable type - there are 2 - straight through and cross-over.

    https://www.computercablestore.com/straight-through-crossover-and-rollover-wiring

    Can you ping www.google.com ? If so, this could be a DNS issue.
    What DNS IP addr is your laptop getting?

    What IP addr, subnet mask & default Gateway are you getting on your laptop when connected?

    You can see all of these values from an ipconfig /all command
    https://lazyadmin.nl/it/ipconfig-command/

    Otherwise, contact your ISP about this and see if they can help.

  • Also, try a power off/on of your fiber internet device and see if that makes a difference.

  • Yes, I get a link light on the firewall interface and on the laptop, just not getting an IP address and no internet.

    I think it's an ISP issue.

  • I'm checking with the ISP, but just to make sure, on the WatchGuard, I have interface 0 as type External, and I had it set to DHCP. That should be enough to give internet access to WatchGuard right?

    I don't need to configure any firewall rules?

  • As long as you ran the Quick Setup Wizard, and have External set to DHCP, you should be able to connect to the Internet.

  • Also you need to import the Feature Key

  • ok, ISP replied and said they need to turn on the ports for internet. Just waiting for them to do that so I can connect it to the WatchGuard to test.

  • It looks like I can run the Policy Checker to test if a policy exists and, if not, see what it would do. Like a what-if feature, if I understand correctly.

    On my production network, I have 2 WatchGuard FireBox M270 in a cluster. I did not set up this network, another company did. I'm more used to Meraki MX. On the link below, it says with a cluster, the Policy Checker is not available, but when I login to my cluster, I do have that feature.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policy_checker_web.html

    Is the point of the Policy Checker to run a what-if scenario if a certain policy is applied?

  • Yes, or what policy would be applied.
    Sometimes Policy Check doesn't provide a policy name when in fact there is a policy which matches the entered info.

    I don't have a cluster, so I can't respond to the cluster issue.
