How to configure a Firebox Model T35 to open a port for an alarm system

My IT guy left me and I need help configuring a policy. I have an alarm company installing an alarm system and I need to open a dedicated port from their public IP Address to the IP address assigned to their alarm system inside my network. I have almost no experience doing this and need help.

I have the public IP, subnet, and gateway of the alarm service.
I have the private internal IP of the alarm system, subnet, and gateway.
The port to open for them to communicate is 7700.

I know this is a basic configuration issue, but I have no idea where to start. I haven't done a firewall configuration in over 15 years. Does anyone have a step-by-step guide on how to do this configuration? Thank you in advance for your help!

Comments

  • You need to set up a SNAT and set up a custom packet filter for TCP port 7700.

    If you are using the Web UI, you need to log in using the admin userid & password.

    Select Firewall -> Firewall SNAT
    Add, enter a name for this
    Add
    select the public IP addr, type = Internal IP addr, & enter the private IP addr. You do not need to select either check box.
    OK, SAVE

    Select Firewall -> Firewall Policies
    Add Policy
    Select Custom, select ADD
    enter a name, then ADD
    select Single port, TCP, Server port = 7700.
    OK, ADD Policy
    From: - remove Any-trusted, Add Any-external, OK
    To: - remove Any-external, Add - select Member Type = Static NAT, select the SNAT name that you created, OK
    Save

  • edited September 2022

    I did this for both TCP and UDP; I'll let you know if it worked for me. Thank you so much for the quick response. One last question: you recommended Any-External in the From portion. Can that be limited to the source public IP of the alarm company?

  • If you know the public IP addr of the alarm company, yes use it instead of Any-external.

    You can turn on "Send a log message" on this policy to see packets allowed by it in Traffic Monitor.

  • @Bruce_Briggs said:
    If you know the public IP addr of the alarm company, yes use it instead of Any-external.

    You can turn on "Send a log message" on this policy to see packets allowed by it in Traffic Monitor.

    I would also enable "Logging for reports" so that your Dimension server or WG Cloud Visibility gets the logs so you can monitor how much the policy is being used over a period of time (or if it is being used).

    Logging for reports, when possible, on your policies is a good practice to get into (it's nice when you want to do a policy audit a few years down the road and you want to know which policies are safe to remove).

    ~T

  • OK, I've made the changes as suggested. Yet another question: should the To part of the policy be External -> Private IP Address or Any-External -> Private IP Address?

  • @JeffQ said:
    OK, I've made the changes as suggested. Yet another question: should the To part of the policy be External -> Private IP Address or Any-External -> Private IP Address?

    That is up to you and how many public IPs you have. Either option you listed will work... though the more specific you can get the better usually.

    If you only have one Public IP, "Any-External" should be fine. However, if this uses 443, and you have SSL VPN running on 443 as well you will have port conflicts if you don't get it on a separate IP Address.

    I prefer each service I control getting its own public IP when necessary. "Any-External" will make any External Interface IP on the WG work for the NAT, which isn't always great if you want more granular customization later.

    ~T
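
The SNAT plus custom packet-filter setup from the first reply, the advice to replace Any-External in From with the alarm company's public IP, the "Send a log message" option, and the choice between a specific external IP and Any-External as the SNAT's public address can be checked against a small model before touching the Firebox. The script below is an added illustration for this thread; it is not WatchGuard code and does not talk to a Firebox. The addresses (203.0.113.10 for the alarm company, 198.51.100.5 for the single public IP, 192.168.1.50 for the alarm panel) and the policy names are constructed examples, not the poster's values.

```python
"""Model of the Firebox SNAT + packet-filter configuration from this thread.
Added illustration only: not WatchGuard code, and every address below is a
constructed example (RFC 5737 documentation ranges and RFC 1918 space)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY_EXTERNAL = "Any-External"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class SNAT:
    """Firewall -> SNAT entry: a public address mapped to an internal address."""
    name: str
    external: str  # one public IP, or ANY_EXTERNAL for every external interface IP
    internal: str  # private IP of the alarm panel


@dataclass
class Policy:
    """Custom packet filter: single port, From = sources, To = the SNAT entry."""
    name: str
    proto: str
    port: int
    sources: tuple  # ANY_EXTERNAL, or host/CIDR strings for the allowed senders
    snat: SNAT
    send_log: bool = True  # the "Send a log message" checkbox on the policy


@dataclass
class Firebox:
    external_ips: frozenset  # addresses configured on the external interface(s)
    policies: list
    traffic_monitor: list = field(default_factory=list)

    def _src_ok(self, sources, src):
        if ANY_EXTERNAL in sources:
            return True  # any sender that reaches the external interface
        return any(ip_address(src) in ip_network(s, strict=False) for s in sources)

    def _dst_ok(self, snat, dst):
        if snat.external == ANY_EXTERNAL:
            return dst in self.external_ips  # NAT applies on every external IP
        return dst == snat.external  # NAT applies only on the chosen public IP

    def evaluate(self, pkt):
        """First matching policy wins; unmatched inbound traffic is denied."""
        for pol in self.policies:
            if (pol.proto == pkt.proto and pol.port == pkt.dport
                    and self._src_ok(pol.sources, pkt.src)
                    and self._dst_ok(pol.snat, pkt.dst)):
                if pol.send_log:  # what "Send a log message" shows in Traffic Monitor
                    self.traffic_monitor.append(
                        f"Allow {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} "
                        f"policy={pol.name} snat_to={pol.snat.internal}")
                return "allow", pol.snat.internal
        return "deny", None


# Constructed addresses for the example (not the original poster's).
ALARM_COMPANY = "203.0.113.10"   # alarm company's public IP
OUR_PUBLIC_IP = "198.51.100.5"   # the site's single public IP
ALARM_PANEL = "192.168.1.50"     # alarm panel on the trusted network


def build_firebox(restrict_source=True):
    """Build the TCP and UDP 7700 policies, with From limited to the alarm company or left at Any-External."""
    snat = SNAT("Alarm-SNAT", OUR_PUBLIC_IP, ALARM_PANEL)
    sources = (ALARM_COMPANY,) if restrict_source else (ANY_EXTERNAL,)
    return Firebox(
        external_ips=frozenset({OUR_PUBLIC_IP}),
        policies=[Policy("Alarm-7700-TCP", "tcp", 7700, sources, snat),
                  Policy("Alarm-7700-UDP", "udp", 7700, sources, snat)],
    )


def run_cases(restrict_source=True):
    """Evaluate sample packets; return ({label: (verdict, nat_target)}, traffic monitor lines)."""
    fb = build_firebox(restrict_source)
    cases = {
        "alarm_tcp": Packet(ALARM_COMPANY, OUR_PUBLIC_IP, "tcp", 7700),
        "alarm_udp": Packet(ALARM_COMPANY, OUR_PUBLIC_IP, "udp", 7700),
        "stranger_tcp": Packet("203.0.113.99", OUR_PUBLIC_IP, "tcp", 7700),
        "wrong_port": Packet(ALARM_COMPANY, OUR_PUBLIC_IP, "tcp", 7701),
    }
    return {label: fb.evaluate(pkt) for label, pkt in cases.items()}, fb.traffic_monitor


if __name__ == "__main__":
    for restrict in (True, False):
        verdicts, log = run_cases(restrict)
        print("From = alarm company IP" if restrict else "From = Any-External")
        for label, verdict in verdicts.items():
            print(f"  {label:13} {verdict}")
        print("  traffic monitor:", *log, sep="\n    ")
```

Running it shows the difference the From setting makes: with the alarm company's IP as the source, only its TCP and UDP 7700 packets are translated to the panel and logged, while a stranger on the same port and the alarm company on port 7701 are both denied; with Any-External, the stranger's packet is also accepted and forwarded to the panel. Changing the SNAT's external address to ANY_EXTERNAL makes the translation apply on every address in external_ips, which is the granularity concern raised above.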

  • edited September 2022

    I believe I have only one external IP. This connection is limited to port 7700 so hopefully that isn't a conflict with anything else. Thank you for your help. They are installing the alarm system later this morning. I'll let you know if this works. Thank you again for your guidance!

  • Thank you all for your help! The alarm system installation was a success and this thread was the reason! Thank you again!
