Source IP of Dimension Logging Traffic

I have Watchguard Fireboxes at various locations connected to my head office with BOVPN’s.
I have a Dimension server which I recently set up to receive logging messages from the Fireboxes.
Some of the Fireboxes send their logging messages from their local LAN interface IP address, and some send their logging messages from their WAN IP.
What causes the device to choose which interface to send its logging traffic?
I am searching for differences in the configs and policies at the moment.
Any help would be appreciated.
Thank you.

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    If the firewall has a route to the dimension server using an internal network, it will try that first, and use the IP address of that interface.

    If the firewall does not have a route, it will source from the external IP of the lowest numbered external interface (by default) unless it is overridden by SD-WAN.

    You can enable placing policies above the any-from-firebox rule, which allows you to specify thinks like custom SD-WAN policies, and NAT settings applied to that traffic:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policies_firebox_generated_traffic_config_examples.html

    -James Carson
    WatchGuard Customer Support

  • Hi James,
    Thank you for your help with this. Unfortunately I am still struggling. I will try to explain. Excuse any terminology mistakes I may make.
    On one of the sites with a problem and I have noticed the following:
    The site firebox is set to send messages to the IP address of our Dimension server in our head office.
    The site trusted network has a route to the dimension server through a BOVPN.
    In Traffic Monitor on the Head Office firebox I see wg-logging traffic coming in from the site via the BOVPN to the IP of the Dimension server. The traffic is Denied. The traffic source address is show as the external IP of the site Firebox. The there is a comment which says IP Spoofing Sites.
    In Traffic Monitor on the site firebox I never see it send any data to the dimension server – I have tried filtering by the IP address of the Dimension server and by the word ‘log’ or ‘logging’. I might be filtering incorrectly or misunderstanding how this traffic appears in traffic monitor.
    I have displayed the Any From Firebox policy, and it is always at the top of the list of policies.
    Thank you,
    Andy

  • IP Spoofing Sites indicates that the firewall does not expect to see packets from the public IP addr coming through the BOVPN.

    I can't explain why this is happening.

    However, to address this, you can add a Tunnel entry on your BOVPN setup with the Remote value being the remote firewall external IP addr and the local IP addr being the Dimension server IP addr or subnet.

  • Hi Bruce
    All our BOVPNs are set up as BOVPN Virtual Interfaces. Does that mean I can't use your suggestion?
    While I was looking at the BOVPN I thought of adding an individual route specifically for the Dimension server (even though the dimension server IP is within one of the routes already).
    Thank you,
    Andy

  • That is what I would try.

Sign In to comment.