Watchguard M570 - With Webblocker licence limits

edited October 2019 in Firebox - Other

I bought a WatchGuard M570 with a 1-year WebBlocker licence.
I'm asking about its limits for doing these things on my network:

  • Stop "Gaming" (Possible / Not)
  • Stop Torrent (Possible / Not)
  • Stop Arp Spoofing/Poisoning (Netcut) (Possible / Not)
  • Allow just (Http and Https) (Possible / Not)

Comments

  • . Allow just (Http and Https) (Possible / Not) - yes, BUT you really also need to allow DNS, and probably NTP, and maybe ping, etc.
    . Stop "Gaming" (Possible / Not) - yes, using Application Control (Online Gaming)
    . Stop Torrent (Possible / Not) - yes, using Application Control (BitTorrent Series)
    . Stop Arp Spoofing/Poisoning (Netcut) (Possible / Not) - I don't think so

  • I just found this:

    "For a Firebox configured in Drop-In or Bridge mode, you can use the default-packet-handling CLI command to enable the Firebox to drop ARP spoofing attacks. This option is configurable only in the CLI and is supported in Fireware v12.2 and higher."
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/default_pkt_handling_opt_about_c.html

    Do note that most sites use Mixed Routing mode, not Drop-In or Bridge mode.
    Drop-In mode has a number of limitations, including:
    . The Firebox cannot route VLAN tagged traffic.
    . The Firebox does not support link aggregation.
    . Dynamic routing (OSPF, BGP, or RIP) is not supported.
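Added example, not WatchGuard code and not from this thread: where the Firebox runs in Mixed Routing mode and so cannot use the Drop-In/Bridge-only ARP spoofing drop, the same condition can still be detected off-box, from a host or a SPAN port, by watching for one IP address being claimed by more than one MAC address in ARP replies. The ARP reply records below are constructed sample data; the trusted-binding dictionary (gateway IP to its known MAC) is an assumption the operator supplies.

```python
"""Host-side ARP spoofing detector run over a sample of ARP replies.

Added example for this thread (not WatchGuard code). It flags an IP address
that is claimed by more than one MAC address, which is what ARP cache
poisoning tools produce on the wire. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since capture start
    sender_ip: str    # IP address the reply claims
    sender_mac: str   # MAC address making the claim


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_arp_log(lines: Iterable[str]) -> List[ArpReply]:
    """Parse constructed 'ts sender_ip sender_mac' lines; blank/comment lines are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, mac = line.split()
        out.append(ArpReply(float(ts), ip, normalize_mac(mac)))
    return out


# Constructed sample: 192.168.1.1 is the gateway. From t=2.0 a second MAC
# (de:ad:be:ef:00:01) starts answering for the gateway address.
SAMPLE_LOG = """
0.0 192.168.1.1  00:11:22:33:44:01
0.5 192.168.1.10 00:11:22:33:44:0a
1.0 192.168.1.1  00:11:22:33:44:01
2.0 192.168.1.1  DE-AD-BE-EF-00-01
2.5 192.168.1.10 00:11:22:33:44:0a
3.0 192.168.1.1  de:ad:be:ef:00:01
"""
SAMPLE_REPLIES = parse_arp_log(SAMPLE_LOG.splitlines())


def detect_arp_conflicts(replies: Iterable[ArpReply],
                         trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Return one alert per (ip, new_mac) pair that conflicts with earlier claims.

    trusted: optional ip -> mac bindings known to be good (e.g. the gateway);
    a reply contradicting a trusted binding is flagged on first sight instead
    of waiting for a second MAC to appear in the capture.
    """
    trusted = {ip: normalize_mac(m) for ip, m in (trusted or {}).items()}
    seen: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for r in replies:
        mac = normalize_mac(r.sender_mac)
        ip = r.sender_ip
        if mac in seen[ip]:
            continue  # already known binding (or already alerted on this pair)
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"t={r.ts:.1f}s {ip} claimed by {mac}; trusted MAC is {trusted[ip]}")
        elif ip not in trusted and seen[ip]:
            alerts.append(f"t={r.ts:.1f}s {ip} now claimed by {mac}; previously {sorted(seen[ip])}")
        seen[ip].add(mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_REPLIES, trusted={"192.168.1.1": "00:11:22:33:44:01"}):
        print(alert)
```

Feeding the detector a capture from `arp -a` snapshots or a SPAN port gives a detection signal on any network mode; it is a monitoring control rather than the blocking control the Fireware docs describe, so it only tells you the poisoning happened.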

  • @Bruce_Briggs said:

    Drop-In mode has a number of limitations, including:
    . The Firebox cannot route VLAN tagged traffic.
    . The Firebox does not support link aggregation.
    . Dynamic routing (OSPF, BGP, or RIP) is not supported.

    OMG, so my Firebox will not allow incoming traffic from my load balancers, which do link aggregation??? It supports just one ISP link?? Why?


  • This is the architecture of my LAN. So, as you said, I cannot use my firewall in a network that contains 2 load balancers and 6 ISPs.

  • Not what I said.

  • @Bruce_Briggs said:
    Not what I said.

    Now I understand that the appliance doesn't do link aggregation itself, but it does support incoming traffic from appliances that do aggregation.

    Please take a look at the architecture that I posted above. Could I use my appliance as I drew it?

  • No you still do not understand.

    The docs say IF you want to implement the ability for the Firebox to drop ARP spoofing attacks, then you must use Drop-in or Bridge mode.

    Which implies that if you use Mixed-Routing mode, then you cannot implement this feature.
    Mixed-Routing mode does not have the limitations that either Drop-in or Bridge mode has.

    Why not look at the docs? There is a Search function in the Help Center which can help you find topics of interest, including for link aggregation.
    https://www.watchguard.com/wgrd-help/documentation/xtm

    While it appears to me that your new firewall can do what you want, it would probably be better for you to open a support incident to get WG help in setting up the firewall in your situation. They probably want to understand traffic load expectations among other things.
