Seeking clarity on FireCluster management as well as the varieties of VPNs

Hello WatchGuard and friends,

My company recently had an M370 installed by our MSP, as I'm still in my first year working in networking at an SMB. My director and I basically let our consultant replace our ancient Cisco ISR and took a backseat to that process.

So he did the physical installation and replaced our Cisco AnyConnect VPN that remote employees used with the WatchGuard SSLVPN, which overall went very smoothly, but he left many of the subscription features untouched. This I guess could be question 1:

Since I've read that IKEv2 is preferable in terms of speed and security -- I understand that we're using SSL to achieve a split-tunnel VPN that my co-workers are all used to, but I've just been reading about how it's possible to achieve a similar situation by use of reverse proxies in the configuration of Access Portal.

Then I read that M3xx devices cannot run this feature -- but that WatchGuard Cloud could -- my question is: is Access Portal accessible to perform these feats (as vaguely as I worded it -- I haven't quite gotten much of the full experience yet); but does the installation of WG Cloud give an M370 TSS setup more abilities, like the one I just mentioned above?

The consultant who installed the M370 said we didn't really need WatchGuard Cloud, or Dimension actually, because all the features are accessible from both the Server Manager as well as the web UI. Is this true? I was looking forward to trying out Dimension if only for the experience, so I'm wondering if you think this would be a worthwhile endeavor.

So right, first: do WatchGuard Cloud, Server Manager, and Dimension all cover the same features and allow for the same administration?

~~

Also -- when considering the MFA (we'll be implementing AuthPoint) I'm also looking at a hard token to achieve SSO capabilities for the sake of our workers -- and after looking at a few more articles it seems like this could be a possible outcome with AuthPoint MFA (properly configured) alone; earlier I had been considering Okta or Yubico to solve this issue for me but the spend would be tough to rationalize.

So second: is the M370 + TSS capable of creating an MFA/SSO that can achieve (split-tunnel) remote VPN access, Windows login, and application credential management?

Thanks much!

Comments

  • My primary comment is about split tunnel VPNs.
    This is a potential significant security risk, and you should seriously consider not using split tunneling client VPNs.
    You can find many discussions on the security issues related to this.
    Here is one:

    VPN Split tunnel pros and cons (especially for high bandwidth applications)
    https://community.isc2.org/t5/Industry-News/VPN-Split-tunnel-pros-and-cons-especially-for-high-bandwidth/td-p/5471

    Next, does your config use any of the proxy policies?
    FTP, SMTP, HTTP, HTTPS are significant ones.
    Implementing each requires some effort and periodic adjustment, but they provide substantial security enhancement compared to using packet filters.

    IKEv2 and IPSec are much faster than SSLVPN - higher throughput. They use hardware based encryption in the firewall hardware, whereas SSLVPN does not.

    Dimension is a logging & reporting solution implemented on a VM. There is a WatchGuard Cloud version of this, but the historical records are currently maxed at 30 days (for free), and the reporting etc. is not currently as full functioned as Dimension.
    There are Windows server based logging and reporting functions (WSM Server), but those seem to be no longer being enhanced - Dimension and the WG cloud logging & reporting seem to be the future.
    I run Dimension and no longer use WSM Server logging & reporting, which I did use many years ago.
    While I have access to the logging/reporting in WG cloud, I rarely go there since I use Dimension.

    I will let others answer your other questions.
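The split-tunnel warning in the comment above is about routing: with a split tunnel the client's default route stays on the local network, so Internet traffic never reaches the firewall's proxy policies. The following is an added example, not code from the thread or from WatchGuard, that classifies a Linux client's `ip route show` output as full- or split-tunnel. The interface name `tun0` and both route tables are assumptions constructed for the example.

```python
"""Classify a VPN client's routing table as full-tunnel or split-tunnel.

Added example (not from the original thread). It parses `ip route show`
style lines and checks whether the prefixes routed over the VPN adapter
cover all of IPv4. Interface name and sample routes are assumptions.
"""
import ipaddress
import re

# Assumption: the VPN client's virtual adapter is named tun0.
VPN_IFACE = "tun0"

# Constructed sample for a split-tunnel client: only the corporate 10.0.0.0/8
# and the tunnel subnet go over tun0; the default route stays on local Wi-Fi.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 172.16.0.1 dev tun0
172.16.0.0/24 dev tun0 proto kernel scope link src 172.16.0.10
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed sample for a full-tunnel client: 0.0.0.0/1 and 128.0.0.0/1 over
# tun0 out-prefix the physical default route; a /32 keeps the VPN gateway
# itself reachable outside the tunnel.
FULL_TUNNEL = """\
0.0.0.0/1 via 172.16.0.1 dev tun0
128.0.0.0/1 via 172.16.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
172.16.0.0/24 dev tun0 proto kernel scope link src 172.16.0.10
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")
ALL_V4 = ipaddress.ip_network("0.0.0.0/0")


def parse_routes(text):
    """Return [(IPv4Network, device)] for every line that names a device."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes


def classify_tunnel(text, vpn_iface=VPN_IFACE):
    """Decide whether Internet-bound traffic is forced through the VPN."""
    routes = parse_routes(text)
    vpn_nets = [net for net, dev in routes if dev == vpn_iface]
    # Longest-prefix match means two /1 routes beat the physical /0 default,
    # so collapse the VPN prefixes and test whether they cover all of IPv4.
    covered = list(ipaddress.collapse_addresses(vpn_nets))
    full = covered == [ALL_V4]
    # The device holding the default route is where uninspected traffic exits.
    default_dev = next((dev for net, dev in routes if net == ALL_V4), None)
    return {
        "mode": "full-tunnel" if full else "split-tunnel",
        "vpn_prefixes": [str(n) for n in covered],
        "default_route_dev": default_dev,
    }


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, classify_tunnel(table))
```

Run it against a real client with `ip route show` piped into `classify_tunnel`; on a split-tunnel client the `default_route_dev` will be the physical adapter, which is exactly the traffic the firewall's HTTP/HTTPS proxy policies never see.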

  • Regarding the VPN (any type) and the Access Portal, it does seem that the Access Portal MAY be able to replace the need for a VPN. It's really going to depend on the Information Resources that the VPN is providing connectivity to, as the Access Portal (or Reverse Proxy) will need to take on that capability.

  • WatchGuard Cloud is NOT going to run your Access Portal. The WatchGuard Cloud is an alternative solution to Dimension (for Reporting and Logging).

  • @BrianSteingraber said:
    WatchGuard Cloud is NOT going to run your Access Portal. The WatchGuard Cloud is an alternative solution to Dimension (for Reporting and Logging).

    But from what I understand WG Cloud is required for proper use of Threat Detection & Response, APT Blocker and the Sandbox feature for opening suspicious files found by the host sensors, so I may be setting up each, for separate reasons. I appreciate your reply though, thanks much!

  • Log into the WatchGuard support portal.
    Then select My Watchguard.
    You will find a number of options, including:
    WatchGuard Cloud
    Manage TDR

    WatchGuard Cloud includes AuthPoint and the Dimension-like logging & reporting
    "WatchGuard Cloud" is not necessarily an all inclusive location for "cloud" based WG offerings

  • @photofalling said:

    @BrianSteingraber said:
    WatchGuard Cloud is NOT going to run your Access Portal. The WatchGuard Cloud is an alternative solution to Dimension (for Reporting and Logging).

    But from what I understand WG Cloud is required for proper use of Threat Detection & Response, APT Blocker and the Sandbox feature for opening suspicious files found by the host sensors, so I may be setting up each, for separate reasons. I appreciate your reply though, thanks much!

    What Bruce said. Watchguard Cloud is a separate item/solution to TDR, APT Blocker, Dimension, Etc. It's not needed for any of those things.