Forward Traffic from external IP to SQL Server
I imagine this would be quite easy for some of you, but I am not yet familiar with the WatchGuard interface. We are using software outside of our domain that will send data to an SQL database in our network. I know the IP address of where the data will come from and I know the internal server IP address it needs to go to as well as the port.
Using the FireWare Web UI on a Firebox M470 (version 12.1.3.B563398), I set up a SNAT as follows:
External/Optional IP Address --> Our external IP address
Internal IP address --> The IP address of the server
Set Source IP --> The IP of where the data is coming from
Set internal port --> 1433
I'm just not sure where to go from there... or even if any of that is correct. I would be very grateful for any assistance. I tried watching the WatchGuard videos (which is how I got as far as I did) but I get lost quickly after that.
Thanks in advance!
Rick
Comments
Here is the concept:
You need a policy to allow packets to flow through the firewall.
The default setup has a few policies which allow most packet types to go from internal devices to the Internet.
For incoming traffic, you need to add 1 or more policies to allow the traffic.
For your case, you want to add a policy allowing TCP port 1433, from a known external IP addr to an internal server.
There is a policy already created in Fireware for TCP port 1433, called MS-SQL-Server.
So select the MS-SQL-Server predefined policy (Firewall -> Firewall Policies -> Add Policy -> Select a packet filter), then Add Policy.
In the From field, enter the sender's IP addr.
In the To: field, add the SNAT entry that you created.
Then do a Save.
Here is what you should change in the SNAT entry prior to adding it to the policy:
1) remove Set Source IP
2) remove Set internal port
Neither of these is normally needed, and neither is needed in your case.
One final note: I and many others prefer to use WSM Policy Manager - a Windows program to manage our firewalls. You can download WSM and install it, should you desire. I also use WSM Firebox System Manager all the time instead of using the Web UI monitoring tools.
Much appreciated. I'll check this out later tonight or tomorrow when time permits.
When adding the From IP, do I add it as Host IPv4, Network IPv4, or something else?
For a single IP addr - host IP addr
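To show why the From member should be a single Host IPv4 (a /32) rather than a Network IPv4, here is a small model of the inbound MS-SQL-Server policy and SNAT entry described in the answer above, with a defender-side audit of how many source addresses the From field actually admits. This is an added illustration, not WatchGuard code or the thread's own configuration; the sender, external and server addresses are constructed sample values, and the matching logic is a simplification of what a Firebox does.

```python
"""Simplified model of a Fireware inbound policy with a static NAT (SNAT) entry."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Snat:
    """SNAT entry: external (public) address mapped to the internal server."""
    external_ip: str
    internal_ip: str


@dataclass
class Policy:
    """Packet-filter policy: From members, To = SNAT entry, one TCP port."""
    name: str
    from_members: list   # ipaddress networks; Host IPv4 is a /32, Network IPv4 a wider CIDR
    to_snat: Snat
    port: int = 1433
    proto: str = "tcp"


def from_member(text):
    """Host IPv4 ('198.51.100.7') becomes a /32; Network IPv4 keeps its CIDR."""
    return ipaddress.ip_network(text, strict=False)


def evaluate(policy, src_ip, dst_ip, proto, dst_port):
    """Return the internal server address if the policy admits the packet, else None."""
    if proto != policy.proto or dst_port != policy.port:
        return None
    if dst_ip != policy.to_snat.external_ip:      # must hit the SNAT's external address
        return None
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in policy.from_members):
        return None
    return policy.to_snat.internal_ip              # SNAT rewrites the destination


def audit(policy):
    """Warn when a From member admits more than the single sender the policy is meant for."""
    return [f"{net} admits {net.num_addresses} source addresses on port {policy.port}"
            for net in policy.from_members if net.num_addresses > 1]


# Constructed sample values (documentation ranges, not real hosts).
SNAT_ENTRY = Snat(external_ip="203.0.113.10", internal_ip="10.0.0.25")
HOST_POLICY = Policy("MS-SQL-Server", [from_member("198.51.100.7")], SNAT_ENTRY)
NETWORK_POLICY = Policy("MS-SQL-Server", [from_member("198.51.100.0/24")], SNAT_ENTRY)

if __name__ == "__main__":
    print(evaluate(HOST_POLICY, "198.51.100.7", "203.0.113.10", "tcp", 1433))  # 10.0.0.25
    print(evaluate(HOST_POLICY, "198.51.100.8", "203.0.113.10", "tcp", 1433))  # None
    print(audit(NETWORK_POLICY))
```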
Great, thanks. I went with that last night as a test and it worked, but I wanted to make sure that was the correct setting regardless of whether it worked or not.
Thanks so much for your help!