Solved

Watchguard Firebox Edge authentication from behind a NAT

Posted on 2007-12-01
5
598 Views
Last Modified: 2013-11-16
I hope I'm wrong below, but I don't think so.

I have been evaluating a Watchguard Edge X20e and was all looking good from a web blocking perspective.  Setup some accounts and yes, the blocking works.

I then placed the X20e in our DMZ between our firewall and the ADSL connection and an odd thing happened.

I went through the X20e, authenticated and yes, blocking works.
However, I then when to another machine, went browsing and it went right through without authentication.  I looked at the authenticated users on the X20e and there was only one (from the first machine).  The ARP table on the X20e only shows the MAC access of our firewall and not the MAC address of the workstations (expected as effectively the firewall is acting as a NAT box)

I assumed that the authentication was between the browser and the firebox, but it appears that the authentication is against the MAC address (in this case the public side of the NAT)

Can anyone confirm this?

If this is the case, it makes the X20e absolutely useless for anyone who has a common NIC to push Internet traffic through (e.g. Small Business Server with internal and external nics).

Disappointing :(

SF
0
Comment
Question by:sheepfarmer
  • 3
  • 2
5 Comments
 

Author Comment

by:sheepfarmer
ID: 20389224
Or indeed it could be authenticating against the IP address of the public side of the NAT
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 20398040
You are right, WG does authentication based on IP address so in your case moment one user authenticates; anyone would be allowed access to internet.

You should not use a NAT device behind WG; it is not recommended.

Please let me know if you need more detals.

Thank you.
0
 

Author Comment

by:sheepfarmer
ID: 20399370
As a matter of interest I talked to Watchguard today. Apparantely the Edge product range is a few versions behind the larger Fireboxes but the good news is that the next release of firmware (this month) for the X20e/Edge is very likely to have a more flexible authentication method which should allow authentication from the other side of the NAT.  

I'll leave this question open so I can post the outcome in a couple of weeks (apparently).

SF
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20399826
Thank you for the update; I'll waiting for your next update! :)
0
 

Author Comment

by:sheepfarmer
ID: 20537138
Watchguard has confirmed they have no immediate plans to change the authentiation method for the X20e :(

Shame.  I'll shall have to look for another safe surf appliance.

SF
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question