Solved

Watchguard Firebox Edge authentication from behind a NAT

Posted on 2007-12-01
Last Modified: 2013-11-16
I hope I'm wrong below, but I don't think so.

I have been evaluating a Watchguard Edge X20e and all was looking good from a web blocking perspective. Set up some accounts and yes, the blocking works.

I then placed the X20e in our DMZ between our firewall and the ADSL connection and an odd thing happened.

I went through the X20e, authenticated and yes, blocking works.
However, I then went to another machine, went browsing and it went right through without authentication. I looked at the authenticated users on the X20e and there was only one (from the first machine). The ARP table on the X20e only shows the MAC address of our firewall and not the MAC addresses of the workstations (expected, as effectively the firewall is acting as a NAT box).

I assumed that the authentication was between the browser and the firebox, but it appears that the authentication is against the MAC address (in this case the public side of the NAT)

Can anyone confirm this?

If this is the case, it makes the X20e absolutely useless for anyone who has a common NIC to push Internet traffic through (e.g. Small Business Server with internal and external NICs).

Disappointing :(

SF
Question by: sheepfarmer

5 Comments

Author Comment

by:sheepfarmer
ID: 20389224
Or indeed it could be authenticating against the IP address of the public side of the NAT

Accepted Solution

by: dpk_wal (earned 500 total points)
ID: 20398040
You are right, WG does authentication based on IP address, so in your case the moment one user authenticates, anyone would be allowed access to the internet.

You should not use a NAT device behind WG; it is not recommended.

Please let me know if you need more details.

Thank you.
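The IP-keyed behaviour described in the question and confirmed in the accepted answer, modelled as an added example (my own code, not WatchGuard's or the poster's): a firewall that remembers authenticated source addresses, run once with the hosts directly in front of it and once behind a source-NAT. Host, user and address values are constructed.

```python
"""Constructed model (not WatchGuard code) of why per-source-IP
authentication breaks behind a NAT: two inside hosts, an optional
source-NAT, and a firewall keyed only on the source IP it sees."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src_ip: str
    dst: str
    user: Optional[str] = None  # credentials, present only on a login attempt


class Nat:
    """Source-NAT: every inside host leaves with the same public address."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip

    def forward(self, pkt: Packet) -> Packet:
        return Packet(self.public_ip, pkt.dst, pkt.user)


class IpKeyedFirewall:
    """Authentication state keyed on source IP alone, as described in the thread."""
    def __init__(self) -> None:
        self.authenticated: Set[str] = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.user is not None:  # a login: remember the address it came from
            self.authenticated.add(pkt.src_ip)
            return "login-ok"
        return "allow" if pkt.src_ip in self.authenticated else "redirect-to-login"


def run_scenario(nat: Optional[Nat]) -> Tuple[str, List[str]]:
    """Host A logs in, then host B browses without logging in; return the
    firewall's decision for B and the IPs it now treats as authenticated.
    Addresses are constructed (RFC 1918 inside, RFC 5737 public)."""
    fw = IpKeyedFirewall()
    host_a = Packet("192.168.1.10", "www.example.com", user="alice")
    host_b = Packet("192.168.1.11", "www.example.com")
    path = nat.forward if nat is not None else (lambda p: p)
    fw.handle(path(host_a))
    return fw.handle(path(host_b)), sorted(fw.authenticated)


if __name__ == "__main__":
    print("direct:    ", run_scenario(None))       # ('redirect-to-login', ['192.168.1.10'])
    print("behind NAT:", run_scenario(Nat("203.0.113.5")))  # ('allow', ['203.0.113.5'])
```

With the NAT in the path the firewall's table holds only the NAT's public address, which is exactly the single entry and missing workstation MACs the question reports.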

Author Comment

by:sheepfarmer
ID: 20399370
As a matter of interest I talked to Watchguard today. Apparently the Edge product range is a few versions behind the larger Fireboxes, but the good news is that the next release of firmware (this month) for the X20e/Edge is very likely to have a more flexible authentication method which should allow authentication from the other side of the NAT.

I'll leave this question open so I can post the outcome in a couple of weeks (apparently).

SF

Expert Comment

by:dpk_wal
ID: 20399826
Thank you for the update; I'll be waiting for your next update! :)

Author Comment

by:sheepfarmer
ID: 20537138
Watchguard has confirmed they have no immediate plans to change the authentication method for the X20e :(

Shame. I shall have to look for another safe surf appliance.

SF