?
Solved

Watchguard Firebox Edge authentication from behind a NAT

Posted on 2007-12-01
5
Medium Priority
?
610 Views
Last Modified: 2013-11-16
I hope I'm wrong below, but I don't think so.

I have been evaluating a Watchguard Edge X20e and was all looking good from a web blocking perspective.  Setup some accounts and yes, the blocking works.

I then placed the X20e in our DMZ between our firewall and the ADSL connection and an odd thing happened.

I went through the X20e, authenticated and yes, blocking works.
However, I then when to another machine, went browsing and it went right through without authentication.  I looked at the authenticated users on the X20e and there was only one (from the first machine).  The ARP table on the X20e only shows the MAC access of our firewall and not the MAC address of the workstations (expected as effectively the firewall is acting as a NAT box)

I assumed that the authentication was between the browser and the firebox, but it appears that the authentication is against the MAC address (in this case the public side of the NAT)

Can anyone confirm this?

If this is the case, it makes the X20e absolutely useless for anyone who has a common NIC to push Internet traffic through (e.g. Small Business Server with internal and external nics).

Disappointing :(

SF
0
Comment
Question by:sheepfarmer
  • 3
  • 2
5 Comments
 

Author Comment

by:sheepfarmer
ID: 20389224
Or indeed it could be authenticating against the IP address of the public side of the NAT
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 20398040
You are right, WG does authentication based on IP address so in your case moment one user authenticates; anyone would be allowed access to internet.

You should not use a NAT device behind WG; it is not recommended.

Please let me know if you need more detals.

Thank you.
0
 

Author Comment

by:sheepfarmer
ID: 20399370
As a matter of interest I talked to Watchguard today. Apparantely the Edge product range is a few versions behind the larger Fireboxes but the good news is that the next release of firmware (this month) for the X20e/Edge is very likely to have a more flexible authentication method which should allow authentication from the other side of the NAT.  

I'll leave this question open so I can post the outcome in a couple of weeks (apparently).

SF
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20399826
Thank you for the update; I'll waiting for your next update! :)
0
 

Author Comment

by:sheepfarmer
ID: 20537138
Watchguard has confirmed they have no immediate plans to change the authentiation method for the X20e :(

Shame.  I'll shall have to look for another safe surf appliance.

SF
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month16 days, 15 hours left to enroll

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question