?
Solved

Watchguard Firebox Edge authentication from behind a NAT

Posted on 2007-12-01
5
Medium Priority
?
603 Views
Last Modified: 2013-11-16
I hope I'm wrong below, but I don't think so.

I have been evaluating a Watchguard Edge X20e and was all looking good from a web blocking perspective.  Setup some accounts and yes, the blocking works.

I then placed the X20e in our DMZ between our firewall and the ADSL connection and an odd thing happened.

I went through the X20e, authenticated and yes, blocking works.
However, I then when to another machine, went browsing and it went right through without authentication.  I looked at the authenticated users on the X20e and there was only one (from the first machine).  The ARP table on the X20e only shows the MAC access of our firewall and not the MAC address of the workstations (expected as effectively the firewall is acting as a NAT box)

I assumed that the authentication was between the browser and the firebox, but it appears that the authentication is against the MAC address (in this case the public side of the NAT)

Can anyone confirm this?

If this is the case, it makes the X20e absolutely useless for anyone who has a common NIC to push Internet traffic through (e.g. Small Business Server with internal and external nics).

Disappointing :(

SF
0
Comment
Question by:sheepfarmer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 

Author Comment

by:sheepfarmer
ID: 20389224
Or indeed it could be authenticating against the IP address of the public side of the NAT
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 20398040
You are right, WG does authentication based on IP address so in your case moment one user authenticates; anyone would be allowed access to internet.

You should not use a NAT device behind WG; it is not recommended.

Please let me know if you need more detals.

Thank you.
0
 

Author Comment

by:sheepfarmer
ID: 20399370
As a matter of interest I talked to Watchguard today. Apparantely the Edge product range is a few versions behind the larger Fireboxes but the good news is that the next release of firmware (this month) for the X20e/Edge is very likely to have a more flexible authentication method which should allow authentication from the other side of the NAT.  

I'll leave this question open so I can post the outcome in a couple of weeks (apparently).

SF
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20399826
Thank you for the update; I'll waiting for your next update! :)
0
 

Author Comment

by:sheepfarmer
ID: 20537138
Watchguard has confirmed they have no immediate plans to change the authentiation method for the X20e :(

Shame.  I'll shall have to look for another safe surf appliance.

SF
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question