Watchguard Firebox Edge authentication from behind a NAT

I hope I'm wrong below, but I don't think so.

I have been evaluating a Watchguard Edge X20e and was all looking good from a web blocking perspective.  Setup some accounts and yes, the blocking works.

I then placed the X20e in our DMZ between our firewall and the ADSL connection and an odd thing happened.

I went through the X20e, authenticated and yes, blocking works.
However, I then when to another machine, went browsing and it went right through without authentication.  I looked at the authenticated users on the X20e and there was only one (from the first machine).  The ARP table on the X20e only shows the MAC access of our firewall and not the MAC address of the workstations (expected as effectively the firewall is acting as a NAT box)

I assumed that the authentication was between the browser and the firebox, but it appears that the authentication is against the MAC address (in this case the public side of the NAT)

Can anyone confirm this?

If this is the case, it makes the X20e absolutely useless for anyone who has a common NIC to push Internet traffic through (e.g. Small Business Server with internal and external nics).

Disappointing :(

Who is Participating?
dpk_walConnect With a Mentor Commented:
You are right, WG does authentication based on IP address so in your case moment one user authenticates; anyone would be allowed access to internet.

You should not use a NAT device behind WG; it is not recommended.

Please let me know if you need more detals.

Thank you.
sheepfarmerAuthor Commented:
Or indeed it could be authenticating against the IP address of the public side of the NAT
sheepfarmerAuthor Commented:
As a matter of interest I talked to Watchguard today. Apparantely the Edge product range is a few versions behind the larger Fireboxes but the good news is that the next release of firmware (this month) for the X20e/Edge is very likely to have a more flexible authentication method which should allow authentication from the other side of the NAT.  

I'll leave this question open so I can post the outcome in a couple of weeks (apparently).

Thank you for the update; I'll waiting for your next update! :)
sheepfarmerAuthor Commented:
Watchguard has confirmed they have no immediate plans to change the authentiation method for the X20e :(

Shame.  I'll shall have to look for another safe surf appliance.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.