Watchguard Firebox Edge authentication from behind a NAT
Posted on 2007-12-01
I hope I'm wrong below, but I don't think so.
I have been evaluating a Watchguard Edge X20e and all was looking good from a web blocking perspective. Set up some accounts and yes, the blocking works.
I then placed the X20e in our DMZ between our firewall and the ADSL connection and an odd thing happened.
I went through the X20e, authenticated and yes, blocking works.
However, I then went to another machine, went browsing and it went right through without authentication. I looked at the authenticated users on the X20e and there was only one (from the first machine). The ARP table on the X20e only shows the MAC address of our firewall and not the MAC addresses of the workstations (expected, as effectively the firewall is acting as a NAT box).
I assumed that the authentication was between the browser and the firebox, but it appears that the authentication is against the MAC address (in this case the public side of the NAT)
Can anyone confirm this?
If this is the case, it makes the X20e absolutely useless for anyone who has a common NIC to push Internet traffic through (e.g. Small Business Server with internal and external NICs).
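The behaviour described in the post, modelled as an added example (not the poster's code and not anything from Watchguard; the Firebox's real internals are unknown here). It assumes the poster's hypothesis: the gateway keys its "authenticated users" list by the source MAC/IP it observes. Two workstations behind a NAT box then collapse to one source address, so the second one rides on the first one's session. For contrast, the same scenario is run against a gateway that keys sessions by a per-browser cookie instead. The `Nat`, `AddressKeyedGateway`, `CookieKeyedGateway` classes, the `run_scenario` function, the user list and the MAC/IP values are all constructed for the illustration.

```python
"""Why address-keyed gateway authentication fails behind a NAT box.

Added illustration only: the Watchguard X20e itself is not modelled, only the
hypothesis that it binds authenticated sessions to the observed source MAC.
"""
from dataclasses import dataclass, replace
from hmac import compare_digest
from typing import Dict, Optional
import secrets

# Constructed credentials for the illustration.
USERS = {"alice": "s3cret", "bob": "hunter2"}


@dataclass(frozen=True)
class Request:
    src_mac: str                   # what the gateway sees in its ARP table
    src_ip: str
    url: str
    cookie: Optional[str] = None   # hypothetical session cookie (cookie-keyed design only)


class Nat:
    """Rewrites every outbound request to carry the NAT box's own MAC and IP."""

    def __init__(self, public_mac: str, public_ip: str) -> None:
        self.public_mac, self.public_ip = public_mac, public_ip

    def forward(self, req: Request) -> Request:
        return replace(req, src_mac=self.public_mac, src_ip=self.public_ip)


class AddressKeyedGateway:
    """Authentication state is bound to the source MAC the gateway observes."""

    def __init__(self) -> None:
        self.authenticated: Dict[str, str] = {}   # src_mac -> user

    def login(self, req: Request, user: str, password: str) -> bool:
        if user in USERS and compare_digest(USERS[user], password):
            self.authenticated[req.src_mac] = user
            return True
        return False

    def allow(self, req: Request) -> bool:
        return req.src_mac in self.authenticated


class CookieKeyedGateway:
    """Authentication state is bound to a random token the browser must present."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}        # cookie -> user

    def login(self, req: Request, user: str, password: str) -> Optional[str]:
        if user in USERS and compare_digest(USERS[user], password):
            token = secrets.token_urlsafe(16)
            self.sessions[token] = user
            return token
        return None

    def allow(self, req: Request) -> bool:
        return req.cookie is not None and req.cookie in self.sessions


def run_scenario() -> Dict[str, object]:
    # Constructed workstation and firewall addresses.
    ws1 = Request("00:11:22:33:44:01", "192.168.1.10", "http://example.com/")
    ws2 = Request("00:11:22:33:44:02", "192.168.1.11", "http://example.com/")
    nat = Nat("00:aa:bb:cc:dd:ee", "203.0.113.5")

    # 1. Address-keyed gateway with the workstations directly on its LAN:
    #    the second workstation is still blocked until it authenticates.
    direct = AddressKeyedGateway()
    direct.login(ws1, "alice", "s3cret")
    direct_ws2_allowed = direct.allow(ws2)

    # 2. Same gateway behind the NAT box: both workstations arrive with the
    #    firewall's MAC, so the second one is allowed through unauthenticated
    #    and the gateway's user list shows a single entry.
    behind_nat = AddressKeyedGateway()
    behind_nat.login(nat.forward(ws1), "alice", "s3cret")
    nat_ws2_allowed = behind_nat.allow(nat.forward(ws2))

    # 3. Cookie-keyed gateway behind the same NAT box: the second browser
    #    holds no token, so it is blocked even though the source MAC matches.
    cookie_gw = CookieKeyedGateway()
    token = cookie_gw.login(nat.forward(ws1), "alice", "s3cret")
    cookie_ws1_allowed = cookie_gw.allow(nat.forward(replace(ws1, cookie=token)))
    cookie_ws2_allowed = cookie_gw.allow(nat.forward(ws2))

    return {
        "direct_ws2_allowed": direct_ws2_allowed,
        "nat_ws2_allowed": nat_ws2_allowed,
        "nat_authenticated_count": len(behind_nat.authenticated),
        "nat_seen_macs": sorted(behind_nat.authenticated),
        "cookie_ws1_allowed": cookie_ws1_allowed,
        "cookie_ws2_allowed": cookie_ws2_allowed,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it and the second scenario reproduces the symptom in the post: one entry in the authenticated list, keyed by the firewall's MAC, and the second workstation passing unchallenged. Whether the real X20e behaves this way is exactly the question the post asks; the model only shows that any address-keyed design must, once a NAT box sits in front of it.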