We help IT Professionals succeed at work.

how to use the optional port on the firebox x700

ecsfederal
ecsfederal asked
on
1,764 Views
Last Modified: 2013-11-16
We purchased a firebox x700 to replace our firebox III. We are also in the process of changing isp providers so i thought now would be a good time to switch out the fireboxes. I saved the config file from the III and changed the public ip address to the new public ip address and flashed the config file to the x700. The firebox III had a dmz setup using public ip address but i guess the x700 does not like that type of configuration so i used 192.168.1.x for the optional port which works with the servers being 192.168.2.x. But when i tried to change over to the new ISP last night, I could not get the servers on the dmz to communicate with the servers on the trusted side and the reserve way. We have a time collection server located on the dmz which communicates back to its database located on a server on the trusted side. It would not allow me to login but i was able to get the logon page to display. Also i could not log into OWA which is located on the dmz. I was able to ping each other from the other. I have contacted watchguard but they have not called me back. I guess I could move these server to the trusted side but it seems to defeat the purpose of the dmz zone.
Any help would be greatly appeciated
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2007

Commented:
>> I could not get the servers on the dmz to communicate with the servers on the trusted side and the reserve way

By default the traffic between optional and trusted port is blocked. Trusted machines can send traffic to machines on optional but any traffic originating from optional destined for trusted would be blocked.
Please define a policy which would allows the traffic from optional to trusted.

You can defined custom made specific services or can open ANY service and then later tone it down [caution: ANY opens communication on all ports and protocols]

Please let know if you need details.

Thank you.

Author

Commented:
I did create a policy using any. I have it setup to enable and allow from optional to trusted for incoming and for outgoing I allow from trusted to optional. Did I set this up incorrect because it still did not help.

thanks for you help
Leslie
CERTIFIED EXPERT
Top Expert 2007

Commented:
Please enable logging on the service and then observe traffic monitor while trying to communicate between the machines on the optional and trusted network; if you get enable then the FB is passing the traffic.

Please post few logs from traffic when you are attempting traffic between the interfaces; it would make clear as to what is happening.
Also, I would like to know if the machines on optional and trusted have the respective interface as their default gateway.

I had a question, in your original post you have mentioned:
>> i used 192.168.1.x for the optional port which works with the servers being 192.168.2.x
I think this is a typo or have I assumed incorrectly; if it is correct I would like to know how would the machines on 192.168.2.x/24 network communicate with optinal port which is on 192.168.1.x/24 network.

Please update.

Thank you.

Author

Commented:
Because I had to get something working; I had to roll back to the original firebox and took the new one offline. I could see the traffic in the logs between the two ports and all was green but when i tried to enter my id and pw into the logon screen I would get page could not be display errors.  I am hoping to bring the new firebox online this evening to try again.

i have setup the optional interface as 192.168.1.1/24. the servers are within that range and use 192.168.1.1 as the gateway. Yes it was a typo. We are using 192.168.1.1/24 on the optional side.
On the trusted side, we have the  trusted interface setup as 10.0.2.1 and the servers using this as it gateway.

thanks for your help
CERTIFIED EXPERT
Top Expert 2007

Commented:
Can you connect two computers to test if not possible to throw the FB into network; In the policy can you change from trust to any-trusted and optional to any-optional instead and check if this makes any difference.


If the traffic monitor shows allow then the things are good; also, have you checked if any personal firewall is blocking anything.


I would also like to know if you have fireware or just WSM on the new unit.

Please update.

Thank you.

Author

Commented:
i should be able to hook up two computers but how would I test if they are truly talking to each other. I was able to ping from all direction.

I will change the policy and see if it helps tonight.
We did not have any personal firewalls running. I tested on 3 computers here in the network and 3 differnet computers on the Net and we could not log in to those dmz servers.

we are using WSM

thanks
Leslie
CERTIFIED EXPERT
Top Expert 2007
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
I had to remove a smart switch that was in front of the firebox. Once I remove the switch things worked fine

Author

Commented:
thanks for your help
CERTIFIED EXPERT
Top Expert 2007

Commented:
You are welcome, thank you for the update.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.