ecsfederal
how to use the optional port on the firebox x700

We purchased a firebox x700 to replace our firebox III. We are also in the process of changing ISP providers, so I thought now would be a good time to switch out the fireboxes. I saved the config file from the III, changed the public IP address to the new public IP address and flashed the config file to the x700. The firebox III had a DMZ set up using public IP addresses, but I guess the x700 does not like that type of configuration, so I used 192.168.1.x for the optional port, which works with the servers being 192.168.2.x. But when I tried to change over to the new ISP last night, I could not get the servers on the DMZ to communicate with the servers on the trusted side, and the reverse way. We have a time collection server located on the DMZ which communicates back to its database located on a server on the trusted side. It would not allow me to log in, but I was able to get the logon page to display. Also I could not log into OWA, which is located on the DMZ. I was able to ping each from the other. I have contacted WatchGuard but they have not called me back. I guess I could move these servers to the trusted side, but it seems to defeat the purpose of the DMZ zone.
Any help would be greatly appreciated.
dpk_wal

>> I could not get the servers on the dmz to communicate with the servers on the trusted side and the reserve way

By default the traffic between the optional and trusted ports is blocked. Trusted machines can send traffic to machines on optional, but any traffic originating from optional destined for trusted would be blocked.
Please define a policy which allows the traffic from optional to trusted.

You can define custom, specific services, or you can open the ANY service and then later tone it down [caution: ANY opens communication on all ports and protocols].

Please let me know if you need details.

Thank you.
ecsfederal

ASKER

I did create a policy using Any. I have it set up to enable and allow from optional to trusted for incoming, and for outgoing I allow from trusted to optional. Did I set this up incorrectly? Because it still did not help.

Thanks for your help
Leslie
Please enable logging on the service and then observe the traffic monitor while trying to communicate between the machines on the optional and trusted networks; if it shows as allowed, then the FB is passing the traffic.

Please post a few logs from the traffic monitor while you are attempting traffic between the interfaces; it would make it clear what is happening.
Also, I would like to know if the machines on optional and trusted have the respective interface as their default gateway.

I had a question, in your original post you have mentioned:
>> i used 192.168.1.x for the optional port which works with the servers being 192.168.2.x
I think this is a typo, or have I assumed incorrectly? If it is correct, I would like to know how the machines on the 192.168.2.x/24 network would communicate with the optional port, which is on the 192.168.1.x/24 network.

Please update.

Thank you.
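The two points dpk_wal raises above (optional-to-trusted traffic is denied unless a policy allows it, and a host on 192.168.2.x cannot sit behind an optional interface addressed 192.168.1.1/24) can be checked mechanically. The following is an added example written for this thread, not WatchGuard code or any WSM configuration syntax: a small model of a two-interface firewall that flags hosts whose address or default gateway does not match their interface, evaluates traffic against the default rules and any explicit policies, and returns a traffic-monitor-style log line for each decision. The host addresses, the "timeclock" and "db" names, and the database port 1433 are constructed placeholders, and the default-allow for trusted-to-optional is taken from the reply above, not from vendor documentation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of a firewall with a trusted and an optional (DMZ) interface.
# Illustrates the thread's points; it is not WatchGuard code or config syntax.


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    address: ipaddress.IPv4Address   # the interface IP, i.e. the hosts' expected gateway


@dataclass
class Host:
    name: str
    ip: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address


@dataclass
class Policy:
    name: str
    src_iface: str
    dst_iface: str
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # None means every port (the "ANY"-style policy)


@dataclass
class Firewall:
    interfaces: dict
    policies: list = field(default_factory=list)

    def iface_for(self, ip):
        """Which interface subnet an address belongs to (None if no interface covers it)."""
        for iface in self.interfaces.values():
            if ip in iface.network:
                return iface
        return None

    def check_host(self, host):
        """Return addressing problems for a host; an empty list means it fits its interface."""
        problems = []
        iface = self.iface_for(host.ip)
        if iface is None:
            problems.append(f"{host.name}: {host.ip} is not in any interface subnet")
            return problems
        if host.gateway != iface.address:
            problems.append(f"{host.name}: gateway {host.gateway} is not the "
                            f"{iface.name} interface {iface.address}")
        return problems

    def evaluate(self, src, dst, proto, port=None):
        """Return (verdict, log_line). Explicit policies are checked first; otherwise the
        defaults described in the thread apply: trusted->optional allowed, everything
        else between the two interfaces denied."""
        s, d = self.iface_for(src.ip), self.iface_for(dst.ip)
        svc = f"{proto}/{port if port is not None else '*'}"
        if s is None or d is None:
            return "deny", f"Deny {src.ip}->{dst.ip} {svc}: host outside all interface subnets"
        for p in self.policies:
            if (p.src_iface, p.dst_iface) != (s.name, d.name):
                continue
            if p.proto not in ("any", proto):
                continue
            if p.port is not None and p.port != port:
                continue
            return "allow", f"Allow {s.name}->{d.name} {src.ip}->{dst.ip} {svc} policy={p.name}"
        if (s.name, d.name) == ("trusted", "optional"):
            return "allow", f"Allow trusted->optional {src.ip}->{dst.ip} {svc} policy=default"
        return "deny", f"Deny {s.name}->{d.name} {src.ip}->{dst.ip} {svc} policy=default"


def build_scenario():
    """Constructed scenario mirroring the thread: trusted 10.0.2.1/24, optional 192.168.1.1/24."""
    fw = Firewall(interfaces={
        "trusted": Interface("trusted", ipaddress.ip_network("10.0.2.0/24"),
                             ipaddress.ip_address("10.0.2.1")),
        "optional": Interface("optional", ipaddress.ip_network("192.168.1.0/24"),
                              ipaddress.ip_address("192.168.1.1")),
    })
    db = Host("db", ipaddress.ip_address("10.0.2.20"), ipaddress.ip_address("10.0.2.1"))
    timeclock = Host("timeclock", ipaddress.ip_address("192.168.1.10"),
                     ipaddress.ip_address("192.168.1.1"))
    # The "192.168.2.x behind a 192.168.1.1/24 interface" case from the original post.
    mistyped = Host("mistyped", ipaddress.ip_address("192.168.2.10"),
                    ipaddress.ip_address("192.168.1.1"))
    return fw, db, timeclock, mistyped


if __name__ == "__main__":
    fw, db, timeclock, mistyped = build_scenario()
    print(fw.check_host(mistyped))                       # flagged: wrong subnet
    print(fw.evaluate(timeclock, db, "tcp", 1433)[1])    # denied by default
    fw.policies.append(Policy("timeclock-db", "optional", "trusted", "tcp", 1433))
    print(fw.evaluate(timeclock, db, "tcp", 1433)[1])    # allowed by the narrow policy
    print(fw.evaluate(timeclock, db, "tcp", 445)[1])     # still denied: not in the policy
```

Running the scenario shows why the narrow policy is preferable to the ANY service the reply warns about: with `Policy("any-to-trusted", "optional", "trusted", "any", None)` appended instead, every port from the DMZ to the trusted network is allowed, and the log line's `policy=` field is what to look for in the traffic monitor when deciding whether the firewall or something else (a host gateway, a device in front of the firewall) is dropping the traffic.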
Because I had to get something working, I had to roll back to the original firebox and take the new one offline. I could see the traffic in the logs between the two ports and all was green, but when I tried to enter my ID and password into the logon screen I would get "page could not be displayed" errors. I am hoping to bring the new firebox online this evening to try again.

I have set up the optional interface as 192.168.1.1/24. The servers are within that range and use 192.168.1.1 as the gateway. Yes, it was a typo. We are using 192.168.1.1/24 on the optional side.
On the trusted side, we have the trusted interface set up as 10.0.2.1 and the servers using this as their gateway.

Thanks for your help
Can you connect two computers to test, if it is not possible to put the FB into the network? In the policy, can you change from trusted to any-trusted and from optional to any-optional instead, and check if this makes any difference.

If the traffic monitor shows allow, then things are good; also, have you checked if any personal firewall is blocking anything?

I would also like to know if you have Fireware or just WSM on the new unit.

Please update.

Thank you.
I should be able to hook up two computers, but how would I test if they are truly talking to each other? I was able to ping from all directions.

I will change the policy and see if it helps tonight.
We did not have any personal firewalls running. I tested on 3 computers here in the network and 3 different computers on the Net, and we could not log in to those DMZ servers.

We are using WSM.

thanks
Leslie
ASKER CERTIFIED SOLUTION
dpk_wal
I had to remove a smart switch that was in front of the firebox. Once I removed the switch, things worked fine.
Thanks for your help
You are welcome, thank you for the update.