Watchguard X10e - there are no Auto-Block threshold settings

swb_mct
I have a Watchguard X10e Edge XP2e6. The firmware version is 8.6.1 (Sept 19, 2007).

The optional Auto-Block feature on this firewall puts an external host on the "hostile sites list" if the external host attempts a connection where there is no policy to handle the connection.  There is no configurable threshold level available, so if an outside computer sends any SINGLE non-compliant packet to the firewall the host is put on the "hostile sites list" for the configured amount of time.

The problem is, it appears that occasional non-compliant traffic from all friendly remote hosts is normal, so they get blocked when you don't want them blocked.

Examples: Our small business allows a few remote users to use pop3s (995) and smtp-submit (587) to use the Exchange server. They use Outlook on Windows XP and Vista, and their systems check for mail automatically every 15 minutes all day. Nothing else is configured on their systems addressing our network address.

Almost every day, these users get blocked because their computer sends some non-compliant packet to our firewall.

We also use Postini to filter inbound email. We have an smtp packet filter policy to accept TCP port 25 from the Postini address block. Every few days, the firewall will put Postini on the Hostile Sites list.

Since occasional non-compliant traffic seems to come from all hosts as a by-product of compliant connection attempts, it makes the Auto-Block feature unusable . . . unless Watchguard has fixed it in a later version, with some tolerances or thresholds to avoid blocking friendly hosts. (Since these friendly remote hosts are on dynamic connections, I have temporarily put auto-block exemptions in for the entire address block their ISP uses in their region.)

Does anyone know if this feature has been improved since the firmware version that I have? It will cost me at least $200 to get this firewall updated with the latest firmware, and it is not worth it to me if things like this remain a problem.
Top Expert 2007
Commented:
There are no major improvements in newer versions.

Can I ask what the pressing need is to have this feature [I understand it is good to have and can help in keeping system CPU usage low in case of a DDoS attack]? Even if this feature is disabled and the sites are not blocked, you still get the firewall protection.

Please update.

Thank you.

Author

Commented:
We have several inbound port mappings to systems on the LAN . . . which is less than a perfect security arrangement because of potential security vulnerabilities in the exposed applications. Using Auto-Blocking will blacklist unwanted users from China, Romania and everywhere else who have been scanning our network looking for open ports. In theory, legitimate remote users with a single application targeting an open port on our firewall should not be blocked. In practice, however, it looks like our users are blocked because of TCP RST/ACK communication from the remote host that triggers the block.

I have never seen a firewall that does not have threshold settings before blocking a host. I perform security tests against bank firewalls as my job. The ones that have some sort of auto-blocking enabled are more secure if they have inbound services configured.

I suppose there is no solution to this issue with this firewall, as long as the IP addresses of my external users are variable.
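The tolerance the thread is asking for, written out as an added example (not code from the thread or from WatchGuard): a threshold-and-window auto-block decision over a constructed list of denied-packet events that ignores the lone RST/ACK stragglers described above, so a mail client's stray packet never lands a host on the hostile list while a port scanner still does. The event format, THRESHOLD and WINDOW values are assumptions for the example.

```python
# Added example, not the X10e firmware's logic. Each event is a packet the
# firewall dropped because no policy matched: (timestamp_seconds, source_ip,
# destination_port, tcp_flags). A host is listed only when it produces
# THRESHOLD or more counted denies within WINDOW seconds.
from collections import defaultdict

THRESHOLD = 5     # assumed: counted denies before a host is listed
WINDOW = 60.0     # assumed: seconds over which denies are counted


def should_block(events, threshold=THRESHOLD, window=WINDOW):
    """Return the set of source IPs that exceed the deny threshold."""
    per_host = defaultdict(list)
    for ts, src, dport, flags in events:
        # A RST/ACK with no SYN is the tail of an already-closed session,
        # the straggler the thread describes; it is not counted at all.
        if "R" in flags and "S" not in flags:
            continue
        per_host[src].append((ts, dport))

    blocked = set()
    for src, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Sliding window anchored at each counted deny.
            in_window = [p for t, p in hits[i:] if t - t0 <= window]
            if len(in_window) >= threshold:
                blocked.add(src)
                break
    return blocked


# Constructed sample: a remote Outlook user whose client leaks a RST/ACK
# after each mail check (the thread's symptom), plus a scanner walking ports.
SAMPLE_EVENTS = [
    (0.0,   "198.51.100.7", 995, "RA"),   # straggler after pop3s session
    (900.0, "198.51.100.7", 587, "RA"),   # straggler after submission session
    (10.0,  "203.0.113.9",  21,  "S"),    # scanner: five SYNs in 5 seconds
    (11.0,  "203.0.113.9",  22,  "S"),
    (12.0,  "203.0.113.9",  23,  "S"),
    (13.0,  "203.0.113.9",  80,  "S"),
    (14.0,  "203.0.113.9",  443, "S"),
]

if __name__ == "__main__":
    print(sorted(should_block(SAMPLE_EVENTS)))   # ['203.0.113.9']
```

With the threshold lowered to 1 the mail client's host is still exempt, because the RST/ACK exclusion is applied before counting.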
Top Expert 2007

Commented:
Unfortunately, on this box there is a limited set of things which we can do; had it been X Core or Peak we would have had the option to configure an incoming service enabled and allowed based on authentication, wherein users would first authenticate to a Java applet and then would gain access to a specific service.

If the information is business critical you can configure VPN for the end users; this way it would be secure and you would not need to open specific ports to systems on the LAN.

Thank you.
