How do I open ports on a Firebox x700

Posted on 2010-09-03
2,063 Views
Last Modified: 2012-05-10
I have a watchguard firebox x700 that I need to open ports on. I have setup rules to that effect but when I use a port viewer it does show the port as available from the web. We no longer have support from Watchguard as the device is about 5 years old. Any help would be appreciated.
Question by:jbcbussoft
19 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33603855
>> when I use a port viewer it does show the port as available from the web

Do you mean it does NOT show the port as available?

Can you please post sanitized screenshot, after ensuring that the steps you have taken are as below:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/open%20ports/related/1

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33622143
Sorry I have been busy today. Here are screen shots that show the enabled and allowed 'rule'. You can see ports 1600 and 37260-37270 are open. MXToolBox only sees 1433 as open. Any ideas?
ss1.JPG
ss.JPG
 
LVL 32

Accepted Solution

by:
dpk_wal earned 1600 total points
ID: 33623748
For ports 37260-37270 the Client Port is "Client"; set this to "ignore" and this would work. You would need to delete the existing service, make modification to template and then add the service again.

As you are using version 7.x, for what client port means please read below [detailed in step 6]:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/client%20port

Please implement and update.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33624082
Will do tomorrow am.
 

Author Comment

by:jbcbussoft
ID: 33629169
I removed the service and recreated it. The ports to be used are 80, 1600 and 37260-37263. I added a TCP and a UDP line for each, and all were set to ignore. I was told a port forward had to be set up. I read that static NAT is the same as a port forward, so I set up an external-to-internal NAT on the service. Their (DVR company) support said to check for open ports using Canyouseeme.org. The only port it shows open is 1433. I tried MXToolBox.com and got similar results. What now?
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 1600 total points
ID: 33633439
I think I know why you are not seeing all ports open.

In the service you have created, as per the old screenshots, you have put in the To field: 204.16.x.y and 208.101.x.y; and when I did an nslookup on Canyouseeme.org I got its public IP as: 204.16.252.109

So, if you modify the service DVR1 and add the IP of Canyouseeme.org in the DVR1 To field, for testing purposes only, and then check again, you should see that the ports are open.

If you still do not see the ports as open, then please do the following:

 1. Enable logging on the policy for all traffic [allowed/denied].
 2. Now from the external network do a port scan as you are already doing; you should see traffic on System Manager->Traffic Monitor, and also allow/deny entries from the specific host [Canyouseeme.org] IP to your Firebox external IP [as used in the service] on different ports.
 3. If you see allow then the port is open for sure; if you see deny, please post the sanitized log here so we know where the problem is.
 4. If you do not see any log entries for some port, for example 37260-37263, then please check with your ISP if they are blocking traffic on those specific ports.

Please check and update.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33645671
Sorry about the slow response, but I was swapping over a SQL server yesterday. I changed the IP addresses to 'any' and was able to 'see' 80 and 1600. 37260 and up weren't available. This appears to be what I need to begin to help figure out what is going on. I will post more today.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33659093
No problem; please post updates as this would help with further troubleshooting.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33686675
Sorry about that I got side tracked. I will post the results later this evening.
 
LVL 4

Assisted Solution

by:LBACIS
LBACIS earned 400 total points
ID: 33691625
Your From should be ANY if it is public, or are you trying to actually lock it down to only those 2 IP addresses? The NAT takes care of passing the traffic from the public IP address to the private one, but you then have to tell the Firebox who is allowed through on the From.
 

Author Comment

by:jbcbussoft
ID: 33692899
The service was changed to any. This log file shows canyouseeme.org is being allowed. At least that is what I see. The only port that Canyouseeme.org shows as open is 80.
Log.txt
Port-check.txt
 
LVL 4

Expert Comment

by:LBACIS
ID: 33693855
Would you be willing to post your XML config file here (of course without sensitive info where possible)?

I would look at it and let you know why; if it is allowing the traffic now, it sounds like a routing issue.
 

Author Comment

by:jbcbussoft
ID: 33695715
Ok, excuse my ignorance. What are my XML config files? I have the configuration files with a .cfg extension. Are these the XML files?
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 1600 total points
ID: 33698054
In the latest logs you have posted, the firewall is allowing traffic [so I would rule out the firewall at this point].

Is your server actually listening on these ports, viz., TCP 1600, 37260, 37263?

If your server is only listening on port 80 and not on the other ports, I think you would get that result from canyouseeme.

To check if the server is actually listening on these ports, use the command below [on Windows]:
netstat -np tcp

You should see all the ports listed.

Something like this [we are interested in the Local Address port]:
C:\Documents and Settings\dpk_wal>netstat -np tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1056         127.0.0.1:2002         ESTABLISHED
  TCP    127.0.0.1:1239         127.0.0.1:1240         ESTABLISHED
  TCP    127.0.0.1:1240         127.0.0.1:1239         ESTABLISHED
  TCP    127.0.0.1:1243         127.0.0.1:1244         ESTABLISHED
  TCP    127.0.0.1:1244         127.0.0.1:1243         ESTABLISHED
  TCP    127.0.0.1:2002         127.0.0.1:1056         ESTABLISHED
  TCP    127.0.0.1:5152         127.0.0.1:1504         CLOSE_WAIT
  TCP    192.168.1.100:2018     x.x.x.x:443     ESTABLISHED
  TCP    192.168.1.100:2106     x.x.x.x:443      TIME_WAIT
  TCP    192.168.1.100:2107     x.x.x.x:443      ESTABLISHED
  TCP    192.168.1.100:2869     x.x.x.x:1052       CLOSE_WAIT

Please check and update.

Thank you.
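As an added example (not from the thread and not WatchGuard's own tooling), the check asked for above can be automated: parse Windows netstat output and report which of the expected ports actually have a listener that forwarded traffic could reach. It assumes the output of "netstat -an -p tcp" (the -a flag is what makes LISTENING sockets appear); the sample output below is constructed.

```python
import re
from typing import Dict, Iterable, Set

# Ports the thread expects the DVR/server to answer on: 80, 1600 and 37260-37263.
EXPECTED_PORTS = {80, 1600, 37260, 37261, 37262, 37263}

# Constructed sample in the layout "netstat -an -p tcp" prints on Windows
# (-a is what makes LISTENING sockets appear); not real output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:37260        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1056         127.0.0.1:2002         ESTABLISHED
  TCP    192.168.1.100:1600     0.0.0.0:0              LISTENING
  TCP    192.168.1.100:2018     203.0.113.7:443        ESTABLISHED
"""

# One netstat row: proto, local addr:port, foreign addr:port, state.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+:\S+\s+(\w+)\s*$")

def listening_ports(netstat_output: str) -> Dict[int, Set[str]]:
    """Map each TCP port in LISTENING state to the local addresses it is bound on."""
    listeners: Dict[int, Set[str]] = {}
    for line in netstat_output.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(3) == "LISTENING":
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners

def _loopback_only(addrs: Set[str]) -> bool:
    return all(a.startswith("127.") or a == "::1" for a in addrs)

def check_expected(netstat_output: str, expected: Iterable[int]) -> Dict[str, Set[int]]:
    """Sort expected ports into reachable listeners, loopback-only listeners and missing ones."""
    listeners = listening_ports(netstat_output)
    result: Dict[str, Set[int]] = {"listening": set(), "loopback_only": set(), "missing": set()}
    for port in expected:
        if port not in listeners:
            result["missing"].add(port)
        elif _loopback_only(listeners[port]):
            # Bound to 127.0.0.1 only: traffic forwarded by the Firebox can never reach it.
            result["loopback_only"].add(port)
        else:
            result["listening"].add(port)
    return result
```

Feed the real netstat output to check_expected in place of SAMPLE_NETSTAT; a port in "missing" or "loopback_only" will report as closed on an external checker even when the firewall log shows the packet allowed.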
 

Author Comment

by:jbcbussoft
ID: 33698437
Netstat doesn't show the server listening on these ports, but the DVR isn't run through the server. It is connected directly to the Firebox. So wouldn't the problem then be with the DVR?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33698458
I am not sure about the DVR; but for canyouseeme to show ports as open there should be a socket listening, to which it would connect and report the port as open.
So, the Firebox is properly configured now; check with your remote site if they can connect; if not, then it has something to do with the DVR settings, which I would not be able to help with.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33701095
OK thanks!
 

Author Comment

by:jbcbussoft
ID: 33702973
Alright, here is the latest update. The DVR has been available most of the time. The problem was I was trying to view the website from within the LAN, and I should have been trying from outside the LAN. :)
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 1600 total points
ID: 33703303
Good, so the problem is non-existent now.