
How do I open ports on a Firebox x700

Posted on 2010-09-03
Last Modified: 2012-05-10
I have a Watchguard Firebox x700 that I need to open ports on. I have set up rules to that effect but when I use a port viewer it does show the port as available from the web. We no longer have support from Watchguard as the device is about 5 years old. Any help would be appreciated.
Question by:jbcbussoft
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33603855
>> when I use a port viewer it does show the port as available from the web

Do you mean it does NOT show the port as available?

Can you please post a sanitized screenshot, after ensuring that the steps you have taken are as below:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/open%20ports/related/1

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33622143
Sorry, I have been busy today. Here are screenshots that show the enabled and allowed 'rule'. You can see ports 1600 and 37260-37270 are open. MXToolBox only sees 1433 as open. Any ideas?
ss1.JPG
ss.JPG
 
LVL 32

Accepted Solution

by:
dpk_wal earned 400 total points
ID: 33623748
For ports 37260-37270 the Client Port is "Client"; set this to "ignore" and this would work. You would need to delete the existing service, make the modification to the template and then add the service again.

As you are using version 7.x, for what client port means please read below [detailed in step 6]:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/client%20port

Please implement and update.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33624082
Will do tomorrow am.
 

Author Comment

by:jbcbussoft
ID: 33629169
I removed the service and recreated it. The ports to be used are 80, 1600 and 37260-37263. I added a TCP and UDP line for each and all were set to ignore. I was told a port forward had to be set up. I read that static NAT is the same as a port forward, so I set up an external-to-internal NAT on the service. Their (DVR company) support said to check for open ports using Canyouseeme.org. The only port it shows open is 1433. I tried MXToolBox.com and got similar results. What now?
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 400 total points
ID: 33633439
I think I know why you are not seeing all ports open.

In the service you have created, as per the old screenshots, you have put in the To field: 204.16.x.y and 208.101.x.y; and when I did an nslookup on Canyouseeme.org I got the public IP as: 204.16.252.109

So, if you modify the service DVR1 and add the IP of Canyouseeme.org in the DVR1 To field for testing purposes only and then check again, you should see that the ports are open.

If you still do not see the ports as open, then please do the following:

 1. Enable logging on the policy for all traffic [allowed/denied].
 2. Now from the external network do a port scan as you are already doing; you should see traffic on System Manager->Traffic Monitor, and also allow/deny entries from the specific host [Canyouseeme.org] IP to your Firebox external IP [as used in the service] on different ports.
 3. If you see allow then the port is open for sure; if you see deny, please post the sanitized log here so we know where the problem is.
 4. If you do not see any log entries for some port, e.g. let's say 37260-37263, then please check with your ISP if they are blocking traffic on those specific ports.

Please check and update.

Thank you.
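The external port scan in step 2 above is easier to reason about when the scanner reports more than "open" or "not open": a refused connection (RST) means the packet got through the Firebox and reached a host with nothing listening, while silence until the timeout means something dropped it (the firewall policy, or the ISP as in step 4). The following is an added example written for this page, not code from the thread or from WatchGuard: a small TCP probe that makes that distinction, plus a helper that combines the probe result with what the Traffic Monitor showed. The target host `192.0.2.1` in the usage stub is a placeholder for the Firebox external IP. As the thread eventually concludes, a probe like this is only meaningful when run from outside the LAN.

```python
import socket
from typing import Dict, Iterable

# Ports from the thread (80, 1600, 37260-37263); the host is an assumed
# placeholder, replace it with the Firebox external IP before a real run.
EXAMPLE_HOST = "192.0.2.1"
DEFAULT_PORTS = (80, 1600, 37260, 37261, 37262, 37263)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a full TCP handshake to host:port and classify the outcome.

    'open'        : SYN-ACK came back, a listener exists behind the NAT
    'closed'      : RST came back, the host answered but nothing listens there
    'filtered'    : no reply before the timeout, typically a firewall or
                    ISP silently dropping the SYN
    'unreachable' : the local stack could not even route towards the host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:          # subclass of OSError, so it must come first
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def probe_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in `ports` and return {port: classification}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def interpret(probe_result: str, traffic_monitor: str) -> str:
    """Combine a probe result with the Traffic Monitor observation for the
    same source IP and port ('allow', 'deny' or 'none'), in the order the
    troubleshooting steps above check them."""
    if probe_result == "open":
        return "reachable end to end"
    if traffic_monitor == "deny":
        return "Firebox policy dropped it: fix the service / static NAT rule"
    if traffic_monitor == "none":
        return "packet never reached the Firebox: check for upstream (ISP) filtering"
    if probe_result == "closed":
        return "Firebox allowed it, but nothing listens on the internal host"
    return "Firebox allowed it, but no reply came back: check the NAT target and internal routing"


def demo() -> Dict[str, str]:
    """Offline self-check on loopback: one real listener and one port that
    was bound and released, so both 'open' and 'closed' are exercised
    without touching the Firebox."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listening_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()  # nothing listens on unused_port any more

    try:
        return {
            "listening": probe_tcp("127.0.0.1", listening_port, 1.0),
            "unused": probe_tcp("127.0.0.1", unused_port, 1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print("loopback self-check:", demo())
    for port, result in probe_ports(EXAMPLE_HOST, DEFAULT_PORTS).items():
        print(f"{EXAMPLE_HOST}:{port} -> {result}")
```

Run it from a host on the internet (not from inside the LAN) against the Firebox external address, then read each result next to the matching allow/deny line in Traffic Monitor; `interpret()` spells out which of the four troubleshooting steps the combination points at.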
 

Author Comment

by:jbcbussoft
ID: 33645671
Sorry about the slow response but I was swapping over a SQL server yesterday. I changed the IP addresses to 'any' and was able to 'see' 80 and 1600. 37260 and up weren't available. This appears to be what I need to begin to figure out what is going on. I will post more today.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33659093
No problem; please post updates as this would help with further troubleshooting.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33686675
Sorry about that I got side tracked. I will post the results later this evening.
 
LVL 4

Assisted Solution

by:LBACIS
LBACIS earned 100 total points
ID: 33691625
Your From should be ANY if it is public, or are you trying to actually lock it down to only those 2 IP addresses? The NAT takes care of passing the traffic from the public IP address to the private one, but you then have to tell the Firebox who is allowed through in the From.
 

Author Comment

by:jbcbussoft
ID: 33692899
The service was changed to Any. This log file shows canyouseeme.org is being allowed. At least that is what I see. The only port that Canyouseeme.org shows as open is 80.
Log.txt
Port-check.txt
 
LVL 4

Expert Comment

by:LBACIS
ID: 33693855
Would you be willing to post your XML config file here (of course without sensitive info where possible)?

I would look at it and let you know why; if it is allowing the traffic now, it sounds like a routing issue.
 

Author Comment

by:jbcbussoft
ID: 33695715
OK, excuse my ignorance. What are my XML config files? I have the configuration files with a .cfg extension. Are these the XML files?
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 400 total points
ID: 33698054
In the latest logs you have posted, the firewall is allowing traffic [so I would rule out the firewall at this point].

Is your server actually listening on these ports, viz. TCP 1600, 37260, 37263?

If your server is only listening on port 80 and not on the other ports, I think you would get this result from canyouseeme.

To check if the server is actually listening on these ports, use the command below [on Windows]:
netstat -np tcp

You should see all the ports listed.

Something like this [we are interested in Local Address port]:
C:\Documents and Settings\dpk_wal>netstat -np tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1056         127.0.0.1:2002         ESTABLISHED
  TCP    127.0.0.1:1239         127.0.0.1:1240         ESTABLISHED
  TCP    127.0.0.1:1240         127.0.0.1:1239         ESTABLISHED
  TCP    127.0.0.1:1243         127.0.0.1:1244         ESTABLISHED
  TCP    127.0.0.1:1244         127.0.0.1:1243         ESTABLISHED
  TCP    127.0.0.1:2002         127.0.0.1:1056         ESTABLISHED
  TCP    127.0.0.1:5152         127.0.0.1:1504         CLOSE_WAIT
  TCP    192.168.1.100:2018     x.x.x.x:443     ESTABLISHED
  TCP    192.168.1.100:2106     x.x.x.x:443      TIME_WAIT
  TCP    192.168.1.100:2107     x.x.x.x:443      ESTABLISHED
  TCP    192.168.1.100:2869     x.x.x.x:1052       CLOSE_WAIT

Please check and update.

Thank you.
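One caveat on the listing above: `netstat -np tcp` prints only active connections, so a bound listener does not appear in it at all; listening sockets show up with the `-a` flag (`netstat -an -p tcp`), in the `LISTENING` state. A second thing that trips up port forwards is a service bound to `127.0.0.1` only, which is "listening" but will refuse a NAT'd connection arriving on the LAN address. The script below is an added example for this page, not code from the thread: it parses `netstat -an` output for the ports the firewall forwards and reports, per port, whether a reachable listener exists. The sample netstat text is constructed for the example and is not taken from the thread's attachments.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed sample of `netstat -an -p tcp` output from a Windows host
# (not the thread's real attachment).  80 and 1433 listen on all
# addresses, 1600 listens on loopback only, nothing listens on 37260.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1600         0.0.0.0:0              LISTENING
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    192.168.1.100:2018     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.100:2106     203.0.113.10:443       TIME_WAIT
"""

# Ports the Firebox service in the thread forwards to the inside host.
FORWARDED_PORTS = (80, 1433, 1600, 37260, 37261, 37262, 37263)

# Matches a data row: proto, local endpoint, remote endpoint, optional state
# (UDP rows have no state column on Windows).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")

LOOPBACK = {"127.0.0.1", "::1"}


class Sock(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    state: str


def split_endpoint(endpoint: str):
    """'0.0.0.0:80' -> ('0.0.0.0', 80); '[::]:80' -> ('::', 80).
    Splits on the last colon so IPv6 literals survive."""
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Sock]:
    """Turn netstat output into records, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _remote, state = m.groups()
        ip, port = split_endpoint(local)
        rows.append(Sock(proto, ip, port, state))
    return rows


def tcp_listeners(text: str) -> Dict[int, Set[str]]:
    """{port: set of bind addresses} for every TCP socket in LISTENING state."""
    listeners: Dict[int, Set[str]] = {}
    for s in parse_netstat(text):
        if s.proto == "TCP" and s.state == "LISTENING":
            listeners.setdefault(s.local_port, set()).add(s.local_ip)
    return listeners


def check_listeners(text: str, expected_ports: Iterable[int]) -> Dict[int, str]:
    """For each forwarded port, say whether a listener reachable from the
    LAN interface exists: 'listening', 'loopback only' or 'not listening'."""
    listeners = tcp_listeners(text)
    verdict: Dict[int, str] = {}
    for port in expected_ports:
        binds = listeners.get(port)
        if not binds:
            verdict[port] = "not listening"
        elif binds <= LOOPBACK:
            # bound to 127.0.0.1/::1 only: a NAT'd connection to the LAN
            # address gets an RST even though netstat shows LISTENING
            verdict[port] = "loopback only"
        else:
            verdict[port] = "listening"
    return verdict


if __name__ == "__main__":
    for port, status in check_listeners(SAMPLE_NETSTAT, FORWARDED_PORTS).items():
        print(f"port {port}: {status}")
```

On the real host, pipe the output in (`netstat -an -p tcp > netstat.txt`, then feed the file's contents to `check_listeners`); any port reported as "not listening" or "loopback only" explains a canyouseeme "closed" result without the firewall being at fault.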
 

Author Comment

by:jbcbussoft
ID: 33698437
Netstat doesn't show the server listening on these ports, but the DVR isn't run through the server. It is connected directly to the Firebox. So wouldn't the problem then be with the DVR?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33698458
I am not sure about the DVR; but for canyouseeme to show ports as open there should be a socket listening to which it would connect and report the port as open.
So, the Firebox is properly configured now; check with your remote site if they can connect; if not, then it has to do something with the DVR settings, which I would not be able to help with.

Thank you.
 

Author Comment

by:jbcbussoft
ID: 33701095
OK thanks!
 

Author Comment

by:jbcbussoft
ID: 33702973
Alright, here is the latest update. The DVR has been available most of the time. The problem was I was trying to view the website from within the LAN and I should have been trying from outside the LAN. :)
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 400 total points
ID: 33703303
Good, so the problem is non-existent now.
