How do I open ports on a Firebox x700

I have a Watchguard Firebox x700 that I need to open ports on. I have set up rules to that effect, but when I use a port viewer it does show the port as available from the web. We no longer have support from Watchguard as the device is about 5 years old. Any help would be appreciated.
jbcbussoftAsked:
dpk_walConnect With a Mentor Commented:
For ports 37260-37270 the Client Port is "Client"; set this to "ignore" and this would work. You would need to delete the existing service, make the modification to the template and then add the service again.

As you are using version 7.x, for what client port means please read below [detailed with step 6]:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/client%20port

Please implement and update.

Thank you.
0
 
dpk_walCommented:
>> when I use a port viewer it does show the port as available from the web

Do you mean it does NOT show the port as available?

Can you please post sanitized screenshot, after ensuring that the steps you have taken are as below:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/open%20ports/related/1

Thank you.
0
 
jbcbussoftAuthor Commented:
Sorry I have been busy today. Here are screen shots that show the enabled and allowed 'rule'. You can see ports 1600 and 37260-37270 are open. MXToolBox only sees 1433 as open. Any ideas?
ss1.JPG
ss.JPG
0
 
jbcbussoftAuthor Commented:
Will do tomorrow am.
0
 
jbcbussoftAuthor Commented:
I removed the service and recreated it. The ports to be used are 80, 1600 and 37260 - 37263. I added a TCP and UDP line for each and all were set to ignore. I was told a port forward had to be set up. I read that static NAT is the same as a port forward, so I set up an external-to-internal NAT on the service. Their (DVR company) support said to check for open ports using Canyouseeme.org. The only port it shows open is 1433. I tried MXToolBox.com and got similar results. What now?
0
 
dpk_walConnect With a Mentor Commented:
I think I know why you are not seeing all ports open.

In the service you have created, as per the old screenshots, you have put in the To field: 204.16.x.y and 208.101.x.y; and when I did an nslookup on Canyouseeme.org I got the public IP as: 204.16.252.109

So, if you modify the service DVR1 and add the IP of Canyouseeme.org in the DVR1 To field for testing purposes only and then check again, you should see that the ports are open.

If you still do not see the ports as open, then please do following:

 1. Enable logging on the policy for all traffic [allowed/denied].
 2. Now from the external network do a port scan as you are already doing; you should see traffic on System Manager->Traffic monitor, and also allow/deny entries from the specific host [Canyouseeme.org] IP to your Firebox external IP [as used in the service] on different ports.
 3. If you see allow, then the port is open for sure; if you see deny, please post the sanitized log here so we know where the problem is.
 4. If you do not see any log entries for some port, e.g. let's say 37260-37263, then please check with your ISP if they are blocking traffic on those specific ports.

Please check and update.

Thank you.
0
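The four steps above amount to matching the scanner's source IP against the Firebox allow/deny log, port by port, and sorting each expected port into "allowed", "denied" or "no entry at all" (the last being the ISP-blocking case in step 4). The script below is an added example, not part of the thread or any Watchguard tool; the log layout it parses is a constructed, assumed format since the real Firebox traffic-monitor format is not shown here. The scanner IP 204.16.252.109 is the one quoted in the thread; the external IP 203.0.113.5 is a documentation-range placeholder.

```python
import re

# Constructed sample of firewall traffic-monitor entries.  The real Firebox
# log format is not shown on the page, so this layout is an assumption; only
# the scanner IP (204.16.252.109) comes from the thread.  203.0.113.5 stands
# in for the Firebox external IP, 198.51.100.7 is an unrelated host.
SAMPLE_LOG = """\
Allow src=204.16.252.109 dst=203.0.113.5 proto=tcp dport=80
Allow src=204.16.252.109 dst=203.0.113.5 proto=tcp dport=1600
Deny  src=204.16.252.109 dst=203.0.113.5 proto=tcp dport=37260
Allow src=198.51.100.7   dst=203.0.113.5 proto=tcp dport=37261
"""

# One regex for the assumed line layout: action, source, destination,
# protocol and destination port.
LINE_RE = re.compile(
    r"^(?P<action>Allow|Deny)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            entries.append(entry)
    return entries


def classify_ports(text, scanner_ip, expected_ports, proto="tcp"):
    """Map each expected port to 'allowed', 'denied' or 'no entry'.

    Only traffic sourced from the scanner host is considered, so an Allow from
    some other address (like 198.51.100.7 above) does not count as proof that
    the scanner got through.  If a port has several entries, the last one wins.
    """
    result = {port: "no entry" for port in expected_ports}
    for entry in parse_log(text):
        if entry["src"] != scanner_ip or entry["proto"] != proto:
            continue
        if entry["dport"] in result:
            result[entry["dport"]] = (
                "allowed" if entry["action"] == "Allow" else "denied"
            )
    return result


if __name__ == "__main__":
    ports = [80, 1600, 37260, 37261, 37262, 37263]
    for port, verdict in classify_ports(SAMPLE_LOG, "204.16.252.109", ports).items():
        print(f"tcp/{port}: {verdict}")
```

A port that comes back "denied" points at the policy (step 3); a port with no entry from the scanner at all never reached the Firebox, which is exactly the case step 4 sends to the ISP.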
 
jbcbussoftAuthor Commented:
Sorry about the slow response, but I was swapping over a SQL server yesterday. I changed the IP addresses to 'any' and was able to 'see' 80 and 1600. 37260 and up weren't available. This appears to be what I need to begin to help figure out what is going on. I will post more today.
0
 
dpk_walCommented:
No problem; please post updates as this would help with further troubleshooting.

Thank you.
0
 
jbcbussoftAuthor Commented:
Sorry about that I got side tracked. I will post the results later this evening.
0
 
LBACISConnect With a Mentor Commented:
Your From should be ANY if it is public, or are you trying to actually lock it down to only those 2 IP addresses? The NAT takes care of passing the traffic from the public IP address to the private one, but you then have to tell the Firebox who is allowed through on the From.
0
 
jbcbussoftAuthor Commented:
The service was changed to any. This log file shows canyouseeme.org is being allowed. At least that is what I see. The only port that Canyouseeme.org shows as open is 80.
Log.txt
Port-check.txt
0
 
LBACISCommented:
Would you be willing to post your XML config file here (of course without sensitive info where possible)?

I would look at it and let you know why; if it is allowing the traffic now, it sounds like a routing issue.
0
 
jbcbussoftAuthor Commented:
OK, excuse my ignorance. What are my XML config files? I have the configuration files with a .cfg extension. Are these the XML files?
0
 
dpk_walConnect With a Mentor Commented:
In the latest logs you have posted, the firewall is allowing traffic [so I would rule out the firewall at this point].

Is your server actually listening on these ports, viz. TCP 1600, 37260, 37263?

If your server is only listening on port 80 and not on the other ports, I think you would get that result from canyouseeme.

To check if the server is actually listening on these ports, use commands below [on windows]:
netstat -np tcp

You should see all the ports listed.

Something like this [we are interested in the Local Address port]:

C:\Documents and Settings\dpk_wal>netstat -np tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1056         127.0.0.1:2002         ESTABLISHED
  TCP    127.0.0.1:1239         127.0.0.1:1240         ESTABLISHED
  TCP    127.0.0.1:1240         127.0.0.1:1239         ESTABLISHED
  TCP    127.0.0.1:1243         127.0.0.1:1244         ESTABLISHED
  TCP    127.0.0.1:1244         127.0.0.1:1243         ESTABLISHED
  TCP    127.0.0.1:2002         127.0.0.1:1056         ESTABLISHED
  TCP    127.0.0.1:5152         127.0.0.1:1504         CLOSE_WAIT
  TCP    192.168.1.100:2018     x.x.x.x:443     ESTABLISHED
  TCP    192.168.1.100:2106     x.x.x.x:443      TIME_WAIT
  TCP    192.168.1.100:2107     x.x.x.x:443      ESTABLISHED
  TCP    192.168.1.100:2869     x.x.x.x:1052       CLOSE_WAIT

Please check and update.

Thank you.
0
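The check above is whether a socket is bound on each expected port; a listening socket shows up in the State column as LISTENING rather than ESTABLISHED. The script below is an added example, not part of the thread, that parses output in the Windows netstat layout shown above and reports which expected ports have no listener. The sample text is constructed; note that on Windows the -a flag is needed for netstat to include LISTENING sockets at all (without it only active connections are shown, as in the capture above), so the sample assumes `netstat -an -p tcp`.

```python
import re

# Constructed `netstat -an -p tcp` output in the Windows layout used in the
# thread; -a is included so LISTENING sockets appear.  Addresses are made up.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.100:1600     0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    127.0.0.1:1056         127.0.0.1:2002         ESTABLISHED
  TCP    192.168.1.100:2018     203.0.113.9:443        ESTABLISHED
  TCP    192.168.1.100:2869     203.0.113.9:1052       CLOSE_WAIT
"""

# A TCP row: protocol, local address, foreign address, state.  UDP rows (if
# present) have no state column and are ignored by this pattern.
ROW_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s*$"
)


def listening_ports(netstat_text):
    """Return the set of local TCP ports that are in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("state") == "LISTENING":
            # rpartition keeps IPv6 literals like [::]:135 working: the port
            # is whatever follows the last colon.
            _addr, _sep, port = m.group("local").rpartition(":")
            ports.add(int(port))
    return ports


def missing_listeners(expected_ports, netstat_text):
    """Expected ports with no listening socket, sorted for reporting."""
    return sorted(set(expected_ports) - listening_ports(netstat_text))


if __name__ == "__main__":
    expected = [80, 1600, 37260, 37261, 37262, 37263]
    for port in missing_listeners(expected, SAMPLE_NETSTAT):
        print(f"no listener on tcp/{port}")
```

Any port the script lists as missing will be reported closed by an external checker no matter how the Firebox policy is written, because there is nothing behind the forward to complete the TCP handshake.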
 
jbcbussoftAuthor Commented:
Netstat doesn't show the server listening on these ports, but the DVR isn't run through the server. It is connected directly to the Firebox. So wouldn't the problem then be with the DVR?
0
 
dpk_walCommented:
I am not sure about the DVR; but for canyouseeme to show ports as open there should be a socket listening to which it would connect and report the port as open.
So, the Firebox is properly configured now; check with your remote site if they can connect; if not, then it has to do with the DVR settings, which I would not be able to help with.

Thank you.
0
 
jbcbussoftAuthor Commented:
OK thanks!
0
 
jbcbussoftAuthor Commented:
Alright, here is the latest update. The DVR has been available most of the time. The problem was I was trying to view the website from within the LAN and I should have been trying from outside the LAN. :)
0
 
dpk_walConnect With a Mentor Commented:
Good, so the problem is non-existent now.
0