Solved

How do I open ports on a Firebox x700

Posted on 2010-09-03
2,012 Views
Last Modified: 2012-05-10
I have a WatchGuard Firebox X700 that I need to open ports on. I have set up rules to that effect, but when I use a port viewer it does show the port as available from the web. We no longer have support from WatchGuard as the device is about 5 years old. Any help would be appreciated.
Question by:jbcbussoft
19 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33603855
>> when I use a port viewer it does show the port as available from the web

Do you mean it does NOT show the port as available?

Can you please post a sanitized screenshot, after ensuring that the steps you have taken are as below:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/open%20ports/related/1

Thank you.

Author Comment

by:jbcbussoft
ID: 33622143
Sorry I have been busy today. Here are screen shots that show the enabled and allowed 'rule'. You can see ports 1600 and 37260-37270 are open. MXToolBox only sees 1433 as open. Any ideas?
ss1.JPG
ss.JPG
LVL 32

Accepted Solution

by:dpk_wal (earned 400 total points)
ID: 33623748
For ports 37260-37270 the Client Port is "Client"; set this to "Ignore" and this would work. You would need to delete the existing service, make the modification to the template and then add the service again.

As you are using version 7.x, for what Client Port means please read below [detailed in step 6]:
http://watchguard.custhelp.com/app/answers/detail/a_id/2029/kw/client%20port

Please implement and update.

Thank you.

Author Comment

by:jbcbussoft
ID: 33624082
Will do tomorrow am.

Author Comment

by:jbcbussoft
ID: 33629169
I removed the service and recreated it. The ports to be used are 80, 1600 and 37260-37263. I added a TCP and UDP line for each and all were set to Ignore. I was told a port forward had to be set up. I read that static NAT is the same as a port forward, so I set up an external-to-internal NAT on the service. Their (DVR company) support said to check for open ports using Canyouseeme.org. The only port it shows open is 1433. I tried MXToolBox.com and got similar results. What now?
LVL 32

Assisted Solution

by:dpk_wal (earned 400 total points)
ID: 33633439
I think I know why you are not seeing all ports open.

In the service you have created as per the old screenshots, you have put in the To field: 204.16.x.y and 208.101.x.y; and when I did an nslookup on Canyouseeme.org I got its public IP as: 204.16.252.109

So, if you modify the service DVR1 and add the IP of Canyouseeme.org in the DVR1 To field for testing purposes only, and then check again, you should see that the ports are open.

If you still do not see the ports as open, then please do the following:

 1. Enable logging on the policy for all traffic [allowed/denied].
 2. Now from the external network do a port scan as you are already doing; you should see traffic on System Manager->Traffic Monitor, and also allow/deny entries from the specific host [Canyouseeme.org] IP to your Firebox external IP [as used in the service] on different ports.
 3. If you see allow, then the port is open for sure; if you see deny, please post the sanitized log here so we know where the problem is.
 4. If you do not see any log entries for some port, for eg, let's say 37260-37263, then please check with your ISP if they are blocking traffic on those specific ports.

Please check and update.

Thank you.
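
The four steps above amount to a small triage: for each expected port, look only at log entries from the scanning host to the Firebox's external address and map "allow" to "open at the firewall", "deny" to "policy problem" and "no entry" to "traffic never arrived, ask upstream". The script below is an added example, not part of the thread or of WatchGuard's tooling. The log line layout is a constructed key=value placeholder, not the Firebox's real Traffic Monitor format (adapt LINE_RE to the fields you actually see); the scanner address 204.16.252.109 is the one found by nslookup in the post, and 203.0.113.10 is an assumed stand-in for the external IP.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified key=value layout. This is NOT the
# Firebox's own log syntax; adapt LINE_RE to the fields Traffic Monitor shows.
# 204.16.252.109 is the Canyouseeme.org address from the thread; 203.0.113.10
# stands in for the Firebox external IP (documentation range, constructed).
SAMPLE_LOG = """\
2010-09-05 10:01:02 action=allow proto=tcp src=204.16.252.109:51000 dst=203.0.113.10:80 policy=DVR1
2010-09-05 10:01:03 action=allow proto=tcp src=204.16.252.109:51001 dst=203.0.113.10:1600 policy=DVR1
2010-09-05 10:01:04 action=deny proto=tcp src=204.16.252.109:51002 dst=203.0.113.10:37262 policy=Unhandled
2010-09-05 10:01:05 action=allow proto=tcp src=198.51.100.7:40000 dst=203.0.113.10:1433 policy=SQL
"""

LINE_RE = re.compile(
    r"action=(?P<action>allow|deny)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

ALLOWED, DENIED, NO_ENTRY = "allowed", "denied", "no-entry"


def parse_log(text):
    """Yield one dict per line that matches LINE_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def triage(text, scanner_ip, external_ip, expected_ports, proto="tcp"):
    """Steps 2-4 of the procedure, automated.

    Only entries from the scanning host to the external IP count. An allow
    means the port is open at the firewall (if the scanner still reports it
    closed, look at the host behind the NAT). A deny points at the policy.
    No entry at all means the probe never reached the Firebox.
    """
    seen = defaultdict(set)
    for rec in parse_log(text):
        if (rec["src"] == scanner_ip and rec["dst"] == external_ip
                and rec["proto"] == proto):
            seen[rec["dport"]].add(rec["action"])

    verdict = {}
    for port in expected_ports:
        actions = seen.get(port, set())
        if "allow" in actions:
            verdict[port] = ALLOWED
        elif "deny" in actions:
            verdict[port] = DENIED
        else:
            verdict[port] = NO_ENTRY
    return verdict


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "204.16.252.109", "203.0.113.10",
                    [80, 1600, 37260, 37262])
    for port, state in result.items():
        print(f"port {port}: {state}")
```

Note that the entry for port 1433 from 198.51.100.7 is ignored on purpose: the filter on source address is what keeps unrelated traffic from being mistaken for the scanner's probes.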

Author Comment

by:jbcbussoft
ID: 33645671
Sorry about the slow response, but I was swapping over a SQL Server yesterday. I changed the IP addresses to 'any' and was able to 'see' 80 and 1600. 37260 and up weren't available. This appears to be what I need to begin to help figure out what is going on. I will post more today.
LVL 32

Expert Comment

by:dpk_wal
ID: 33659093
No problem; please post updates as this would help with further troubleshooting.

Thank you.

Author Comment

by:jbcbussoft
ID: 33686675
Sorry about that I got side tracked. I will post the results later this evening.
LVL 4

Assisted Solution

by:LBACIS (earned 100 total points)
ID: 33691625
Your from should be ANY if it is public or are you trying to actually lock it down to only those 2 IP addresses? The NAT takes care of the passing of the traffic from the public IP address to the private but you then have to tell the firebox who is allowed through on the from.

Author Comment

by:jbcbussoft
ID: 33692899
The service was changed to any. This log file shows canyouseeme.org is being allowed. At least that is what I see. The only port that Canyouseeme.org shows as open is 80.
Log.txt
Port-check.txt
LVL 4

Expert Comment

by:LBACIS
ID: 33693855
Would you be willing to post your XML config file here (of course without sensitive info where possible)?

I would look at it and let you know why; if it is allowing the traffic now, it sounds like a routing issue.

Author Comment

by:jbcbussoft
ID: 33695715
OK, excuse my ignorance. What are my XML config files? I have the configuration files with a .cfg extension. Are these the XML files?
LVL 32

Assisted Solution

by:dpk_wal (earned 400 total points)
ID: 33698054
In the latest logs you have posted, the firewall is allowing traffic [so I would rule out the firewall at this point].

Is your server actually listening on these ports, viz. TCP 1600, 37260, 37263?

If your server is only listening on port 80 and not on the other ports, I think you would get the result you see from canyouseeme.

To check if the server is actually listening on these ports, use commands below [on windows]:
netstat -np tcp

You should see all the ports listed.

Something like this [we are interested in Local Address port]:
C:\Documents and Settings\dpk_wal>netstat -np tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1056         127.0.0.1:2002         ESTABLISHED
  TCP    127.0.0.1:1239         127.0.0.1:1240         ESTABLISHED
  TCP    127.0.0.1:1240         127.0.0.1:1239         ESTABLISHED
  TCP    127.0.0.1:1243         127.0.0.1:1244         ESTABLISHED
  TCP    127.0.0.1:1244         127.0.0.1:1243         ESTABLISHED
  TCP    127.0.0.1:2002         127.0.0.1:1056         ESTABLISHED
  TCP    127.0.0.1:5152         127.0.0.1:1504         CLOSE_WAIT
  TCP    192.168.1.100:2018     x.x.x.x:443     ESTABLISHED
  TCP    192.168.1.100:2106     x.x.x.x:443      TIME_WAIT
  TCP    192.168.1.100:2107     x.x.x.x:443      ESTABLISHED
  TCP    192.168.1.100:2869     x.x.x.x:1052       CLOSE_WAIT

Please check and update.

Thank you.
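
The point in the comment above is the one that finally resolves the thread: a port-check site reports "open" only when a TCP handshake completes, which needs a socket listening behind the firewall rule. Two practical caveats: on Windows, `netstat -n -p tcp` lists only active connections, and you need the `-a` switch (`netstat -a -n -p tcp`) to also see LISTENING sockets; and the check has to be run from outside the LAN, because a connection from an internal host to the external address does not traverse the inbound policy unless the firewall performs hairpin NAT. The script below is an added example, not from the thread, that makes the three outcomes a port checker collapses into open/not-open visible from the testing side. It starts a throwaway listener on 127.0.0.1 (an assumed stand-in for the DVR service) so it runs offline; point `check_ports` at a real address and port list to use it against an actual host.

```python
import socket
import threading

# Outcome labels. A port-check website normally reports only the first one as
# "open"; the other two both look "not open" but have different root causes.
OPEN = "open"                # handshake completed: a socket is listening
CLOSED = "closed"            # RST received: packet got through, nothing listens
FILTERED = "filtered"        # no reply before the timeout: dropped by a policy or ISP
UNREACHABLE = "unreachable"  # local network/route error before any probe was sent


def classify_tcp(host, port, timeout=2.0):
    """Attempt one TCP connect and map the result to an outcome label."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return FILTERED
    except OSError:
        return UNREACHABLE
    finally:
        sock.close()


def check_ports(host, ports, timeout=2.0):
    """Classify every port in `ports` on `host`; returns {port: label}."""
    return {port: classify_tcp(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port (stands in for the DVR).

    Returns (server_socket, port); close the socket to stop the accept loop.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # raised once srv is closed
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so that nothing is listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Show 'open' for a port with a listener and 'closed' for one without."""
    srv, listening = start_listener()
    unused = free_port()
    try:
        return check_ports("127.0.0.1", [listening, unused])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port} -> {state}")
```

When a port comes back "closed" from outside, the firewall and NAT have already done their job and the host behind them is the place to look; "filtered" is the case that sends you back to the policy, the Traffic Monitor log, or the ISP.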

Author Comment

by:jbcbussoft
ID: 33698437
Netstat doesn't show the server listening on these ports but the DVR isn't run through the server. It is connected directly to the firebox. So wouldn't the problem be then with the DVR?
LVL 32

Expert Comment

by:dpk_wal
ID: 33698458
I am not sure about the DVR; but for canyouseeme to show ports as open, there should be a socket listening to which it would connect and report the port as open.
So, the Firebox is properly configured now; check with your remote site if they can connect; if not, then it has something to do with the DVR settings, which I would not be able to help with.

Thank you.

Author Comment

by:jbcbussoft
ID: 33701095
OK thanks!

Author Comment

by:jbcbussoft
ID: 33702973
Alright here is the latest update. The DVR has been available most of the time. The problem was I was trying to view the website from within the LAN and I should have been trying from outside the LAN. :)
LVL 32

Assisted Solution

by:dpk_wal (earned 400 total points)
ID: 33703303
Good, so the problem is non-existent now.