Watchguard policies (really, any firewall's policies) - are some of these not needed?

BeGentleWithMe-INeedHelp asked:
I know very little about watchguards (or really most complex firewalls). I have 2 watchguards, in location A and location B. Looking at the policies on the main office's watchguard, I have 16 rules. I wonder which are needed?

This is an XTM21 (old unit, right?)

It takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'Retrieving data' is on screen for 9 seconds... There are 16 policies in the list. Is that a long time for pages to load?

a) Do you just replace watchguards after x years because they are old?
b) Do you reboot them on a schedule? How often? Every week? Month? Year?

This watchguard is set up for: Exchange on the SBS server on the LAN, general surfing from inside the office, VPN to the other location, and phones being able to connect to the Exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what is set up. I inherited this network, so some may be unneeded / defaults that came with the box?
FTP OUTbound
SMTP ( to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->
HTTPtoMAILSrv (From ANY to 75.127.x.x->
POP3toMailsrv (From ANY to 75.127.x.x->
IMAPtoMailsrv (From ANY to 75.127.x.x->
HTTPStoMailsrv (From ANY to 75.127.x.x->
RDPtoMAILsrv (From ANY to 75.127.x.x->
Voicecom mail system (From ANY to 75.127.x.x->
Watchguard web UI (from ANY to Firebox tcp:8080)
Ping (From ANY to ANY)
Watchguard (From ANY to Firebox tcp 4105, 4117, 4117)
Outgoing (from any trusted, any optional TO any external, ports 0 on TCP & UDP)
VPN Alllow in (from LocA to any)
VPN Allow Out (from ANY to LocA)

That mail server IP 75.127.x.x... I don't recognize that. They've been using SBS 2011 / the Exchange in that box, which is in the LAN, for 5+ years.

Jeremy Weisinger, Senior Network Consultant / Engineer:

  • The GeneralProxy I'm not sure what that is used for. The direction on that seems strange.
  • If you are using IMAP or POP then keep those; otherwise you can delete them.
  • I highly recommend deleting the RDP rule, as that will allow anyone to try to log on to your server.
  • Not sure what the voicemail rule is. I assume there's an application on the SBS server, correct? Any ports associated with it?
  • The 75.127.x.x is probably your public IP address, and an SNAT is configured for the SBS server.
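The review above (drop RDP from Any, keep POP3/IMAP only if used, question the management and catch-all rules) can be turned into a repeatable check. The script below is an added example, not code from this thread or from WatchGuard. The policy entries are constructed from the list in the question; the service-to-port mapping (RDP 3389, POP3 110, IMAP 143, SMTP 25, HTTP 80, HTTPS 443, FTP 21) is assumed, since the post names services rather than port numbers, and "port 0 matches every port" is taken as the packet-filter convention the question supposes.

```python
"""Audit a WatchGuard-style policy list for rules worth questioning.

Added example; not code from the thread or from WatchGuard.  The policy
tuples are constructed from the list posted in the question, with the
service ports assumed (the post names services, not ports).
"""
from dataclasses import dataclass

# Ports the firewall itself listens on for management (assumed from the
# posted "Watchguard web UI" and "Watchguard" policies).
MGMT_PORTS = {8080, 4105, 4117}
# Inbound services that should never be exposed to the whole Internet.
RISKY_INBOUND = {3389: "RDP", 22: "SSH", 23: "Telnet", 445: "SMB"}
# Legacy mail client protocols: keep only if clients actually use them.
LEGACY_MAIL = {110: "POP3", 143: "IMAP"}


@dataclass(frozen=True)
class Policy:
    name: str
    src: str    # From alias as shown in Policy Manager, e.g. "Any-External"
    dst: str    # To alias, "Firebox", or an SNAT target such as "75.127.x.x->SBS"
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # 0 = any port (packet-filter convention assumed here)


def internet_facing(src):
    """True when the From alias admits traffic from the outside."""
    return src.lower() in {"any", "any-external"}


def audit(policies):
    """Return (policy name, severity, reason) tuples, highest risk first."""
    findings = []
    for p in policies:
        inbound = internet_facing(p.src)
        if inbound and p.dst.lower() == "firebox" and p.port in MGMT_PORTS:
            findings.append((p.name, "HIGH",
                f"management port {p.port}/{p.proto} reachable from the Internet; "
                "restrict the From list to Any-Trusted or a management host"))
        elif inbound and p.port in RISKY_INBOUND:
            findings.append((p.name, "HIGH",
                f"{RISKY_INBOUND[p.port]} ({p.port}/{p.proto}) open to the Internet; "
                "delete it or reach the server over the VPN instead"))
        elif inbound and p.port in LEGACY_MAIL:
            findings.append((p.name, "REVIEW",
                f"{LEGACY_MAIL[p.port]} inbound; keep only if clients use it"))
        if p.proto in ("tcp", "udp") and p.port == 0:
            findings.append((p.name, "INFO",
                f"port 0/{p.proto} matches every {p.proto} port (catch-all rule)"))
        if p.src.lower() == "any" and p.dst.lower() == "any":
            findings.append((p.name, "LOW",
                "Any -> Any; usually Any-Trusted -> Any-External is enough"))
    order = {"HIGH": 0, "REVIEW": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: order[f[1]])


# Constructed from the policy list in the question (ports assumed).
POSTED_POLICIES = [
    Policy("FTP",            "Any-Trusted",  "Any-External",    "tcp", 21),
    Policy("OutboundSMTP",   "Any-Trusted",  "Any-External",    "tcp", 25),
    Policy("SMTPtoMailSrv",  "Any-External", "75.127.x.x->SBS", "tcp", 25),
    Policy("HTTPtoMailSrv",  "Any-External", "75.127.x.x->SBS", "tcp", 80),
    Policy("POP3toMailSrv",  "Any-External", "75.127.x.x->SBS", "tcp", 110),
    Policy("IMAPtoMailSrv",  "Any-External", "75.127.x.x->SBS", "tcp", 143),
    Policy("HTTPStoMailSrv", "Any-External", "75.127.x.x->SBS", "tcp", 443),
    Policy("RDPtoMailSrv",   "Any-External", "75.127.x.x->SBS", "tcp", 3389),
    Policy("WebUI",          "Any",          "Firebox",         "tcp", 8080),
    Policy("WSM-4105",       "Any",          "Firebox",         "tcp", 4105),
    Policy("WSM-4117",       "Any",          "Firebox",         "tcp", 4117),
    Policy("Ping",           "Any",          "Any",             "icmp", 0),
    Policy("Outgoing-TCP",   "Any-Trusted",  "Any-External",    "tcp", 0),
    Policy("Outgoing-UDP",   "Any-Trusted",  "Any-External",    "udp", 0),
]

if __name__ == "__main__":
    for name, sev, why in audit(POSTED_POLICIES):
        print(f"{sev:6} {name:15} {why}")
```

Running it lists the RDP rule and the three management-port rules as HIGH, POP3/IMAP as REVIEW, Ping as LOW and the two port-0 rules as INFO; the HTTPS/HTTP/SMTP forwards to the mail server produce no finding, which matches the expert's advice to keep them.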
OOPS, I miswrote that GeneralProxy.

Policy type is HTTP proxy
From Any Trusted
To Any External
Port TCP 80

We're not paying for any services on the box like web filtering.

And being that I don't know what I am doing, is it better to uncheck the enable box on a policy rather than delete it, at least short term : ) ??

DOH!!! Yeah, the 75.127.x.x IS our public IP. SNAT? Had to google that. Reading a bit, don't understand it : )

But those entries are what inbound port forwarding looks like I guess.

You've answered other questions of mine. Really, do you / your company help other consultants for $$? What'd it cost to help clean up a watchguard like this? There are likely things you'd want to ADD or rules to tighten up? I know enough to post here and STILL break something : )
Any thoughts on the beginning questions I had?

9 seconds to load a page? Is that just because the box is old? Or is 16 rules too many for a box like that? Or...?

Jeremy Weisinger, Senior Network Consultant / Engineer:

The XTM21 is pretty old. Those load times seem a bit long. But you can more easily manage the firewall if you download and install the Watchguard System Manager on your computer.

Generally there's no need to reboot the Watchguard. Usually installing the updates is frequent enough. I will say that the small boxes like the XTM21 tend to get hot so they need to be kept cool for optimum performance. That could help with the load times.

Do you still have a current Live Security subscription (allows you to get updates and support)?
Along the same lines, here's another issue that's come up.

So at the location (A) with the policies above on the watchguard, users have an app on their phone to get to camera system at location B in another state.

Location B has a watchguard also and VPN between the 2 places (as you see the 2 rules for VPN above).

When on cellular, they get to the cameras at the other location using that location's IP address.

But when on wifi at this location they get an error in the app. Googling the error message, people talk of a password / username issue, but I bet this watchguard isn't letting all the ports out or in?

The camera company said to open:

8088 TCP/UDP
6036 TCP/UDP
1024 TCP/UDP

in that other location's firewall.  And again, that works for people on cellular.  

But the watchguard here also has to let packets OUT onto the web (since the app has a public IP to connect to, packets are going out over web, not over VPN?)

That one policy with ports 0 TCP and 0 UDP - zero port means all?

So it should work?

To repeat at least 1 of the 16 policies from above, the one called outbound with these details:

Connections are Allowed
Any Trusted
Any optional

Any External

0 / TCP
0 / UDP

1 to 1 is checked
Dynamic NAT is checked

Any thoughts why they can't get to the cameras at the other location when on wifi?
HOT!? I'll have to feel it.

Live Security?  Probably not.  Have to log into watchguard site to see that, right? or is there a way to tell looking at the box?

System manager.... does that manage the box live or you work locally on the PC then push / apply the changes? I guess it doesn't matter, right?
Jeremy Weisinger, Senior Network Consultant / Engineer:

There's a lot there...

For the camera rule, you need to make sure it is allowing the wifi network to access through the IP they're trying to connect to.

Live Security status can be found on the Dashboard or in the Feature Key section.

System Manager will make a live readonly connection to the device for monitoring, information gathering, and troubleshooting. The Policy Manager (one of the modules of WSM) is a copy of the config. You edit it then push it to the device.

The wifi is a Linksys access point, so the packets coming from the phone to the watchguard at the main office are wired at that point when they get to the watchguard. Can you tell if the rules would keep some ports from getting out onto the web? I think that's why they are getting that error message. There are a couple of policies (I keep wanting to call them rules... are those synonyms?) related to packets getting out of the LAN onto the web?

The GeneralProxy (that only talks of port 80). I guess I could add those 3 other ports the camera guy needed open at the other location with the cameras?
The outgoing policy - that's the port 0 rule.
LiveSecurity expired in 2015 : (

They let you just start paying from now, or do they want you to pay the 2 unpaid years also? Cheaper to get a new box?
Do you get watchguards through distribution? Or another site you like? I bought an XTM25W that is still sitting on my shelf (was going to replace this XTM, but not knowing what I was doing, I didn't want to rock the boat / kept it as a spare).

Bought that one in Nov 2014. It says standard support ends in Nov 2017. The other services ended in Dec 2014 (a trial I think that I never got to experiment with).

Bought that from Virtual Grafitti / they had good prices back then if I recall. And I'm too small / don't buy enough to keep D&H / Ingram accounts active : ) And Newegg and others have better prices and were easier to find things on the websites (at least way back when, and I'd comparison shop).
I found some page that said that Any-External doesn't get you out?! They said to add Firebox to the To line on the outbound policy to actually get outside?!

Add "Firebox" to the "To:" list and it should work.
The public IP address on the firewall is assumed as "Firebox" not 'Any External'.


It's working now (after adding Firebox to the TO line....)

So why were they able to surf / do other things outbound before this?

Is there a good book / website / PDF to understand / learn these things!? For Any-External to not get you out makes no sense, at least to me : )
Jeremy Weisinger, Senior Network Consultant / Engineer:

Any-External is an alias for anything on the "other side" of External interfaces. I imagine the issue you were facing is known as trombone or hairpin. This is where internal traffic is destined to an external interface and is then routed back internally (basically the traffic does a U-turn).

I'd have to see the config to understand why adding the firebox alias worked. The firebox alias represents all the IP addresses associated with the firebox. It should have only solved the problem if the traffic was destined to the firebox itself.

Are you sure you didn't add Any-Trusted to the source for a SNAT policy? That's the normal way of dealing with hairpins on a Watchguard.
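The alias semantics in the answer above, and the earlier question of whether the port-0 Outgoing policy lets the camera ports (8088, 6036, 1024) out, can be checked against a small model of how a policy's From/To aliases resolve. The script below is an added example, not code from this thread or from WatchGuard. It models the aliases as the expert describes them: Any-Trusted and Any-Optional are the networks behind those interfaces, Firebox is every address the firewall itself owns, and Any-External is whatever lies beyond the external interface, which excludes the firewall's own public address. The topology and addresses are constructed (RFC 5737 ranges), the hairpin SNAT policy with Any-Trusted in its From list is the fix the expert names, not the OP's actual configuration, and the thread does not confirm that the OP's case was a hairpin at all.

```python
"""Which policy a packet hits, given WatchGuard-style alias semantics.

Added example, not code from the thread or from WatchGuard.  Topology and
addresses are constructed; the camera ports are the ones the camera vendor
listed in the thread.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology for a single firewall that also forwards the camera
# ports to an internal host (the way location B's box would).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
OPTIONAL_NETS = []
FIREBOX_IPS = {ipaddress.ip_address("192.168.1.1"),   # trusted-side address
               ipaddress.ip_address("203.0.113.10")}  # public-side address
CAMERA_PORTS = {8088, 6036, 1024}


def in_nets(ip, nets):
    return any(ip in n for n in nets)


def alias_matches(alias, ip):
    """Resolve one From/To entry against an address."""
    a = alias.lower()
    if a == "any":
        return True
    if a == "firebox":
        return ip in FIREBOX_IPS
    if a == "any-trusted":
        return in_nets(ip, TRUSTED_NETS)
    if a == "any-optional":
        return in_nets(ip, OPTIONAL_NETS)
    if a == "any-external":
        # Beyond the external interface: not a local network, not the box.
        return ip not in FIREBOX_IPS and not in_nets(ip, TRUSTED_NETS + OPTIONAL_NETS)
    # A literal host or network, e.g. the public IP an SNAT policy forwards.
    return ip in ipaddress.ip_network(a, strict=False)


def classify(ip_str):
    """Name the alias an address falls under, in the firewall's terms."""
    ip = ipaddress.ip_address(ip_str)
    for alias in ("Firebox", "Any-Trusted", "Any-Optional", "Any-External"):
        if alias_matches(alias, ip):
            return alias
    return None


@dataclass(frozen=True)
class Policy:
    name: str
    src: tuple        # From aliases
    dst: tuple        # To aliases (for SNAT, the public IP being forwarded)
    proto: str
    ports: frozenset  # frozenset({0}) means any port


def first_match(policies, src_ip, dst_ip, proto, port):
    """Return the name of the first policy that allows the flow, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.proto != proto or not (0 in p.ports or port in p.ports):
            continue
        if any(alias_matches(x, s) for x in p.src) and any(alias_matches(x, d) for x in p.dst):
            return p.name
    return None


# The posted catch-all: Any-Trusted / Any-Optional -> Any-External, port 0.
OUTGOING = Policy("Outgoing", ("Any-Trusted", "Any-Optional"), ("Any-External",),
                  "tcp", frozenset({0}))
# Inbound forward of the camera ports from the Internet only.
CAMERA_SNAT = Policy("CamerasSNAT", ("Any-External",), ("203.0.113.10",),
                     "tcp", frozenset(CAMERA_PORTS))
# The expert's hairpin fix: Any-Trusted added to the SNAT policy's From list.
CAMERA_SNAT_HAIRPIN = Policy("CamerasSNAT", ("Any-External", "Any-Trusted"),
                             ("203.0.113.10",), "tcp", frozenset(CAMERA_PORTS))

if __name__ == "__main__":
    # LAN phone to the OTHER site's public IP: plain outbound, Outgoing matches.
    print(first_match([OUTGOING, CAMERA_SNAT], "192.168.1.50", "198.51.100.20", "tcp", 8088))
    # LAN phone to THIS box's own public IP: Any-External does not cover Firebox.
    print(first_match([OUTGOING, CAMERA_SNAT], "192.168.1.50", "203.0.113.10", "tcp", 8088))
    print(first_match([OUTGOING, CAMERA_SNAT_HAIRPIN], "192.168.1.50", "203.0.113.10", "tcp", 8088))
```

The first lookup shows why the OP's reasoning about the port-0 rule is sound when the destination really is the other site's public address. The second shows the hairpin case: the box's own public IP classifies as Firebox, so neither Any-External in the Outgoing policy nor Any-External in the SNAT policy's From list matches, and the flow is dropped until Any-Trusted is added to the SNAT policy, as the expert suggests.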
This is an example of someone (me) at the limits of what they know : ) and why that other box is sitting on the shelf.

Any thoughts on a good book / website / PDF to understand / learn these things!?
Jeremy Weisinger, Senior Network Consultant / Engineer:

If you have your Watchguard Logon info, I think you can still access the training even if your Live Security is expired.
Click on the courseware link and go through the Firewall Essentials PDF. It will walk you through all the basic concepts and on to some advanced concepts.
