Configuration Examples for Control of Firebox-Generated Traffic
In Fireware v12.2 or higher, you can configure policies to control traffic generated by the Firebox. This kind of traffic is also known as self-generated traffic or self-originated traffic.
For example, you can:
- Control which multi-WAN interface is used for WatchGuard subscription services traffic.
- Control which multi-WAN interface is used for queries from the Firebox to the WebBlocker cloud.
- Send subscription services traffic over a WAN interface instead of a zero-route (0.0.0.0) BOVPN tunnel.
- Send subscription services traffic over a WAN interface instead of a zero-route (0.0.0.0) BOVPN virtual interface tunnel.
- Send SSL management traffic over a WAN interface instead of a zero-route BOVPN or BOVPN virtual interface.
- Send Firebox-generated traffic over a secondary IP address. Depending on the IP provisioning method used by your ISP, you might have to use this configuration to support IPoE deployments.
- Send Firebox-generated traffic over a BOVPN or BOVPN virtual interface.
For a list of servers that WatchGuard products and subscription services connect to, go to the Blocked Sites Exceptions list in About Blocked Sites.
Before you can create policies that apply to Firebox-generated traffic, you must first enable the Enable configuration of policies for traffic generated by the Firebox global setting. If you do not enable this global setting, any policies you create for Firebox-generated traffic do not take effect. For more information about this global setting, go to Define Firebox Global Settings.
Configuration Examples
You can create a policy that specifies which WAN interface is used for traffic from the Firebox to cloud-based WatchGuard servers. This helps you prevent subscription services traffic from using unintended or expensive interfaces.
In this configuration example, the Firebox has two multi-WAN interfaces. One interface is dedicated to VoIP traffic:
- External 1 (203.0.113.2) — Interface for all traffic except VoIP traffic
- External 2 (192.0.2.2) — Interface for only VoIP traffic
In the Global Settings on the Firebox, the Enable configuration of policies for traffic generated by the Firebox option is enabled.
You want traffic from the Firebox to WatchGuard cloud-based subscription services to use the External 1 interface. This makes sure that WatchGuard subscription services traffic does not reduce the amount of available bandwidth for VoIP traffic on the External 2 interface. To do this, you have two options:
- Create a custom policy template and a custom packet filter policy.
- Create two packet filter policies: a TCP port 80 (HTTP) policy for cdn.watchguard.com, and a TCP port 443 (HTTPS) policy for services.watchguard.com.
We recommend the first option.
First, create a custom policy template. In this example, the template is named WatchGuard Subscription Services and has these settings:
- Type: Packet Filter
- Protocol: TCP
- Server Port: 80 and 443
Next, create a new policy with these settings:
- From: Firebox
- To: services.watchguard.com, cdn.watchguard.com
- Policy Type: WatchGuard Subscription Services
- Protocol: TCP
- Port: 80 and 443
- SD-WAN: An SD-WAN action that includes the External 1 interface is selected
In this example, the policy is named WatchGuard Subscription Services.
If the Policies list is in auto-order mode, which is the default setting, the WatchGuard Subscription Services policy that you added appears before the built-in Any From Firebox policy. This order occurs because the WatchGuard Subscription Services policy is more granular than the Any From Firebox policy.
You can create a policy that specifies which WAN interface is used for WebBlocker queries generated by the Firebox. This helps you prevent WebBlocker traffic from using unintended or expensive interfaces.
In this configuration example, the Firebox has two WAN interfaces:
- External 1 (203.0.113.2)
- External 2 (192.0.2.2)
In the Global Settings on the Firebox, the Enable configuration of policies for traffic generated by the Firebox option is enabled.
To force traffic from the Firebox to WebBlocker cloud services to use the External 2 interface, you create a new policy with these settings:
- From: Firebox
- To: rp.cloud.threatseeker.com
- Policy Type: HTTPS
- Protocol: TCP
- Port: 443
- SD-WAN Action: An SD-WAN action that includes the External 2 interface is selected
In this example, the policy is named HTTPS.WebBlocker-Queries.
If the Policies list is in auto-order mode (the default setting), the HTTPS.WebBlocker-Queries policy that you added appears before the built-in Any From Firebox policy. This order occurs because the HTTPS.WebBlocker-Queries policy is more granular than the Any From Firebox policy.
If you specify a zero route 0.0.0.0 in your BOVPN configuration, Firebox-generated traffic is sent over the BOVPN tunnel. This behavior occurs because the Firebox automatically sets the source IP address for Firebox-generated traffic to match a VPN tunnel route. For example, if the local Firebox requests signature updates from WatchGuard servers, the request is sent through the tunnel. If the remote Firebox does not allow DNS requests, the signature updates fail.
In Fireware v12.2 or higher, if you enable the Enable configuration of policies for traffic generated by the Firebox global setting, the Firebox no longer sets the source IP address for Firebox-generated traffic to match a BOVPN tunnel route. This means that Firebox-generated traffic uses a WAN interface instead of the BOVPN tunnel.
However, if you want subscription services traffic to use the BOVPN tunnel instead of the WAN interface, you can add a new policy for this traffic. In the policy, you must specify a source IP address that matches a tunnel route for the VPN.
Example
In this example, a Firebox at Site A connects to a remote Firebox at Site B through a BOVPN tunnel. Your network has this configuration:
- The local network at Site A is 10.0.1.0/24.
- The local network at Site B is 10.0.2.0/24.
- The IP address of the Trusted interface at Site A is 10.0.1.10
- The Enable configuration of policies for traffic generated by the Firebox global setting is selected.
In the BOVPN tunnel configuration at Site A, specify these tunnel route settings:
- Local IP — 10.0.1.0/24
- Remote IP — 10.0.2.0/24
The Firebox at Site A generates traffic to cloud-based WatchGuard subscription services. To force this traffic to use the VPN tunnel instead of the WAN interface, you have two options:
- Create a custom policy template and a custom packet filter policy
- Create two packet filter policies: a TCP port 80 (HTTP) policy for cdn.watchguard.com, and a TCP port 443 (HTTPS) policy for services.watchguard.com
We recommend the first option.
First, create a custom policy template. In this example, the template is named WatchGuard Subscription Services and has these settings:
- Type: Packet Filter
- Protocol: TCP
- Server Port: 80 and 443
Next, create a new policy with these settings:
- From: Firebox
- To: services.watchguard.com, cdn.watchguard.com
- Policy Type: WatchGuard Subscription Services
- Protocol: TCP
- Port: 80 and 443
- Set source IP: 10.0.1.10
You must specify a source IP address that matches a tunnel route for the VPN. In this case, we specify the IP address of the physical Trusted interface on the Site A Firebox.
If the Policies list is in auto-order mode, which is the default setting, the WatchGuard Subscription Services policy that you added appears before the built-in Any From Firebox policy. This order occurs because the WatchGuard Subscription Services policy is more granular than the Any From Firebox policy.
Traffic generated by the Firebox to cloud-based WatchGuard subscription services now uses the BOVPN tunnel. This occurs because the WatchGuard Subscription Services policy sets the source IP address for this traffic to 10.0.1.10, which matches a tunnel route.
If your Firebox configuration includes a zero-route BOVPN tunnel and an SSL Management Tunnel, by default, the SSL Management Tunnel is built over the BOVPN tunnel. This behavior occurs because the Firebox automatically sets the source IP address for Firebox-generated traffic to match a BOVPN tunnel route. As a result, WSM Management server cannot manage remote Fireboxes that connect to each other through a BOVPN tunnel.
In Fireware v12.2 or higher, if you enable the Enable configuration of policies for traffic generated by the Firebox global setting, the Firebox no longer sets the source IP address so that Firebox-generated traffic matches a BOVPN tunnel route. After you enable this setting, the SSL management tunnel is built over the external interface instead of over the BOVPN tunnel. You do not have to configure a new policy.
If you specify a zero route 0.0.0.0 in your BOVPN virtual interface configuration, Firebox-generated traffic is sent over the BOVPN virtual interface tunnel. This behavior occurs because the Firebox automatically sets the source IP address for Firebox-generated traffic to match a BOVPN virtual interface tunnel route. For example, if the local Firebox requests signature updates from WatchGuard servers, the request is sent through the tunnel. If the remote Firebox does not allow DNS requests, the signature updates fail.
In Fireware v12.2 or higher, you can add a policy that allows traffic from the Firebox to WatchGuard subscription services to use a WAN interface instead of the zero-route BOVPN virtual interface tunnel.
In this example, a Firebox at Site A connects to a remote Firebox at Site B through a BOVPN virtual interface tunnel. The Firebox at Site A has these settings:
- 0.0.0.0 (zero route) is the route specified in the BOVPN virtual interface configuration.
- The Enable configuration of policies for traffic generated by the Firebox global setting is selected.
You have two options:
- Create a custom policy template and a custom packet filter policy
- Create two packet filter policies: a TCP port 80 (HTTP) policy for cdn.watchguard.com, and a TCP port 443 (HTTPS) policy for services.watchguard.com
We recommend the first option.
Create a custom policy template. In this example, the template is named WatchGuard Subscription Services and has these settings:
- Type: Packet Filter
- Protocol: TCP
- Server Port: 80 and 443
Next, create a new policy with these settings:
- From: Firebox
- To: services.watchguard.com, cdn.watchguard.com
- Policy Type: WatchGuard Subscription Services
- Protocol: TCP
- Port: 80 and 443
- SD-WAN Action: An SD-WAN action that includes the External 1 interface is selected
In this example, the policy is named WatchGuard Subscription Services.
If the Policies list is in auto-order mode, which is the default setting, the WatchGuard Subscription Services policy that you added appears before the built-in Any From Firebox policy. This order occurs because the WatchGuard Subscription Services policy is more granular than the Any From Firebox policy.
If your Firebox configuration includes a zero-route BOVPN virtual interface tunnel, all traffic, which includes Firebox-generated traffic, is sent over the BOVPN virtual interface.
This occurs because the default distance (metric) for the BOVPN virtual interface tunnel is lower than the distance for the default route. In the BOVPN virtual interface settings, the route distance is 1 by default. The distance for the default route (the external interface) is 5. The virtual interface tunnel route takes precedence over the default route unless you specify a distance greater than 5 for the BOVPN virtual interface route.
In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
If you have an SSL Management Tunnel, the SSL Management Tunnel is built over the BOVPN virtual interface tunnel if you specify a distance lower than 5 in the BOVPN virtual interface route settings. However, you might want the SSL Management Tunnel to build through the external interface instead of through the BOVPN virtual interface tunnel.
For example, a WSM Management server at Site A cannot manage a remote Firebox at Site B that initiates a zero-route BOVPN virtual interface tunnel to another remote Firebox at Site C. This is because the SSL Management Tunnel is not built from the Firebox at Site B to the WSM Management Server. Instead, the SSL Management Tunnel is built through the zero-route BOVPN virtual interface tunnel to Site C.
In Fireware v12.2 or higher, if you enable the Enable configuration of policies for traffic generated by the Firebox global setting, you can configure policies to control Firebox-generated traffic. To make sure that the SSL Management Tunnel uses a WAN interface and is not built through a BOVPN virtual interface tunnel, you must configure a policy as described in the next section.
Example
In this example, your network has three sites:
- Site A — WatchGuard Partner office
  A WSM Management Server at this site manages the Fireboxes at Sites B and C through SSL tunnels. The NAT Firebox at this site has an external IP address of 198.51.100.3.
- Site B — Customer office
  The Firebox at this site is configured with a zero-route (0.0.0.0) BOVPN virtual interface tunnel that terminates at Site C. The Enable configuration of policies for traffic generated by the Firebox global setting is selected.
- Site C — Customer datacenter
On the Firebox at Site B, a policy named Firebox_DVCP_SSL-Management sends SSL management traffic destined for Site C over the External interface:
- From: Firebox
- To: 198.51.100.3
  This is the external IP address configured on the Site A NAT Firebox. If the Site A NAT Firebox is configured for multi-WAN, you can specify additional IP addresses or Any-External for redundancy.
- Policy Type: Management Traffic
- Protocol: TCP
- Port: 443, 4112, and 4113
  Include ports 4112 and 4113 as backup options. If the SSL Management Tunnel fails, the Firebox can try to communicate with the Management Server over these ports.
- SD-WAN Action: An SD-WAN action that includes the External interface is selected
If the Policies list is in auto-order mode, which is the default setting, the Firebox_DVCP_SSL-Management policy that you added appears before the built-in Any From Firebox policy. This order occurs because the Firebox_DVCP_SSL-Management policy is more granular than the Any From Firebox policy.
You can create a policy that sends all Firebox-generated traffic destined for the Internet over a specific secondary IP address. This helps in cases when your ISP does not allow you to send or receive traffic on the primary Interface IP address. In regions with limited IPv4 addresses, ISPs might attempt to conserve IP addresses. For example, your ISP might allocate a non-routable IP address for your connection. Or, your ISP might allocate only one routable IP address for your connection.
Depending on the IP provisioning method used by your ISP, you might have to use this configuration to support IPoE deployments.
Example
In this example, the Firebox has one External interface named External-1. The configuration for the External-1 interface includes a secondary IP address on a different network:
- External-1 (192.0.2.2) — Primary interface IP address. Your ISP provides this IP address for the connection between Firebox and the ISP. This IP address might be routable or non-routable.
- External-1 Secondary (203.0.113.1) — Secondary IP address. Your ISP provides this routable IP address for all inbound and outbound traffic through this interface.
In the Global Settings on the Firebox, select the Enable configuration of policies for traffic generated by the Firebox option. For information about this setting, go to Define Firebox Global Settings.
Next, create a new Any packet filter policy. In our example, the policy is named All Firebox-Generated Traffic External-1. In the policy, configure these settings:
- From: Firebox
- To: External-1
- Policy Type: Any
In the Advanced settings, configure these options:
- Select All traffic in this policy.
- Select Set source IP and specify the secondary IP address of the External-1 interface, which is 203.0.113.1 in our example.
If the Policies list is in auto-order mode, which is the default setting, the All Firebox-Generated Traffic External-1 policy that you added appears before the built-in Any From Firebox policy. This order occurs because the All Firebox-Generated Traffic External-1 policy is more granular than the Any From Firebox policy.
For Firebox-generated traffic to route across a BOVPN tunnel, the IP address of the Firebox must be the same as the IP address used in the return route of the BOVPN tunnel. Firebox-generated traffic fails when there is no valid return route from the destination device.
These are the reasons why there might be no valid return route:
- No IP address for an external interface on the source Firebox.
- No IP address for a virtual interface (VIF) on the source Firebox.
- Source Firebox does not map the IP address of its external interface to an IP address that matches the tunnel route (dynamic NAT).
To correct this issue, you can configure a policy-based dynamic NAT on the source device or specify a virtual IP address for the Firebox.
Example (BOVPN)
In this example, you configure policy-based dynamic NAT. When a packet uses the policy to travel through a BOVPN tunnel to the specified IP address, the source IP address of the packet changes to the specified IP address of the NAT. This makes sure that the IP address of the packet matches the IP address of the tunnel route, and traffic flows successfully.
For this example, create an Any packet filter policy. In this example, the name of the policy is All Firebox-Generated Traffic BOVPN.
For a VPN, in the Global Settings on the Firebox, if you disable the Enable configuration of policies for traffic generated by the Firebox setting, the Firebox attempts to match any local interface IP address to a tunnel route, and uses the first IP address it finds that matches the tunnel route. If a match does not exist, network traffic fails. In this example, to fix this issue, you must enable the Enable configuration of policies for traffic generated by the Firebox setting. When you enable this setting, you can use a configured NAT so that Firebox traffic matches a tunnel route.
You must also edit the policy and configure these settings:
- From — Firebox
- To — The IP address of the remote BOVPN resource.
- Policy Type — Any
In the policy Advanced settings, configure these options:
- Dynamic NAT — Select the All Traffic in this Policy option.
- Dynamic NAT — Select the Set Source IP check box and type the IP source address.
The IP address that you provide must match a tunnel route that also uses the same IP address. In this example, the tunnel route uses a local subnet configured to 192.168.50.0/24. For more information, go to Add Routes for a Tunnel.
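The return-route rule for Firebox-generated traffic across a BOVPN tunnel, together with the route-distance rule for zero-route BOVPN virtual interfaces described earlier, modelled in Python as an added example. This is not WatchGuard code and uses no Firebox API; the interface list, route list and function names are constructed for the example from the Site A addresses on this page, and the tie case for equal distances is an assumption the page does not define.

```python
"""Added example (not WatchGuard code): a simplified model of two rules this
page states, used to check a proposed Set source IP before it is configured."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional

DEFAULT_ROUTE_DISTANCE = 5  # distance of the external interface's default route


@dataclass(frozen=True)
class TunnelRoute:
    """One BOVPN tunnel route: the Local IP and Remote IP networks."""
    local: IPv4Network
    remote: IPv4Network


# Constructed from the Site A example: External 1 and the Trusted interface.
SITE_A_INTERFACE_IPS = ["203.0.113.2", "10.0.1.10"]
SITE_A_ROUTES = [TunnelRoute(IPv4Network("10.0.1.0/24"), IPv4Network("10.0.2.0/24"))]


def return_route_for(src_ip: str, routes: Iterable[TunnelRoute]) -> Optional[TunnelRoute]:
    """Tunnel route whose Local IP network contains src_ip, meaning the remote side
    has a return route for packets with that source. None means the traffic fails."""
    addr = IPv4Address(src_ip)
    return next((r for r in routes if addr in r.local), None)


def auto_selected_source_ip(interface_ips: Iterable[str], routes) -> Optional[str]:
    """Global setting disabled: the Firebox uses the first local interface IP that
    matches a tunnel route; None if no interface IP matches."""
    for ip in interface_ips:
        if return_route_for(ip, routes) is not None:
            return ip
    return None


def policy_egress(set_source_ip: Optional[str], routes) -> str:
    """Global setting enabled: no automatic matching, so traffic uses the WAN
    interface unless the policy's Set source IP matches a tunnel route."""
    if set_source_ip is not None and return_route_for(set_source_ip, routes) is not None:
        return "tunnel"
    return "external"


def vif_egress(vif_route_distance: int = 1) -> str:
    """Zero-route BOVPN virtual interface: the lower distance wins. The default VIF
    distance 1 beats the default route's 5; a distance above 5 sends traffic out the
    external interface. A tie is treated as external here (assumption)."""
    return "tunnel" if vif_route_distance < DEFAULT_ROUTE_DISTANCE else "external"
```

Run return_route_for against the value you plan to enter in Set source IP; a None result is the "no valid return route" condition the text describes.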
Example (BOVPN Virtual Interface)
In this example, you assign a virtual IP address to the Firebox. You can then specify the local IP address of the Firebox-generated traffic in the BOVPN virtual interface settings.
To assign a virtual IP address for the Firebox, go to the VPN Routes tab of the BOVPN virtual interface configuration.
Configure these options:
- Assign Virtual Interface IP Addresses — Select the check box.
- Local IP Address — Type the IP address that you configure on the local Firebox interface that the remote site has a return route for.
- Peer IP Address or Netmask — Type the IP address to use for the remote end of the tunnel. If you enter a netmask, it must match the netmask configured on the third-party endpoint at the other end of the tunnel.