XTM Networking Tips and Tricks
Carlo Alvarez, Technical Trainer - APAC


Agenda
- Public IP Address Subnet Behind XTM
- Dynamic Routing in FireCluster
- Enhanced Network Failover (ENF) with Remote WAN Failover
- Mixed Clientless SSO

PUBLIC SUBNET BEHIND XTM

Top 5 Reasons Why End Users Have Public IPs in their Network
1. They care about redundancy of the path into their network.
2. They care about the IP address their hosts use when they communicate on the Internet.
3. They demanded public IPs but are not going to use them.
4. They were simply assigned by their ISP and they do not care about them.
5. They just make up addresses on their own.

Public Subnet Behind XTM
- Generally, the concern is redundancy and the inbound path to the public subnet.
- Works with either static or dynamic routing.
- Can be as simple as a single WAN and as complex as Multi-WAN with dynamic routing.

Simple Scenario: Public Subnet behind XTM
- Single External interface
- Static routing is sufficient
- Works with subnets of any size

Simple Scenario: Public Subnet behind XTM - Configuration Tips
- A static route for the public subnet must be configured on the router in front of the XTM device. In this example, a route to the /24 with the next hop set to the XTM's External interface address.
- Assign an IP address from the same public subnet to the XTM's Optional interface; it is the gateway for the public hosts.
- The public subnet must not be included in the Dynamic NAT configuration, otherwise its hosts leave the XTM translated to the External IP.
- Uncheck the NAT options on the policies involving the Optional network or any host of the public subnet.

Simple Scenario: Public Subnet behind XTM - Network Configuration (diagram)

Simple Scenario: Public Subnet behind XTM - Policy Example 1, Outbound (screenshot)

Simple Scenario: Public Subnet behind XTM - Policy Example 2, Inbound (screenshot)
- In this example is the Mail Server.
- Destination address is the Mail Server's real public IP address; no Static NAT is needed.

Complex Scenario 1: Public Subnet behind XTM
- With Multi-WAN
- Static routing only
- Works like the single-WAN case, but with failover to the second WAN using a different (External-2) IP address
- Works even with a subnet smaller than /24
- Inbound traffic to the real public IPs still has only a single path (via External-1)

Complex Scenario 1: Public Subnet behind XTM - Configuration Tips
- A static route for the public subnet must be configured on the router in front of the XTM device, pointing at the XTM's External-1, as in the Simple Scenario.
- Assign an IP address from the same public subnet to the XTM's Optional interface.
- Add a Dynamic NAT entry for the public subnet translating to the IP address of External-2, for outbound traffic during failover.
- Inbound policies require two entries for the same host: one for its real public IP (arriving via External-1) and one Static NAT entry for the External-2 IP.

Complex Scenario 1: Public Subnet behind XTM - Network Configuration (diagram)

Complex Scenario 1: Public Subnet behind XTM - DNAT Configuration (screenshot)
- An entry is added for the public subnet translating to External-2 only; there is still no entry for External-1.

Complex Scenario 1: Public Subnet behind XTM - Policy Example 1, Outbound (screenshot)

Complex Scenario 1: Public Subnet behind XTM - Policy Example 2, Inbound (screenshot)
- In this example is the Mail Server.
- The Destination address has two entries:
  - The host as is (its real public IP)
  - A Static NAT entry translating the other External IP (External-2) to the host

Complex Scenario 1: Public Subnet behind XTM - Configure the DNS records for inbound traffic
- Example DNS records for the mail systems (MX and A records, not NS records):
  company.com.  IN MX 5   mail1.company.com.
  company.com.  IN MX 10  mail2.company.com.
  mail1         IN A
  mail2         IN A
- Example DNS records for the web service:
  www1.company.com.  IN A
  www2.company.com.  IN A
- mail1 resolves to the mail server's real public IP (reached via External-1) and mail2 to the External-2 address that the Static NAT entry translates to the same host, so a sending mail server falls back to the second WAN when the first is unreachable. For the web service there is no MX-style preference, so both names must be published.
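The Simple Scenario and Complex Scenario 1 tips above (no Dynamic NAT for the public subnet on External-1, Dynamic NAT to External-2 only, a Static NAT entry for the second inbound path, and the two MX records) can be checked against a small model of the XTM's forwarding and NAT decisions. The block below is an added example, not code from the presentation or from Fireware; all addresses are RFC 5737 documentation ranges chosen here (203.0.113.0/24 for the public subnet, 198.51.100.1 for External-1, 192.0.2.1 for External-2, 203.0.113.25 for the mail server), and the DNS data is constructed to follow the slide's pattern.

```python
"""Model of a public subnet behind the XTM for the Simple (single WAN) and
Complex 1 (multi-WAN, static routing) scenarios. Added illustration, not
Fireware code. Assumed (not from the slides): RFC 5737 documentation addresses.
  203.0.113.0/24  public subnet on the Optional interface
  198.51.100.1    External-1, the next hop the ISP router uses for 203.0.113.0/24
  192.0.2.1       External-2, second WAN used only for failover
  203.0.113.25    the mail server on the public subnet
"""
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PUBLIC_SUBNET = ip_network("203.0.113.0/24")
TRUSTED = ip_network("10.0.0.0/8")
EXTERNAL_IP = {"External-1": "198.51.100.1", "External-2": "192.0.2.1"}
MAIL_HOST = "203.0.113.25"

# Dynamic NAT entries as (source network, egress interface). The public subnet
# has no entry for External-1 (Simple Scenario tip: keep the real source IP) and
# exactly one entry, for External-2 (Complex Scenario 1 tip).
DYNAMIC_NAT = [
    (TRUSTED, "External-1"),
    (TRUSTED, "External-2"),
    (PUBLIC_SUBNET, "External-2"),
]
# Static NAT: External-2's address is translated to the mail server for inbound.
STATIC_NAT = {EXTERNAL_IP["External-2"]: MAIL_HOST}


def egress(wan_up: dict) -> str:
    """Multi-WAN failover: External-1 while it is up, otherwise External-2."""
    for iface in ("External-1", "External-2"):
        if wan_up.get(iface, False):
            return iface
    raise RuntimeError("no WAN interface is up")


def outbound(src: str, wan_up: dict) -> Tuple[str, str]:
    """Return (egress interface, source address the Internet sees)."""
    ip, iface = ip_address(src), egress(wan_up)
    for net, rule_iface in DYNAMIC_NAT:
        if ip in net and rule_iface == iface:
            return iface, EXTERNAL_IP[iface]
    return iface, src  # no matching Dynamic NAT entry: the real public IP is kept


def inbound(dst: str) -> Optional[Tuple[str, str]]:
    """Return (interface the packet arrives on, final destination host), or None."""
    if ip_address(dst) in PUBLIC_SUBNET:
        # The ISP router's static route points the subnet at External-1, so the
        # real public IPs are reachable on that single path only.
        return "External-1", dst
    if dst in STATIC_NAT:
        return "External-2", STATIC_NAT[dst]
    return None


# Constructed DNS data following the slide's pattern: two MX records with
# different preferences, each A record on a different inbound path.
MX_RECORDS = [(5, "mail1.company.com."), (10, "mail2.company.com.")]
A_RECORDS = {
    "mail1.company.com.": MAIL_HOST,
    "mail2.company.com.": EXTERNAL_IP["External-2"],
}


def mx_delivery_attempts():
    """Order in which a sending MTA tries the MX hosts, with the path each uses."""
    attempts = []
    for _pref, name in sorted(MX_RECORDS):
        iface, host = inbound(A_RECORDS[name])
        attempts.append((name, iface, host))
    return attempts


if __name__ == "__main__":
    print(outbound("203.0.113.25", {"External-1": True, "External-2": True}))
    print(outbound("203.0.113.25", {"External-1": False, "External-2": True}))
    print(mx_delivery_attempts())
```

Running it shows the behaviour the tips are aiming for: while External-1 is up, a public host leaves untranslated; once External-1 is down it leaves as External-2's address; and both MX hosts end at the same mail server, one via each WAN. Removing the `(PUBLIC_SUBNET, "External-2")` entry or the Static NAT entry breaks the failover half, which is the easiest way to see why each tip is there.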

Complex Scenario 2: Public Subnet behind XTM
- With Multi-WAN
- Dynamic routing support
- Inbound traffic to the public IPs can arrive on either WAN interface
- Limited to subnets of /24 or larger, since upstream providers generally do not accept more specific prefixes over dynamic routing

Complex Scenario 2: Public Subnet behind XTM - Configuration Tips
- Configure the External interfaces
- Assign an IP address from the same public subnet to the XTM's Optional interface
- Configure dynamic routing with the upstream peers

Complex Scenario 2: Public Subnet behind XTM - Network Configuration (diagram)

Complex Scenario 2: Public Subnet behind XTM - Dynamic Routing Configuration (screenshot)

Complex Scenario 2: Public Subnet behind XTM - Policy Example 1, Outbound (screenshot)

Complex Scenario 2: Public Subnet behind XTM - Policy Example 2, Inbound (screenshot)
- In this example is the Mail Server.
- Destination address is the Mail Server's IP address.

DYNAMIC ROUTING IN FIRECLUSTER

Dynamic Routing in FireCluster - Consider this… (diagram)

Let’s try it out…

ENF with REMOTE WAN FAILOVER

Consider This Scenario (diagram)
- One site can reach the other through the Point-to-Point link (PTP).

Consider This Scenario (diagram)
- One site can reach the other through the Point-to-Point link (PTP).
- If the Point-to-Point link goes down, the traffic routes through the BOVPN. This is Enhanced Network Failover (ENF).

Enhanced Network Failover (diagram)
- A site's access to any resource on the Internet goes through its own WAN.

Enhanced Network Failover (diagram)
- A site's access to any resource on the Internet goes through its own WAN.
- If that WAN breaks, the site should be able to re-route through the PTP link.

ENF with Remote WAN Failover
- The idea is to use the remote site's WAN for failover.
- Remote WAN failover can be configured on either site or on both.

ENF with Remote WAN Failover Configuration - Network Configuration (diagram)

ENF with Remote WAN Failover Configuration - Dynamic NAT (screenshot)
- Dynamic NAT is configured only on the real WAN interface.

ENF with Remote WAN Failover Configuration - Dynamic Routing, OSPF (screenshot)

ENF with Remote WAN Failover Configuration - BOVPN Configuration (screenshot)

ENF with Remote WAN Failover Configuration - The Policies (screenshot)

ENF with Remote WAN Failover Tips
- The link between the two sites must be Point-to-Point, with the HO end configured as LAN/OPT (Trusted or Optional) and the BO end configured as WAN (External).
- A multi-hop link is also possible, provided the routers in between can do source-based routing to control the direction of the default routes.
- On the BO site, Dynamic NAT is configured on the real WAN interface only, so that traffic between the two sites is not translated to the interface IP.
- On the BO site, Multi-WAN must be set to Failover mode.
- On the HO site, you must allow the remote (BO) subnet in the global Dynamic NAT settings and in the outbound rules for web access; otherwise failed-over traffic would leave the HO WAN with a private source address.
- Ping must be allowed from the opposite end of the Point-to-Point link; otherwise the link monitor on the External interface fails and the interface is marked down.
- This works with static or dynamic routes and with a classic site-to-site (BOVPN) VPN.
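The tips above can be followed through a small model of the branch office's (BO) route selection and NAT scope. The block below is an added example, not code from the presentation or from Fireware; it assumes route costs (10 for the real WAN, 20 for the default learned over the PTP, 100 for the BOVPN fallback), RFC 1918 and RFC 5737 addresses chosen here (BO LAN 10.20.0.0/16, HO LAN 10.10.0.0/16, BO WAN 198.51.100.20, HO WAN 203.0.113.10) and a link monitor that declares an interface down after three consecutive failed pings; real thresholds depend on the configuration.

```python
"""Model of ENF with Remote WAN Failover as seen from the branch office (BO).
Added illustration, not Fireware code. Assumed (not from the slides): the
route costs, the addresses below and the link-monitor threshold.
  BO LAN 10.20.0.0/16, real WAN "BO-WAN" with IP 198.51.100.20
  HO LAN 10.10.0.0/16, real WAN "HO-WAN" with IP 203.0.113.10
  PTP link: BO end is External (WAN), HO end is Optional
"""
from ipaddress import ip_address, ip_network

HO_LAN = ip_network("10.10.0.0/16")
BO_LAN = ip_network("10.20.0.0/16")
BO_WAN_IP = "198.51.100.20"
HO_WAN_IP = "203.0.113.10"

# Default-route candidates at BO; the lowest cost among "up" interfaces wins.
# The HO advertises 0.0.0.0/0 over OSPF across the PTP (cost 20); BO's own
# default via its real WAN (cost 10) is preferred while that WAN is healthy.
BO_DEFAULTS = [("BO-WAN", 10), ("PTP", 20)]
# Paths to the HO LAN: the PTP first, the BOVPN (which rides BO-WAN) if PTP is down.
BO_TO_HO = [("PTP", 10), ("BOVPN", 100)]

# Dynamic NAT scope. BO translates only on its real WAN (tip 3). HO must list the
# remote BO subnet in its global Dynamic NAT (tip 5), or failed-over traffic leaves
# HO-WAN with a private source address.
BO_DNAT_IFACES = {"BO-WAN"}
HO_DNAT_SOURCES = [HO_LAN, BO_LAN]


def link_up(probe_results, threshold=3):
    """Link monitor: the interface stays up unless the last `threshold` pings all
    failed. If the far end of the PTP drops ICMP, every probe fails (tip 6)."""
    recent = probe_results[-threshold:]
    return not (len(recent) == threshold and not any(recent))


def pick(candidates, up):
    """Cheapest candidate whose interface the link monitor reports as up."""
    for iface, _cost in sorted(candidates, key=lambda c: c[1]):
        if up.get(iface, False):
            return iface
    return None


def bo_forward(src, dst, up, ho_dnat_sources=HO_DNAT_SOURCES):
    """Return (list of egress interfaces along the path, source address the
    destination sees) for a packet leaving the BO LAN. `up` maps BO
    interfaces ("BO-WAN", "PTP", "BOVPN") to their link-monitor state."""
    s, d = ip_address(src), ip_address(dst)
    if d in HO_LAN:
        iface = pick(BO_TO_HO, up)
        # Site-to-site traffic is never translated: no DNAT on PTP or BOVPN.
        return ([iface], src) if iface else (None, None)
    iface = pick(BO_DEFAULTS, up)
    if iface is None:
        return None, None
    if iface in BO_DNAT_IFACES:
        return [iface], BO_WAN_IP
    # Failed over across the PTP: HO forwards it out HO-WAN and must Dynamic-NAT it.
    if any(s in net for net in ho_dnat_sources):
        return [iface, "HO-WAN"], HO_WAN_IP
    return [iface, "HO-WAN"], src  # HO DNAT tip skipped: private source leaks out


if __name__ == "__main__":
    healthy = {"BO-WAN": True, "PTP": True, "BOVPN": True}
    wan_down = {"BO-WAN": False, "PTP": True, "BOVPN": False}
    print(bo_forward("10.20.1.5", "192.0.2.50", healthy))
    print(bo_forward("10.20.1.5", "192.0.2.50", wan_down))
    print(bo_forward("10.20.1.5", "192.0.2.50", wan_down, ho_dnat_sources=[HO_LAN]))
```

The last call models the HO site without the remote subnet in its global Dynamic NAT: the packet still follows the failover path, but reaches the Internet with a 10.20.x.x source, which is how that misconfiguration shows up in practice (failover "works" in the routing table but nothing gets replies).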

Let’s try it out…

MIXED CLIENTLESS SSO

Mixed Clientless SSO Scenario
- The network is a mix of AD-joined hosts and disjoined hosts.
- AD-joined hosts authenticate with Clientless SSO.
- AD-disjoined hosts, such as Macs and Unix systems, are automatically redirected to the authentication page when they browse.

Helpful Hints
- Split the Trusted subnet for easier policy configuration:
  - DHCP address reservations for the AD-joined hosts
  - A DHCP pool for the AD-disjoined hosts
- Another option is to put the AD-disjoined hosts on a different subnet, such as another zone or a wireless guest network.
- WebBlocker plays a key role in this scenario, since it is what blocks the initial access of the disjoined hosts and presents the deny message that sends them to the authentication page.

Mixed Clientless SSO Configuration - Configure ELM
- Configure the Exchange Monitor (ELM).
- ELM should be the top-priority method in the Clientless SSO settings.

Mixed Clientless SSO Configuration - Check the Trusted interface configuration (screenshot)
- The host range should be easy to segregate.
- In this example the lower half of the range holds the reserved addresses of the AD-joined hosts.
- The upper half is the DHCP pool for the disjoined hosts.

Mixed Clientless SSO Configuration - Add the Active Directory domain (screenshot)

Mixed Clientless SSO Configuration - Enable Single Sign-On (screenshot)
- Add exceptions to the SSO clients list.
- The exceptions are the host range corresponding to the DHCP pool of the disjoined hosts, so the XTM never attempts SSO lookups for them.

Mixed Clientless SSO Configuration - Add the policy for the AD-joined hosts and the authenticated hosts (screenshot)

Mixed Clientless SSO Configuration - Add the policy for the disjoined hosts (screenshot)
- The Source corresponds to the DHCP pool of the disjoined hosts.
- Take note of the proxy action.

Mixed Clientless SSO Configuration - Add and configure WebBlocker to deny all categories (screenshot)

Mixed Clientless SSO Configuration - Edit the deny message (screenshot)

Mixed Clientless SSO Configuration - Note that the policies are in manual order mode (screenshot)
- The policy for AD-joined and authenticated hosts must sit above the deny-all policy for the disjoined pool; otherwise a disjoined host that has authenticated on the portal still matches the deny policy first.
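The policy logic of the Mixed Clientless SSO configuration (SSO exceptions for the pool, ELM as the SSO source, the authenticated-hosts policy above the WebBlocker deny-all policy, manual order) can be exercised with the model below. It is an added example, not code from the presentation or from Fireware; the Trusted network 10.0.1.0/24, its split into a reserved lower half and an upper-half pool, the ELM logon table and the portal session table are all constructed for the example.

```python
"""Model of the Mixed Clientless SSO policy decision. Added illustration, not
Fireware code. Assumed (not from the slides): Trusted network 10.0.1.0/24 split
into reservations .2-.127 (AD-joined) and a DHCP pool .128-.254 (disjoined),
plus constructed ELM logon and Authentication Portal session tables.
"""
from ipaddress import ip_address
from typing import Optional

RESERVED = (ip_address("10.0.1.2"), ip_address("10.0.1.127"))    # AD-joined hosts
POOL = (ip_address("10.0.1.128"), ip_address("10.0.1.254"))      # disjoined hosts
SSO_EXCEPTIONS = [POOL]  # the XTM never queries ELM/the SSO agent for these addresses

# Constructed Exchange Monitor (ELM) view: workstation IP -> domain user logged on there.
ELM_LOGONS = {"10.0.1.10": "EXAMPLE\\alice"}
# Constructed Authentication Portal sessions for disjoined hosts (Mac/Unix).
PORTAL_SESSIONS = {"10.0.1.200": "EXAMPLE\\bob"}


def in_range(ip, rng):
    return rng[0] <= ip <= rng[1]


def sso_user(ip) -> Optional[str]:
    """Clientless SSO with ELM as the top-priority source; exception hosts are skipped."""
    if any(in_range(ip, r) for r in SSO_EXCEPTIONS):
        return None
    return ELM_LOGONS.get(str(ip))


def authenticated_user(ip) -> Optional[str]:
    """User the XTM associates with the address: SSO first, then a portal login."""
    return sso_user(ip) or PORTAL_SESSIONS.get(str(ip))


# Policies in manual order; "from" is a predicate over (ip, user). The first policy
# corresponds to "AD-Joined Hosts and Authenticated Hosts", the second to the
# disjoined pool with a WebBlocker action that denies every category.
POLICIES = [
    ("HTTP-proxy AD-Joined and Authenticated",
     lambda ip, user: in_range(ip, RESERVED) or user is not None,
     "allow"),
    ("HTTP-proxy Disjoined (WebBlocker deny all)",
     lambda ip, user: in_range(ip, POOL),
     "deny: WebBlocker deny message points the user at the authentication page"),
]


def evaluate(src: str, policies=POLICIES):
    """First match wins, top to bottom, exactly as manual-order mode evaluates."""
    ip = ip_address(src)
    user = authenticated_user(ip)
    for name, matches, action in policies:
        if matches(ip, user):
            return name, action, user
    return None, "deny (no matching policy)", user


if __name__ == "__main__":
    for host in ("10.0.1.10", "10.0.1.150", "10.0.1.200"):
        print(host, evaluate(host))
    # Same hosts with the two policies swapped: the authenticated disjoined host is now denied.
    print("10.0.1.200 (wrong order)", evaluate("10.0.1.200", policies=list(reversed(POLICIES))))
```

The last line is the reason the slide insists on manual order: a pool host that has logged in on the portal only reaches the allow policy if that policy is evaluated before the pool's deny-all policy.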

Let’s try it out…

THANK YOU!