Wednesday, July 31, 2013

WatchGuard Best Practice and XTM

Recently attended WatchGuard (WG) XTM 101 presented by Bill (William) Larsen.

Helpful Tips:

When naming rules, end the name with .in, .out or .passthrough.
     This makes it easier to filter traffic when troubleshooting / investigating.

Ensure only your Active Directory (AD) servers provide DNS

  • Setup Alias to include only your AD servers
  • Setup DNS-proxy.out
    • Policy Type: DNS-Proxy
    • From: ADServers
    • To: Any-External

Allow guest wifi to use public DNS
  • Setup DNS-proxy.passthrough
    • Policy Type: DNS-Proxy
    • From: Any-Optional
    • To: Any-External

If you have multiple servers/systems that you need to manage through RDP, let WG handle the port translation.
  • Create additional Policy Types using following naming scheme:
    • RDP-[Port]
    • Ex. RDP-3391 | RDP-3390
  • When setting up SNAT, use the following naming scheme (only if the SNAT is just for RDP)
    • SNAT Name: RDP-[server name]
      • Ex. RDP-WFE01
    • SNAT Member: [External IP] [Internal IP] [Internal Port (3389 unless changed on server)]
      • xx.xx.xx.xx -> 192.168.40.25 : 3389

To prevent a spambot from sending on your domain, ensure only your Exchange server can send
  • Setup Alias to include only your Exchange server (we only have a single server; not sure how a cluster would function)
  • Setup following rules:
    • Name: SMTP-Exchange.out
    • Policy Type: SMTP
    • From: Exchange
    • To: Any-External (or alias for offsite SpamFiltering, we use Postini)

Now, for the Exchange and DNS restrictions to take effect, you need to ensure this final rule is set up, because so far we have not blocked anything; we have only set up rules to allow.

Setup Deny Rule:
  • Name: MyDenyRule
    • Policy Type: MyDenyRule
      • Ports: 25 (TCP&UDP), 53 (TCP&UDP) and 161
    • From: Any-Trusted, Any-Optional
    • To: Any-External
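To see why the deny rule is needed, the policy set above can be checked with a small model of the flows it should and should not permit. This is an added example, not part of the original post and not WatchGuard's own tooling; the addresses, the alias memberships, and the "narrowest source alias wins" precedence are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (an assumption, not taken from the post).
ALIASES = {
    "ADServers": ["192.168.40.10", "192.168.40.11"],
    "Exchange": ["192.168.40.20"],
    "Any-Trusted": ["192.168.40.0/24"],
    "Any-Optional": ["192.168.50.0/24"],
}
INTERNAL = ("Any-Trusted", "Any-Optional")

def in_alias(addr: str, alias: str) -> bool:
    """Any-External is modelled as everything outside the trusted/optional networks."""
    if alias == "Any-External":
        return not any(in_alias(addr, i) for i in INTERNAL)
    a = ip_address(addr)
    return any(a in ip_network(m, strict=False) for m in ALIASES[alias])

def alias_size(alias: str) -> int:
    """Specificity measure: addresses covered by the alias (smaller = more specific)."""
    return sum(ip_network(m, strict=False).num_addresses for m in ALIASES[alias])

@dataclass
class Policy:
    name: str
    ports: set      # {(proto, port)} the policy type covers
    src: list       # source aliases
    dst: list       # destination aliases
    action: str     # "allow" or "deny"

DNS = {("tcp", 53), ("udp", 53)}
POLICIES = [
    Policy("DNS-proxy.out", DNS, ["ADServers"], ["Any-External"], "allow"),
    Policy("DNS-proxy.passthrough", DNS, ["Any-Optional"], ["Any-External"], "allow"),
    Policy("SMTP-Exchange.out", {("tcp", 25)}, ["Exchange"], ["Any-External"], "allow"),
    # The post does not state a protocol for port 161; both are modelled here.
    Policy("MyDenyRule", DNS | {("tcp", 25), ("udp", 25), ("tcp", 161), ("udp", 161)},
           ["Any-Trusted", "Any-Optional"], ["Any-External"], "deny"),
]

def evaluate(src: str, dst: str, proto: str, port: int):
    """Return (policy name, action) for a flow, or None if nothing in this list matches.
    Assumed precedence: among matching policies the one whose source aliases cover the
    fewest addresses wins, so a narrow alias such as ADServers beats Any-Trusted."""
    matches = [p for p in POLICIES
               if (proto, port) in p.ports
               and any(in_alias(src, a) for a in p.src)
               and any(in_alias(dst, a) for a in p.dst)]
    if not matches:
        return None
    best = min(matches, key=lambda p: sum(alias_size(a) for a in p.src))
    return best.name, best.action
```

Without MyDenyRule a trusted workstation's direct DNS or SMTP to the Internet would not hit any of the allow policies and would fall through to whatever other policies exist; with it, those flows are explicitly denied while the AD and Exchange servers keep their access.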
