XTM Networking Tips and Tricks - Carlo Alvarez, Technical Trainer - APAC


Transcript

XTM Networking Tips and Tricks 2012

Slide 1 - XTM Networking Tips and Tricks
Carlo Alvarez, Technical Trainer - APAC, WatchGuard Training
This training material is currently unofficial and may not be redistributed unless cleared by Product Training and Publishing.

Slide 2 - Agenda
  • Public IP Address Subnet Behind XTM
  • Dynamic Routing in FireCluster
  • Enhanced Network Failover (ENF) with Remote WAN Failover
  • Mixed Clientless SSO

Slide 3 - PUBLIC SUBNET BEHIND XTM

Slide 4 - Top 5 Reasons Why End Users Have Public IPs in their Network
  • They care about redundancy in terms of the path going into their network
  • They care about the IP address their hosts are going to use when they communicate on the internet
  • They demanded public IPs but are not going to use them
  • They were just assigned them by their ISP and they don't care about them
  • They just make up addresses on their own

Slide 5 - Public Subnet Behind XTM
  • Generally, the concern is the redundancy and the inbound path going to the public subnet
  • Works with either static or dynamic routing
  • Can be as simple as Single-WAN and can go as complex as Multi-WAN with dynamic routing

Slide 6 - Simple Scenario: Public Subnet behind XTM
  • Single external interface
  • Static routing is sufficient
  • Works with subnets of variable sizes

Slide 7 - Simple Scenario: Public Subnet behind XTM - Configuration Tips
  • A static route must be configured on the router in front of the XTM device. In this example, a route to 202.101.21.0/24 with the next hop 208.82.1.2 (the XTM's External interface)
  • Assign an IP address from the same subnet to the XTM's Optional interface
  • The subnet must not be included in the Dynamic NAT configuration
  • Uncheck the NAT options on the policies involving the Optional network or any host of the public subnet
Speaker note: Un-checking the NAT option simply frees the policy from extra processing it would otherwise have to do.

Slide 8 - Simple Scenario: Public Subnet behind XTM - Network Configuration (figure only)

Slide 9 - Simple Scenario: Public Subnet behind XTM - Policy Example 1 - Outbound (figure only)

Slide 10 - Simple Scenario: Public Subnet behind XTM - Policy Example 2 - Inbound
  • In this example 202.101.21.25 is the mail server
  • Destination address is the mail server IP address

Slide 11 - Complex Scenario 1: Public Subnet behind XTM
  • With Multi-WAN
  • Static routing only
  • Works similar to the Single-WAN case, but with a failover function using a different IP address
  • Works even with a subnet smaller than /24
  • Inbound path to the real public IP is still on a single path

Slide 12 - Complex Scenario 1: Public Subnet behind XTM - Configuration Tips
  • A static route must be configured on the router in front of the XTM device, pointing to the XTM's External-1, similar to the Simple Scenario example
  • Assign an IP address from the same subnet to the XTM's Optional interface
  • Add a Dynamic NAT entry for the public subnet translating to the IP address of External-2, for outbound purposes
  • Inbound policies will require two entries going to the same host

Slide 13 - Complex Scenario 1: Public Subnet behind XTM - Network Configuration (figure only)

Slide 14 - Complex Scenario 1: Public Subnet behind XTM - DNAT Configuration
  • An entry is added for the public IP subnet to translate to External-2 only
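A small configuration lint for the Dynamic NAT and static-route tips of the Simple Scenario (slide 7) and Complex Scenario 1 (slides 12 and 14), written as an added example; it is not code from the deck or from WatchGuard. The (source, translate-to) rule tuples are a constructed simplification of the XTM Dynamic NAT table, and the three addresses are the ones used in the slides.

```python
"""Added example, not from the slides: lint the Dynamic NAT rules and the
upstream static route for a public subnet behind an XTM. The rule model
(source network, translate-to address) is a constructed simplification."""
import ipaddress

# Addresses from the slides: the public subnet behind the XTM and the two
# external interface addresses used in the Multi-WAN scenario.
PUBLIC_SUBNET = ipaddress.ip_network("202.101.21.0/24")
EXTERNAL_1 = ipaddress.ip_address("208.82.1.2")
EXTERNAL_2 = ipaddress.ip_address("122.22.21.2")


def rules_covering(dnat_rules, subnet=PUBLIC_SUBNET):
    """Dynamic NAT rules whose source range overlaps the public subnet."""
    return [(src, dst) for src, dst in dnat_rules
            if ipaddress.ip_network(src, strict=False).overlaps(subnet)]


def upstream_route_ok(router_routes, subnet=PUBLIC_SUBNET, next_hop=EXTERNAL_1):
    """The router in front of the XTM needs a static route for the public
    subnet with the XTM's External-1 address as next hop (slides 7 and 12)."""
    return any(ipaddress.ip_network(net) == subnet
               and ipaddress.ip_address(hop) == next_hop
               for net, hop in router_routes)


def check_single_wan(dnat_rules, subnet=PUBLIC_SUBNET):
    """Simple Scenario (slide 7): no Dynamic NAT entry may cover the public
    subnet, or its hosts would leave as the external IP instead of their own."""
    return [f"{src} -> {dst} translates the public subnet"
            for src, dst in rules_covering(dnat_rules, subnet)]


def check_multi_wan(dnat_rules, subnet=PUBLIC_SUBNET,
                    ext1=EXTERNAL_1, ext2=EXTERNAL_2):
    """Complex Scenario 1 (slides 12 and 14): the public subnet is translated
    to External-2 only, so outbound traffic still works after failover to
    External-2 while traffic via External-1 keeps its real public source."""
    problems = []
    hits = rules_covering(dnat_rules, subnet)
    for src, dst in hits:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip == ext1:
            problems.append(f"{src} -> {dst} hides the public IPs behind External-1")
        elif dst_ip != ext2:
            problems.append(f"{src} -> {dst} translates to an address that is not External-2")
    if not any(ipaddress.ip_address(dst) == ext2 for _, dst in hits):
        problems.append("missing Dynamic NAT entry for the public subnet to External-2")
    return problems
```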

Slide 15 - Complex Scenario 1: Public Subnet behind XTM - Policy Example 1 - Outbound (figure only)

Slide 16 - Complex Scenario 1: Public Subnet behind XTM - Policy Example 2 - Inbound
  • In this example 202.101.21.25 is the mail server
  • Destination address has two entries:
      - The host as is (202.101.21.25)
      - Static NAT translating the other external IP 122.22.21.2 to 202.101.21.25

Slide 17 - Complex Scenario 1: Public Subnet behind XTM - Configure the DNS records for inbound traffic
Example DNS records for email systems:

    company.com  IN MX 5   mail1.company.com.
    company.com  IN MX 10  mail2.company.com.
    mail1        IN A      202.101.21.25
    mail2        IN A      122.22.21.2

Example DNS records for a web service:

    www1.company.com.  IN A  202.101.21.80
    www2.company.com.  IN A  122.22.21.2

Slide 18 - Complex Scenario 2: Public Subnet behind XTM
  • With Multi-WAN
  • Dynamic routing support
  • Inbound path to the public IP can be either of the WAN interfaces
  • Limited to subnets /24 or greater

Slide 19 - Complex Scenario 2: Public Subnet behind XTM - Configuration Tips
  • Configure the external interfaces
  • Assign an IP address from the same subnet to the XTM's Optional interface
  • Configure dynamic routing with the upstream peers

Slide 20 - Complex Scenario 2: Public Subnet behind XTM - Network Configuration (figure only)

Slide 21 - Complex Scenario 2: Public Subnet behind XTM - Dynamic Routing Configuration (figure only)
Speaker note: Discuss route objects if needed.

Slide 22 - Complex Scenario 2: Public Subnet behind XTM - Policy Example 1 - Outbound (figure only)

Slide 23 - Complex Scenario 2: Public Subnet behind XTM - Policy Example 2 - Inbound
  • In this example 202.101.21.25 is the mail server
  • Destination address is the mail server IP address

Slide 24 - DYNAMIC ROUTING IN FIRECLUSTER

Slide 25 - Dynamic Routing in FireCluster: Consider this (figure only)

Slide 26 - Let's try it out

Slide 27 - ENF WITH REMOTE WAN FAILOVER

Slide 28 - Consider This Scenario
  • A site can access the other through the Point-to-Point link (PTP)

Slide 29 - Consider This Scenario
  • A site can access the other through the Point-to-Point link (PTP)
  • If the Point-to-Point link goes down, the traffic routes through the BOVPN
  • ENF: Enhanced Network Failover

Slide 30 - Enhanced Network Failover
  • A site's access to any resource on the internet goes through its WAN

Slide 31 - Enhanced Network Failover
  • A site's access to any resource on the internet goes through the WAN
  • If the WAN breaks, it should be able to re-route through the PTP link

Slide 32 - ENF with Remote WAN Failover
  • The idea is to be able to use the remote site's WAN for failover
  • Remote WAN failover can be configured on either or both sites

Slide 33 - ENF with Remote WAN Failover Configuration: Network Configuration (figure only)

Slide 34 - ENF with Remote WAN Failover Configuration: Dynamic NAT is only on the real WAN interface (figure only)

Slide 35 - ENF with Remote WAN Failover Configuration: Dynamic Routing (OSPF) (figure only)

Slide 36 - ENF with Remote WAN Failover Configuration: BOVPN Configuration (figure only)

Slide 37 - ENF with Remote WAN Failover Configuration: The Policies (figure only)

Slide 38 - ENF with Remote WAN Failover Tips
  • The link between the two sites must be Point-to-Point, with the HO site's end set as LAN/OPT, while the BO site's end should be set as WAN.
  • A multi-hop link is also possible, provided the routers in between can do source-based routing to filter the direction of the default routes.
  • On the BO site, Dynamic NAT is configured on the real WAN interface only, so that traffic from one site to the other is not translated to the interface IP.
  • On the BO site, Multi-WAN should be set to Failover.
  • On the HO site, you must allow the remote subnet in the global DNAT settings and in the outbound rules for web access.
  • Ping must be allowed from the opposite end of the Point-to-Point link, otherwise the External interface will fail.
  • This can work with static or dynamic routes, with a classic site-to-site VPN.

Slide 39 - Let's try it out

Slide 40 - MIXED CLIENTLESS SSO

Slide 41 - Mixed Clientless SSO Scenario
  • The network is a combination of AD-joined hosts and disjoined hosts
  • AD-joined hosts will do Clientless SSO
  • AD-disjoined hosts such as Macs and Unix will be auto-redirected to the authentication page when browsing

Slide 42 - Helpful Hints
  • Break the trusted subnet for easier policy configuration: DHCP address reservations for AD-joined hosts, a DHCP pool for AD-disjoined hosts
  • Another option is to put the AD-disjoined hosts on a different subnet, such as another zone or a wireless guest network
  • WebBlocker plays a key role in this scenario, since we will block the initial access of the disjoined hosts
(Diagram labels: "IP Address Reservations", "IP Pool")

Slide 43 - Mixed Clientless SSO Configuration: Configure ELM
  • ELM should be the top priority in the Clientless SSO settings

Slide 44 - Mixed Clientless SSO Configuration: Check the Trusted interface configuration
  • The host range should be easily segregated
  • In this example the lower half is for the reserved addresses of the AD-joined hosts
  • The upper half is for the disjoined hosts (DHCP pool)

Slide 45 - Mixed Clientless SSO Configuration: Add the Active Directory domain (figure only)

Slide 46 - Mixed Clientless SSO Configuration: Enable Single Sign-On
  • Add exceptions to the SSO clients list
  • The exceptions here are the host range corresponding to the IP pool available for the disjoined hosts

Slide 47 - Mixed Clientless SSO Configuration: Add the policy for the AD-joined hosts and the authenticated hosts (figure only)

Slide 48 - Mixed Clientless SSO Configuration: Add the policy for the disjoined hosts
  • The source corresponds to the IP pool of the disjoined hosts
  • Take note of the proxy action

Slide 49 - Mixed Clientless SSO Configuration: Add and configure WebBlocker to deny all categories (figure only)

Slide 50 - Mixed Clientless SSO Configuration: Edit the deny message (figure only)

Slide 51 - Mixed Clientless SSO Configuration: Note that the policies are in Manual Order mode
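The address split from slides 42 to 46 and the policy ordering point of slides 47, 48 and 51, worked through as an added example that is not code from the deck or from WatchGuard. The trusted subnet, the XTM interface address, the policy names and the tag-based source matching are all constructed for illustration; the real XTM policy engine is not modelled.

```python
"""Added example, not from the slides: derive the trusted-subnet split used
for Mixed Clientless SSO and show why Manual Order mode matters. The subnet,
XTM interface address and policy table are constructed for illustration."""
import ipaddress


def split_trusted(subnet, xtm_ip):
    """Lower half of the host range: DHCP reservations for AD-joined hosts
    (Clientless SSO). Upper half: DHCP pool for disjoined hosts. The XTM's
    own interface address is excluded from both ranges."""
    net = ipaddress.ip_network(subnet)
    mid = net.network_address + net.num_addresses // 2
    hosts = [h for h in net.hosts() if h != ipaddress.ip_address(xtm_ip)]
    reserved = [h for h in hosts if h < mid]
    pool = [h for h in hosts if h >= mid]
    return (reserved[0], reserved[-1]), (pool[0], pool[-1])


def sso_exception(subnet, xtm_ip):
    """The range to enter in the SSO exceptions list (slide 46): the pool
    of the disjoined hosts, written as 'first-last'."""
    _, (first, last) = split_trusted(subnet, xtm_ip)
    return f"{first}-{last}"


# Constructed policy table in manual order: first match wins. The first entry
# stands for slide 47 (AD-joined hosts and authenticated users), the second
# for slide 48 (disjoined hosts, proxy action with WebBlocker denying all).
POLICIES = [
    {"name": "HTTP-AD-Joined-and-Authenticated", "from": {"reserved", "authenticated"}},
    {"name": "HTTP-Disjoined-WebBlocker-DenyAll", "from": {"pool"}},
]


def matching_policy(ip, subnet, xtm_ip, authenticated=False, policies=POLICIES):
    """Name of the first policy whose source matches the host. A disjoined host
    that has authenticated only reaches the allow policy if it sits above the
    deny-all policy, which is why the order is kept manual."""
    addr = ipaddress.ip_address(ip)
    (r0, r1), (p0, p1) = split_trusted(subnet, xtm_ip)
    tags = set()
    if r0 <= addr <= r1:
        tags.add("reserved")
    elif p0 <= addr <= p1:
        tags.add("pool")
    if authenticated:
        tags.add("authenticated")
    for policy in policies:
        if tags & policy["from"]:
            return policy["name"]
    return None
```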

Slide 52 - Let's try it out

Slide 53 - THANK YOU!
