XTM Networking Tips and Tricks
Carlo Alvarez, Technical Trainer - APAC
WatchGuard Training
Agenda
• Public IP Address Subnet Behind XTM
• Dynamic Routing in FireCluster
• Enhanced Network Failover (ENF) with Remote WAN Failover
• Mixed Clientless SSO
PUBLIC SUBNET BEHIND XTM
Top 5 Reasons Why End Users Have Public IPs in their Network
1. They care about redundancy of the path into their network
2. They care about the IP Address their hosts will use when they communicate on the internet
3. They demanded Public IPs but are not going to use them
4. They were simply assigned by their ISP and they don’t care about them
5. They just make up addresses on their own
Public Subnet Behind XTM
Generally, the concern is redundancy of the inbound path to the Public Subnet
Works with either static or dynamic routing
Can be as simple as Single-WAN and can go as complex as Multi-WAN with Dynamic Routing
Simple Scenario: Public Subnet behind XTM
Single External Interface
Static Routing is sufficient
Works with Subnets of variable sizes
Simple Scenario: Public Subnet behind XTM
Configuration Tips
• Static route must be configured on the router before the XTM device
  In this example, a route to 202.101.21.0/24 with next hop 208.82.1.2 (the XTM’s External Interface)
• Assign an IP Address from the same subnet to the XTM’s Optional Interface
• The subnet must not be included in the Dynamic NAT configuration
• Uncheck the NAT options on the Policies involving the Optional Network or any host of the Public Subnet
Simple Scenario: Public Subnet behind XTM - Network Configuration
Simple Scenario: Public Subnet behind XTM - Policy Example 1 - Outbound
Simple Scenario: Public Subnet behind XTM - Policy Example 2 - Inbound
In this example 202.101.21.25 is the Mail Server
Destination Address is the Mail Server IP Address
Complex Scenario 1: Public Subnet behind XTM
With Multi-WAN
Static Routing only
Works like the Single-WAN case, but with a failover function using a different IP Address
Works even with subnet smaller than /24
Inbound path to the real Public IP is still on a single path
Complex Scenario 1: Public Subnet behind XTM
Configuration Tips
• Static route must be configured on the router before the XTM device, pointing to the XTM’s External-1, as in the Simple Scenario example
• Assign an IP Address from the same subnet to the XTM’s Optional Interface
• Add a Dynamic NAT entry for the Public Subnet translating to the IP Address of External-2 for outbound traffic
• Inbound Policies will require two entries going to the same host
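As an added example (not from the slides or from WatchGuard’s tooling), a small Python checker that encodes the configuration tips of the Simple Scenario and of Complex Scenario 1 above and runs them over constructed configs using the addresses shown on the slides; the XtmConfig model, the interface names and the rule strings are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class XtmConfig:
    """Hypothetical model of the relevant XTM settings (not WatchGuard's own format)."""
    public_subnet: str          # the subnet routed to the XTM, e.g. 202.101.21.0/24
    externals: dict             # External interface name -> its IP address
    optional_ip: str            # address assigned to the Optional interface
    upstream_next_hop: str      # next hop the ISP router uses for public_subnet
    dynamic_nat: list = field(default_factory=list)       # (source_cidr, translate_to_iface)
    inbound_policies: list = field(default_factory=list)  # {"host": ip, "destinations": [...]}


def check_config(cfg, multi_wan=False):
    """Return the tip violations found; an empty list means the tips are satisfied."""
    findings = []
    net = ipaddress.ip_network(cfg.public_subnet)
    # Tip: the Optional interface takes an address from the public subnet itself
    if ipaddress.ip_address(cfg.optional_ip) not in net:
        findings.append("Optional interface IP is not inside the public subnet")
    # Tip: the upstream static route points at External-1 (the only External when single-WAN)
    if cfg.upstream_next_hop != cfg.externals.get("External-1"):
        findings.append("upstream static route next hop is not the XTM External-1 address")
    # Dynamic NAT entries whose source overlaps the public subnet
    hits = [(src, iface) for src, iface in cfg.dynamic_nat
            if ipaddress.ip_network(src).overlaps(net)]
    if not multi_wan:
        # Simple scenario: the public subnet must never be translated
        if hits:
            findings.append("public subnet must not be covered by Dynamic NAT")
        return findings
    # Complex scenario 1: translate to External-2 only, so outbound traffic can fail over
    if not hits:
        findings.append("missing Dynamic NAT of the public subnet to External-2")
    elif any(iface != "External-2" for _, iface in hits):
        findings.append("public subnet Dynamic NAT must translate to External-2 only")
    # Inbound policies need the host itself plus the SNAT entry via External-2
    for pol in cfg.inbound_policies:
        if len(pol["destinations"]) < 2:
            findings.append(f"inbound policy for {pol['host']} needs two destination entries")
    return findings


# Constructed sample configurations using the addresses shown on the slides
SIMPLE = XtmConfig("202.101.21.0/24", {"External-1": "208.82.1.2"}, "202.101.21.1",
                   "208.82.1.2", [("192.168.0.0/16", "External-1")],
                   [{"host": "202.101.21.25", "destinations": ["202.101.21.25"]}])
COMPLEX1 = XtmConfig("202.101.21.0/24",
                     {"External-1": "208.82.1.2", "External-2": "122.22.21.2"},
                     "202.101.21.1", "208.82.1.2", [("202.101.21.0/24", "External-2")],
                     [{"host": "202.101.21.25",
                       "destinations": ["202.101.21.25", "SNAT 122.22.21.2 -> 202.101.21.25"]}])

if __name__ == "__main__":
    print("simple:", check_config(SIMPLE) or "OK")
    print("complex-1:", check_config(COMPLEX1, multi_wan=True) or "OK")
```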
Complex Scenario 1: Public Subnet behind XTM - Network Configuration
Complex Scenario 1: Public Subnet behind XTM - DNAT Configuration
An entry is added for the Public IP subnet to translate to External-2 only
Complex Scenario 1: Public Subnet behind XTM - Policy Example 1 - Outbound
Complex Scenario 1: Public Subnet behind XTM - Policy Example 2 - Inbound
In this example 202.101.21.25 is the Mail Server
Destination Address has two entries
• The host as is (202.101.21.25)
• Static NAT translating the other External IP 122.22.21.2 to 202.101.21.25
Complex Scenario 1: Public Subnet behind XTM - Configure the DNS Records for inbound traffic
Example DNS Records for Email Systems
company.com. IN MX 5 mail1.company.com.
company.com. IN MX 10 mail2.company.com.
mail1 IN A 202.101.21.25
mail2 IN A 122.22.21.2
Example DNS Records for Web Service
www1.company.com. IN A 202.101.21.80
www2.company.com. IN A 122.22.21.2
Complex Scenario 2: Public Subnet behind XTM
With Multi-WAN
Dynamic Routing support
Inbound path to the Public IP can be either of the WAN interfaces
Limited to subnets /24 or greater
Complex Scenario 2: Public Subnet behind XTM
Configuration Tips
• Configure External Interfaces
• Assign an IP Address from the same subnet to the XTM’s Optional Interface
• Configure the Dynamic Routing with the Upstream Peers
Complex Scenario 2: Public Subnet behind XTM - Network Configuration
Complex Scenario 2: Public Subnet behind XTM - Dynamic Routing Configuration
Complex Scenario 2: Public Subnet behind XTM - Policy Example 1 - Outbound
Complex Scenario 2: Public Subnet behind XTM - Policy Example 2 - Inbound
In this example 202.101.21.25 is the Mail Server
Destination Address is the Mail Server IP Address
DYNAMIC ROUTING IN FIRECLUSTER
Dynamic Routing in FireCluster
Consider this…
Let’s try it out…
ENF with REMOTE WAN FAILOVER
Consider This Scenario
A site can access the other through the Point-to-Point Link (PTP)
Consider This Scenario
A site can access the other through the Point-to-Point Link (PTP). If the Point-to-Point link goes down, the traffic routes through the BOVPN.
ENF: Enhanced Network Failover
Enhanced Network Failover
A site’s access to any resource on the internet goes through its WAN
Enhanced Network Failover
A site’s access to any resource on the internet goes through the WAN. If the WAN breaks, it should be able to re-route through the PTP link.
ENF with Remote WAN Failover
The idea is to be able to use the remote site’s WAN for failover. Remote WAN failover can be configured on either or both sites.
ENF with Remote WAN Failover Configuration - Network Configuration
ENF with Remote WAN Failover Configuration
Dynamic NAT is only on the real WAN interface
ENF with Remote WAN Failover Configuration - Dynamic Routing (OSPF)
ENF with Remote WAN Failover Configuration - BOVPN Configuration
ENF with Remote WAN Failover Configuration - The Policies
ENF with Remote WAN Failover Tips
• The link between the two sites must be Point-to-Point, with the HO side set as LAN/OPT and the BO side set as WAN.
• A multi-hop link is also possible, provided the routers in between can do source-based routing to constrain the direction of the default routes.
• On the BO site, Dynamic NAT is configured on the real WAN interface only, so that traffic from one site to the other is not translated to the interface IP.
• On the BO, Multi-WAN should be set to Failover.
• On the HO site, you must allow the remote subnet in the Global DNAT settings and in the outbound rules for web access.
• Ping must be allowed from the opposite end of the Point-to-Point link; otherwise the External interface will fail.
• This works with static or dynamic routes, with a classic site-to-site VPN.
Let’s try it out…
MIXED CLIENTLESS SSO
Mixed Clientless SSO Scenario
The network is a combination of AD-joined hosts and disjoined hosts
AD-joined hosts will do Clientless SSO
AD-disjoined hosts, such as Macs and Unix machines, will be auto-redirected to the authentication page when browsing
Helpful Hints:
Split the trusted subnet’s host range for easier policy configuration
• DHCP Address Reservations for AD-Joined Hosts
• DHCP Pool for AD-Disjoined Hosts
Another option is to put the AD-Disjoined Hosts on a different subnet, such as another Zone or a Wireless Guest network
WebBlocker plays a key role in this scenario, since it blocks the initial web access of the Disjoined Hosts (the DHCP IP Pool)
Mixed Clientless SSO Configuration
Configure ELM
ELM should be the top priority on the Clientless SSO Settings
Mixed Clientless SSO Configuration
Check the Trusted Interface configuration
The host range should be easy to segregate
In this example the lower half is for the reserved addresses of the AD-Joined Hosts
The upper half is for the Disjoined Hosts (DHCP Pool)
Mixed Clientless SSO Configuration
Add the Active Directory Domain
Mixed Clientless SSO Configuration
Enable the Single Sign-On
Add Exceptions to the SSO Clients List
The exception here is the host range corresponding to the IP Pool used by the Disjoined Hosts
Mixed Clientless SSO Configuration
Add the Policy for the AD-Joined Hosts and the Authenticated Hosts
Mixed Clientless SSO Configuration
Add the Policy for the Disjoined Hosts
The Source corresponds to the IP Pool of the Disjoined Hosts
Take note of the Proxy Action
Mixed Clientless SSO Configuration
Add and configure WebBlocker to Deny All Categories
Mixed Clientless SSO Configuration
Edit the Deny Message
Mixed Clientless SSO Configuration
Note that the Policies are in Manual Order Mode
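As an added example (not from the slides), a Python model of the Mixed Clientless SSO layout described above: it splits the trusted host range into the reserved lower half and the DHCP-pool upper half, derives the SSO exception range, and walks the two manually ordered policies to show which one an AD-joined host, an unauthenticated disjoined host and an authenticated disjoined host hit; the 192.168.10.0/24 subnet, the policy names and the proxy action label are constructed.

```python
import ipaddress

# Constructed trusted subnet: the slides show the split but do not name the network
TRUSTED = ipaddress.ip_network("192.168.10.0/24")


def split_trusted(net):
    """Lower half: DHCP reservations for AD-joined hosts; upper half: DHCP pool for
    disjoined hosts (Macs, Unix). Returns (joined_half, pool_half)."""
    joined, pool = net.subnets(prefixlen_diff=1)
    return joined, pool


def sso_exception_range(net):
    """Host range to add to the SSO Clients exception list: the disjoined pool."""
    _, pool = split_trusted(net)
    hosts = list(pool.hosts())
    return f"{hosts[0]}-{hosts[-1]}"


def build_policies(net):
    """Manual-order policy list: first match wins, so the allow policy comes first."""
    joined, pool = split_trusted(net)
    return [
        # AD-joined hosts (identified via ELM / clientless SSO) and any authenticated user
        {"name": "HTTP-Allow", "from": [joined, "Authenticated-Users"], "proxy_action": None},
        # Unauthenticated disjoined hosts: WebBlocker denies all categories, and the
        # edited deny message points the user at the authentication page
        {"name": "HTTP-Disjoined", "from": [pool], "proxy_action": "WebBlocker-DenyAll"},
    ]


def decide(policies, client_ip, authenticated):
    """Return (policy name, proxy action) applied to a client's web request."""
    ip = ipaddress.ip_address(client_ip)
    for pol in policies:
        for src in pol["from"]:
            if src == "Authenticated-Users":
                matched = authenticated
            else:
                matched = ip in src
            if matched:
                return pol["name"], pol["proxy_action"]
    return "no-match", "deny"


def check_order(policies):
    """True when the deny-all policy sits below the allow policy; the reverse order
    would send authenticated disjoined users into WebBlocker as well."""
    names = [p["name"] for p in policies]
    return names.index("HTTP-Allow") < names.index("HTTP-Disjoined")


if __name__ == "__main__":
    pols = build_policies(TRUSTED)
    print("SSO exceptions:", sso_exception_range(TRUSTED))
    for ip, auth in [("192.168.10.5", False), ("192.168.10.200", False), ("192.168.10.200", True)]:
        print(ip, "authenticated" if auth else "anonymous", "->", decide(pols, ip, auth))
```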
Let’s try it out…
THANK YOU!