WatchGuard NAT

Client called me with an FTP issue on Monday.  His FTP server was blocking all traffic for security reasons.

Turned out the Watchguard firewall (750e) dynamic NAT was relabeling traffic with the IP address of the firewall, so the FTP server saw all traffic with a single source.  Too many failed login attempts (automated hacking) and it blocked that source (the firewall) which blocked everything.

First Watchguard denied it was happening and said if the Watchguard was relabeling packets then FTP traffic would never work from the internet.

And closed the ticket.

After the client insisted, they reopened the ticket and spent an hour showing the client how ti use Wireshark on the FTP server… and proved that the firewall was in fact relabeling packets.

The Watchguard tech then delared that was the way it was supposed to work, there was no other way for it to work without removing the fireawall, suggested the client using a DMZ (which would also have required a NAT FYI)

and closed the ticket.

I connected in that night and spent 5 minutes creating a 1-to-1 NAT rule and disabling dynamic NAT.

Which fixed the problem. (interestingly I should not have had to disable dynamic NAT – if a 1-to-1 exists it should use that first.  But it didn’t)

This entry was posted in Computing, Firewall, Security, Vendor rant and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.