XTM Networking Tips and Tricks. Carlo Alvarez, Technical Trainer - APAC.

  • Published on
    29-Dec-2015


Transcript

Slide 1: XTM Networking Tips and Tricks (2012)
Carlo Alvarez, Technical Trainer - APAC, WatchGuard Training
Note: This training material is currently unofficial and may not be redistributed unless cleared by Product Training and Publishing.

Slide 2: Agenda
  • Public IP Address Subnet Behind XTM
  • Dynamic Routing in FireCluster
  • Enhanced Network Failover (ENF) with Remote WAN Failover
  • Mixed Clientless SSO

Slide 3: PUBLIC SUBNET BEHIND XTM

Slide 4: Top 5 Reasons Why End Users Have Public IPs in Their Network
  • They care about redundancy in terms of the path going into their network
  • They care about the IP address their hosts use when they communicate on the Internet
  • They demanded public IPs but are not going to use them
  • They were simply assigned by their ISP and they don't care about them
  • They just make up addresses on their own

Slide 5: Public Subnet Behind XTM
  • Generally, the concern is redundancy and the inbound path to the public subnet
  • Works with either static or dynamic routing
  • Can be as simple as single-WAN and as complex as multi-WAN with dynamic routing

Slide 6: Simple Scenario: Public Subnet behind XTM
  • Single External interface
  • Static routing is sufficient
  • Works with subnets of variable sizes

Slide 7: Simple Scenario: Configuration Tips
  • A static route must be configured on the router in front of the XTM device. In this example: a route to 202.101.21.0/24 with next hop 208.82.1.2 (the XTM's External interface)
  • Assign an IP address from the same subnet to the XTM's Optional interface
  • The subnet must not be included in the Dynamic NAT configuration
  • Uncheck the NAT options on the policies involving the Optional network or any host of the public subnet
  Note: unchecking the NAT option simply spares the policy the extra NAT processing.

Slide 8: Simple Scenario: Network Configuration (image only)

Slide 9: Simple Scenario: Policy Example 1 - Outbound (image only)

Slide 10: Simple Scenario: Policy Example 2 - Inbound
  • In this example 202.101.21.25 is the mail server
  • The policy's destination address is the mail server's IP address

Slide 11: Complex Scenario 1: Public Subnet behind XTM with Multi-WAN
  • Static routing only
  • Works like the single-WAN case, but with a failover function that uses a different IP address
  • Works even with a subnet smaller than /24
  • The inbound path to the real public IP is still a single path

Slide 12: Complex Scenario 1: Configuration Tips
  • A static route must be configured on the router in front of the XTM, pointing to the XTM's External-1, as in the Simple Scenario
  • Assign an IP address from the same subnet to the XTM's Optional interface
  • Add a Dynamic NAT entry for the public subnet translating to the IP address of External-2, for outbound traffic
  • Inbound policies require two entries going to the same host

Slide 13: Complex Scenario 1: Network Configuration (image only)

Slide 14: Complex Scenario 1: DNAT Configuration
  • An entry is added for the public IP subnet to translate to External-2 only

Slide 15: Complex Scenario 1: Policy Example 1 - Outbound (image only)

Slide 16: Complex Scenario 1: Policy Example 2 - Inbound
  • In this example 202.101.21.25 is the mail server
  • The destination address has two entries:
      - the host as is (202.101.21.25)
      - a Static NAT entry translating the other External IP, 122.22.21.2, to 202.101.21.25

Slide 17: Complex Scenario 1: Configure the DNS Records for Inbound Traffic
  Example DNS records (MX and A) for the email system:
      company.com.        IN MX 5   mail1.company.com.
      company.com.        IN MX 10  mail2.company.com.
      mail1.company.com.  IN A      202.101.21.25
      mail2.company.com.  IN A      122.22.21.2
  Example DNS records for the web service:
      www1.company.com.   IN A      202.101.21.80
      www2.company.com.   IN A      122.22.21.2
  Note that 122.22.21.2 reaches the mail server only because of the Static NAT entry in the inbound SMTP policy (slide 16); Static NAT entries are per policy, so the inbound HTTP policy needs its own entry mapping 122.22.21.2 to 202.101.21.80 for www2 to work.

Slide 18: Complex Scenario 2: Public Subnet behind XTM with Multi-WAN and Dynamic Routing
  • Dynamic routing support
  • The inbound path to the public IP can be either of the WAN interfaces
  • Limited to subnets of /24 or larger (upstream peers generally do not accept prefixes longer than /24)

Slide 19: Complex Scenario 2: Configuration Tips
  • Configure the External interfaces
  • Assign an IP address from the same subnet to the XTM's Optional interface
  • Configure dynamic routing with the upstream peers

Slide 20: Complex Scenario 2: Network Configuration (image only)

Slide 21: Complex Scenario 2: Dynamic Routing Configuration (image only)
  Speaker note: discuss route objects if needed

Slide 22: Complex Scenario 2: Policy Example 1 - Outbound (image only)

Slide 23: Complex Scenario 2: Policy Example 2 - Inbound
  • In this example 202.101.21.25 is the mail server
  • The policy's destination address is the mail server's IP address

Slide 24: DYNAMIC ROUTING IN FIRECLUSTER

Slide 25: Dynamic Routing in FireCluster: Consider this (image only)

Slide 26: Let's try it out

Slide 27: ENF WITH REMOTE WAN FAILOVER

Slide 28: Consider This Scenario
  • A site can access the other through the point-to-point link (PTP)
Slide 29: Consider This Scenario (continued)
  • A site can access the other through the point-to-point link (PTP)
  • If the point-to-point link goes down, the traffic routes through the BOVPN
  • ENF: Enhanced Network Failover

Slide 30: Enhanced Network Failover
  • A site's access to any resource on the Internet goes through its WAN

Slide 31: Enhanced Network Failover (continued)
  • A site's access to any resource on the Internet goes through its WAN
  • If the WAN breaks, it should be able to re-route through the PTP link

Slide 32: ENF with Remote WAN Failover
  • The idea is to be able to use the remote site's WAN for failover
  • Remote WAN failover can be configured on either or both sites

Slide 33: ENF with Remote WAN Failover Configuration: Network Configuration (image only)

Slide 34: ENF with Remote WAN Failover Configuration: Dynamic NAT
  • Dynamic NAT is only on the real WAN interface

Slide 35: ENF with Remote WAN Failover Configuration: Dynamic Routing (OSPF) (image only)

Slide 36: ENF with Remote WAN Failover Configuration: BOVPN Configuration (image only)

Slide 37: ENF with Remote WAN Failover Configuration: The Policies (image only)

Slide 38: ENF with Remote WAN Failover: Tips
  • The link between the two sites must be point-to-point, with the HO (head office) side set as LAN/OPT and the BO (branch office) side set as WAN.
  • A multi-hop link is also possible, provided the routers in between can do source-based routing to filter the direction of the default routes.
  • On the BO site, Dynamic NAT is configured on the real WAN interface only, so that traffic from one site to the other is not translated to the interface IP.
  • On the BO site, Multi-WAN should be set to Failover.
  • On the HO site, you must allow the remote subnet in the Global DNAT settings and in the outbound rules for web access.
  • Ping must be allowed from the opposite end of the point-to-point link; otherwise the link monitor marks the External interface as failed and failover never happens.
  • This works with static or dynamic routes, and with a classic site-to-site VPN.

Slide 39: Let's try it out

Slide 40: MIXED CLIENTLESS SSO

Slide 41: Mixed Clientless SSO Scenario
  • The network is a combination of AD-joined hosts and disjoined hosts
  • AD-joined hosts authenticate with Clientless SSO
  • AD-disjoined hosts such as Macs and Unix machines are auto-redirected to the authentication page when they browse

Slide 42: Helpful Hints
  • Split the trusted subnet for easier policy configuration:
      - DHCP address reservations for the AD-joined hosts (IP address reservations)
      - a DHCP pool for the AD-disjoined hosts (IP pool)
  • Another option is to put the AD-disjoined hosts on a different subnet, such as another zone or a wireless guest network
  • WebBlocker plays a key role in this scenario, since it is used to block the initial access of the disjoined hosts

Slide 43: Mixed Clientless SSO Configuration: Configure ELM
  • ELM (Event Log Monitor) should be the top priority in the Clientless SSO settings

Slide 44: Mixed Clientless SSO Configuration: Check the Trusted Interface Configuration
  • The host range should be easily segregated
  • In this example the lower half is for the reserved addresses of the AD-joined hosts
  • The upper half is for the disjoined hosts (DHCP pool)

Slide 45: Mixed Clientless SSO Configuration: Add the Active Directory Domain (image only)

Slide 46: Mixed Clientless SSO Configuration: Enable Single Sign-On
  • Add exceptions to the SSO Clients list
  • The exceptions are the host range corresponding to the IP pool available for the disjoined hosts

Slide 47: Mixed Clientless SSO Configuration: Add the Policy for the AD-Joined Hosts and the Authenticated Hosts (image only)

Slide 48: Mixed Clientless SSO Configuration: Add the Policy for the Disjoined Hosts
  • The source corresponds to the IP pool of the disjoined hosts
  • Take note of the proxy action

Slide 49: Mixed Clientless SSO Configuration: Add and configure WebBlocker to deny all categories (image only)

Slide 50: Mixed Clientless SSO Configuration: Edit the deny message (image only)

Slide 51: Mixed Clientless SSO Configuration: Note that the policies are in manual order mode (image only)

Slide 52: Let's try it out

Slide 53: THANK YOU!
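To make the NAT behaviour of the Simple Scenario (slides 6 to 10) and Complex Scenario 1 (slides 11 to 17) concrete, the following Python model is added here; it is not code from the deck or from WatchGuard (Fireware is configured in Policy Manager, not in code). It uses the deck's addresses; the interface names External-1 and External-2, the 10.0.1.0/24 trusted LAN, and every class and function name are assumptions of this example. The check at the end flags the misconfiguration the deck warns about on slide 7: a Dynamic NAT entry that covers the public subnet on the interface the ISP routes it to.

```python
# Added example (not code from the deck or from WatchGuard): a small model of
# the NAT decisions behind the Simple Scenario (slides 6-10) and Complex
# Scenario 1 (slides 11-17). Addresses are the deck's example values; the
# interface names External-1/External-2, the 10.0.1.0/24 trusted LAN and all
# class and function names are this example's own assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

PUBLIC_SUBNET = ip_network("202.101.21.0/24")  # routed to External-1 by the ISP router
MAIL_SERVER = ip_address("202.101.21.25")
EXTERNAL1 = ip_address("208.82.1.2")           # next hop of the ISP's static route
EXTERNAL2 = ip_address("122.22.21.2")          # second WAN, reachable only via translation
TRUSTED = ip_network("10.0.1.0/24")            # constructed private LAN, for contrast


@dataclass
class DynamicNatRule:
    """Outbound: sources in `src` leaving via `egress` are rewritten to `to`."""
    src: IPv4Network
    egress: str
    to: IPv4Address


@dataclass
class StaticNatRule:
    """Inbound: packets for `external_ip` arriving on `ingress` go to `host`."""
    ingress: str
    external_ip: IPv4Address
    host: IPv4Address


@dataclass
class Xtm:
    dynamic_nat: list = field(default_factory=list)
    static_nat: list = field(default_factory=list)

    def outbound_source(self, src, egress):
        """Source address a packet leaves with: the first matching Dynamic NAT
        rule wins; with no matching rule the real address is kept."""
        src = ip_address(src)
        for rule in self.dynamic_nat:
            if src in rule.src and rule.egress == egress:
                return rule.to
        return src

    def inbound_destination(self, dst, ingress):
        """Destination after Static NAT; the real public IP needs no rule."""
        dst = ip_address(dst)
        for rule in self.static_nat:
            if rule.ingress == ingress and rule.external_ip == dst:
                return rule.host
        return dst


def simple_scenario():
    """Single WAN: the private LAN is translated, the public subnet is not,
    which is what 'do not include the subnet in Dynamic NAT' achieves."""
    return Xtm(dynamic_nat=[DynamicNatRule(TRUSTED, "External-1", EXTERNAL1)])


def complex_scenario_1():
    """Multi-WAN, static routing: the public subnet is translated only when it
    fails over to External-2, and inbound on External-2 is Static NAT'd to the
    mail server (the second destination entry in the slide 16 policy)."""
    return Xtm(
        dynamic_nat=[
            DynamicNatRule(TRUSTED, "External-1", EXTERNAL1),
            DynamicNatRule(TRUSTED, "External-2", EXTERNAL2),
            DynamicNatRule(PUBLIC_SUBNET, "External-2", EXTERNAL2),
        ],
        static_nat=[StaticNatRule("External-2", EXTERNAL2, MAIL_SERVER)],
    )


def dynamic_nat_conflicts(xtm, public_subnet, primary_egress):
    """Configuration check: Dynamic NAT rules that would rewrite the public
    subnet on the interface the ISP routes it to. Any hit means those hosts
    leave with the interface IP instead of their real address."""
    return [r for r in xtm.dynamic_nat
            if r.egress == primary_egress and r.src.overlaps(public_subnet)]


if __name__ == "__main__":
    c = complex_scenario_1()
    print("mail server via External-1 leaves as", c.outbound_source(MAIL_SERVER, "External-1"))
    print("mail server via External-2 leaves as", c.outbound_source(MAIL_SERVER, "External-2"))
    print("inbound to 122.22.21.2 reaches", c.inbound_destination(EXTERNAL2, "External-2"))
    careless = Xtm(dynamic_nat=[DynamicNatRule(ip_network("0.0.0.0/0"), "External-1", EXTERNAL1)])
    print("conflicts:", dynamic_nat_conflicts(careless, PUBLIC_SUBNET, "External-1"))
```

Running it shows a public host leaving External-1 with its real address, leaving External-2 as 122.22.21.2 after failover, and inbound traffic to 122.22.21.2 reaching the mail server only because of the Static NAT entry. A catch-all Dynamic NAT entry is the first thing to look for when public hosts suddenly appear on the Internet as 208.82.1.2.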
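The tips on slide 38 are a checklist for the branch-office side of ENF with Remote WAN Failover. The following Python model is added here to show how those tips interact; it is not code from the deck or from WatchGuard. It encodes the deck's rules (Multi-WAN in failover mode, the link monitor must be answered on the PTP link, Dynamic NAT only on the real WAN, HO must NAT and permit the remote subnet) as checks. The interface names, the 192.168.20.0/24 branch subnet, the link states and all function names are constructed; OSPF and the BOVPN are not modelled.

```python
# Added example (not from the deck, not WatchGuard code): a model of the branch
# office (BO) side of "ENF with Remote WAN Failover" (slides 27-38). It encodes
# the slide 38 tips as checks; interface names, the 192.168.20.0/24 branch
# subnet and the link states are constructed. OSPF and the BOVPN are not modelled.
from dataclasses import dataclass
from ipaddress import ip_network

BO_LAN = ip_network("192.168.20.0/24")  # constructed branch-office subnet


@dataclass
class External:
    name: str          # "WAN" (real ISP link) or "PTP" (link to HO, configured as WAN on BO)
    link_up: bool
    dynamic_nat: bool  # is BO_LAN translated to this interface's IP?


@dataclass
class HeadOffice:
    answers_ping_on_ptp: bool  # HO policy allows ping from the BO end of the PTP link
    dnat_sources: list         # subnets in HO's Global Dynamic NAT list
    outbound_sources: list     # sources allowed by HO's outbound web policies


def probe_ok(ext, ho):
    """Multi-WAN link monitor: an interface counts as up only if the probe to
    its next hop succeeds. On the PTP link the next hop is HO's LAN/OPT
    interface, so HO's policy decides whether the probe gets an answer."""
    if ext.name == "PTP":
        return ext.link_up and ho.answers_ping_on_ptp
    return ext.link_up


def active_default(externals, ho):
    """Failover mode: the first interface in configured order whose probe
    passes carries the default route; None if every external is down."""
    for ext in externals:
        if probe_ok(ext, ho):
            return ext
    return None


def failover_problems(ptp, ho):
    """Things that break BO Internet traffic once it rides the PTP link."""
    problems = []
    if ptp.dynamic_nat:
        problems.append("Dynamic NAT on PTP rewrites BO_LAN; NAT only on the real WAN")
    if not any(BO_LAN.subnet_of(s) for s in ho.dnat_sources):
        problems.append("HO Global DNAT must include BO_LAN")
    if not any(BO_LAN.subnet_of(s) for s in ho.outbound_sources):
        problems.append("HO outbound web policies must allow BO_LAN as source")
    return problems


def internet_path(externals, ho):
    """Returns (interface name or None, list of problems) for BO Internet
    traffic under the given link states."""
    ext = active_default(externals, ho)
    if ext is None:
        return None, ["no external interface passes its link monitor"]
    if ext.name == "PTP":
        return "PTP", failover_problems(ext, ho)
    return ext.name, []


def branch(wan_up, nat_on_ptp=False):
    """Constructed BO interface list in failover order: real WAN first."""
    return [External("WAN", wan_up, True), External("PTP", True, nat_on_ptp)]


# HO configured as slide 38 says: answers ping, NATs and permits the BO subnet.
GOOD_HO = HeadOffice(True, [ip_network("10.0.0.0/8"), BO_LAN],
                     [ip_network("10.0.0.0/8"), BO_LAN])

if __name__ == "__main__":
    print("WAN up:", internet_path(branch(wan_up=True), GOOD_HO))
    print("WAN down:", internet_path(branch(wan_up=False), GOOD_HO))
    print("WAN down, HO blocks ping:",
          internet_path(branch(wan_up=False), HeadOffice(False, [BO_LAN], [BO_LAN])))
    print("WAN down, HO DNAT missing, NAT on PTP:",
          internet_path(branch(wan_up=False, nat_on_ptp=True), HeadOffice(True, [], [BO_LAN])))
```

The interesting case is the third one: if HO drops ping on the PTP link, the BO never fails over at all, because its link monitor already considers the PTP interface down, which is the failure mode the last-but-one tip on slide 38 describes.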
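Slides 41 to 51 describe the Mixed Clientless SSO setup as a sequence of screenshots. The following Python model is added here to show why the disjoined hosts' DHCP pool is listed as an SSO exception and why the two HTTP policies must stay in manual order (slide 51); it is not code from the deck or from WatchGuard. The 10.0.1.0/24 ranges, the user names, the ELM logon table and all class and function names are constructed; the deck gives none of them.

```python
# Added example (not code from the deck or from WatchGuard): a first-match
# model of the Mixed Clientless SSO policy set (slides 41-51). The 10.0.1.0/24
# ranges, user names and the ELM logon table are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# Trusted subnet split as slide 44 suggests: lower half reserved for AD-joined
# hosts, upper half a DHCP pool for Macs and Unix hosts.
JOINED_RANGE = (ip_address("10.0.1.1"), ip_address("10.0.1.127"))
POOL_RANGE = (ip_address("10.0.1.128"), ip_address("10.0.1.254"))
SSO_EXCEPTIONS = [POOL_RANGE]  # slide 46: clientless SSO is never attempted here

# Stand-in for what the Event Log Monitor (ELM) reports: AD logon events,
# which only AD-joined hosts generate.
ELM_LOGONS = {ip_address("10.0.1.20"): "alice@CORP"}


def in_range(ip, rng):
    return rng[0] <= ip <= rng[1]


@dataclass
class Client:
    ip: IPv4Address
    portal_user: Optional[str] = None  # set once the user logs in at the auth page


def resolve_user(client):
    """Who the XTM believes is behind this IP: ELM lookup for non-excepted
    addresses; for excepted ones only an authentication-page login counts."""
    if any(in_range(client.ip, r) for r in SSO_EXCEPTIONS):
        return client.portal_user
    return ELM_LOGONS.get(client.ip) or client.portal_user


@dataclass
class Policy:
    name: str
    src_range: Optional[tuple]  # None means any source address
    require_user: bool          # the From field is a user/group, not an address
    action: str


def matches(policy, client):
    if policy.src_range is not None and not in_range(client.ip, policy.src_range):
        return False
    if policy.require_user and resolve_user(client) is None:
        return False
    return True


def evaluate(policies, client):
    """Manual-order evaluation: the first policy that matches decides."""
    for p in policies:
        if matches(p, client):
            return p.name, p.action
    return "default", "deny"


# The deck's two HTTP policies, in the order slide 51 keeps them.
MANUAL_ORDER = [
    # slide 47: AD-joined hosts (known via ELM) and anyone who authenticated
    Policy("HTTP-Authenticated", None, True, "allow"),
    # slides 48-50: the disjoined pool, HTTP proxy action with WebBlocker
    # denying every category; the edited deny page tells the user to log in
    Policy("HTTP-Disjoined", POOL_RANGE, False, "webblocker-deny-page"),
]


def browse(ip, portal_user=None, policies=MANUAL_ORDER):
    """Which policy an HTTP request from `ip` hits, and what happens to it."""
    return evaluate(policies, Client(ip_address(ip), portal_user))


if __name__ == "__main__":
    print("AD-joined PC:", browse("10.0.1.20"))
    print("Mac, not logged in:", browse("10.0.1.200"))
    print("Mac, logged in:", browse("10.0.1.200", "bob@CORP"))
    print("Mac, logged in, policies reversed:",
          browse("10.0.1.200", "bob@CORP", list(reversed(MANUAL_ORDER))))
```

The last call is the reason for manual order: with the narrower, source-based disjoined policy above the authenticated one, a Mac user who has already logged in at the authentication page still lands on the WebBlocker deny page, because the first match wins and that policy never looks at the user.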
