WatchGuard Firebox/XTM appliances have a finite limit on the number of proxy connections available. The XTM series has a very high limit and should not present a problem. However, we do hear reports of e-Series hardware hitting the limit, and malware outbreaks have been known to trigger the same problem as infected hosts 'phone home' or try to spread. To prevent hardware lock-ups and frequent appliance reboots, policy should be optimised to limit the number of connections that get proxied. Frequently, a TCP-UDP Proxy used as a 'catch-all' rule is the cause. While it is fine to use the TCP-UDP Proxy in this manner, it is best to deal with unwanted traffic, or traffic that can safely be allowed through a packet filter rule, before it reaches the TCP-UDP Proxy catch-all rule.
If you must use the TCP-UDP Proxy (to allow MSN IM, for example), consider adding packet filter rules to handle:
- Allow NTP (TCP/UDP 123)
- Allow Media Servers, such as RTSP (TCP/UDP 554), MMS (TCP/UDP 1755) and RTMP (TCP 1935)
- Control Ping
- Deny Microsoft traffic such as SMB (TCP 445), NetBIOS (UDP 137, 138; TCP 139), RPC (TCP/UDP 135) and LDAP (TCP/UDP 389) from going to the internet
- Block P2P and other unnecessary ports
- Consider a Packet Filter for incoming Web Server traffic, unless users upload content that needs to be virus scanned
- Consider using a Packet Filter for DNS, rather than the DNS Proxy
- Use Packet Filters for traffic between internal zones (e.g. Trusted to Optional, LAN to DMZ)
- If you are lucky enough to have 11.4 and Application Control, you can use Application Control on a Packet Filter to allow authorised applications and deny unauthorised ones.
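To make the effect of rule ordering concrete, here is an added illustration (not WatchGuard's code or configuration): a small top-down policy simulator that counts how many sample connections end up proxied, packet-filtered or denied, first with only a TCP-UDP Proxy catch-all and then with the packet filters from the list above placed ahead of it. The rule names, zone names and sample flows are constructed for the example, and TCP 1863 is assumed as the MSN IM port.

```python
"""Added example (not WatchGuard's code or configuration): a small
simulator showing why packet-filter rules placed above a TCP-UDP proxy
catch-all cut the number of proxied connections. Rule names, zone names
and the sample flows below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# protocol -> set of destination ports, or None for "any port of that protocol"
PortMap = Dict[str, Optional[FrozenSet[int]]]


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    handler: str           # "packet_filter" or "proxy"
    from_zones: FrozenSet[str]
    to_zones: FrozenSet[str]
    ports: Optional[PortMap] = None   # None matches any protocol and port


@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int
    src_zone: str
    dst_zone: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if flow.src_zone not in rule.from_zones or flow.dst_zone not in rule.to_zones:
        return False
    if rule.ports is None:
        return True
    if flow.proto not in rule.ports:
        return False
    allowed = rule.ports[flow.proto]
    return allowed is None or flow.dport in allowed


def first_match(policy: List[Rule], flow: Flow) -> Optional[Rule]:
    """Policies are evaluated top-down; the first matching rule wins.
    No match means the implicit deny."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule
    return None


def summarize(policy: List[Rule], flows: List[Flow]) -> Dict[str, int]:
    """Count how many sample flows end up proxied, packet-filtered or denied."""
    counts = {"proxied": 0, "filtered": 0, "denied": 0}
    for flow in flows:
        rule = first_match(policy, flow)
        if rule is None or rule.action == "deny":
            counts["denied"] += 1
        elif rule.handler == "proxy":
            counts["proxied"] += 1
        else:
            counts["filtered"] += 1
    return counts


INTERNAL = frozenset({"trusted", "optional"})
ANY_ZONE = frozenset({"trusted", "optional", "external"})
EXTERNAL = frozenset({"external"})


def fs(*ports: int) -> FrozenSet[int]:
    return frozenset(ports)


# The catch-all proxy on its own: every TCP/UDP connection from inside is proxied.
CATCH_ALL = Rule("TCP-UDP-proxy catch-all", "allow", "proxy", INTERNAL, ANY_ZONE,
                 {"tcp": None, "udp": None})
BEFORE_POLICY = [CATCH_ALL]

# Packet filters from the list above, ordered ahead of the catch-all.
AFTER_POLICY = [
    Rule("Allow NTP", "allow", "packet_filter", INTERNAL, EXTERNAL,
         {"tcp": fs(123), "udp": fs(123)}),
    Rule("Allow media servers", "allow", "packet_filter", INTERNAL, EXTERNAL,
         {"tcp": fs(554, 1755, 1935), "udp": fs(554, 1755)}),
    Rule("Allow ping", "allow", "packet_filter", INTERNAL, EXTERNAL, {"icmp": None}),
    Rule("Deny Microsoft traffic to internet", "deny", "packet_filter", INTERNAL, EXTERNAL,
         {"tcp": fs(135, 139, 389, 445), "udp": fs(135, 137, 138, 389)}),
    Rule("Allow DNS", "allow", "packet_filter", INTERNAL, EXTERNAL,
         {"tcp": fs(53), "udp": fs(53)}),
    Rule("Trusted to Optional", "allow", "packet_filter",
         frozenset({"trusted"}), frozenset({"optional"})),
    CATCH_ALL,
]

# Constructed sample connections; dport 0 stands in for ICMP echo.
SAMPLE_FLOWS = [
    Flow("udp", 123, "trusted", "external"),   # NTP
    Flow("tcp", 554, "trusted", "external"),   # RTSP
    Flow("tcp", 445, "trusted", "external"),   # SMB heading for the internet
    Flow("udp", 53, "trusted", "external"),    # DNS
    Flow("tcp", 1863, "trusted", "external"),  # MSN IM (assumed port), still needs the proxy
    Flow("tcp", 80, "trusted", "optional"),    # LAN to DMZ web server
    Flow("icmp", 0, "trusted", "external"),    # ping
]

if __name__ == "__main__":
    print("catch-all only:", summarize(BEFORE_POLICY, SAMPLE_FLOWS))
    print("filters first: ", summarize(AFTER_POLICY, SAMPLE_FLOWS))
```

With only the catch-all, six of the seven sample connections are proxied (including the SMB session heading for the internet, which should never have been allowed out); with the packet filters in front, only the MSN IM session still consumes a proxy connection, the SMB session is dropped, and the rest are handled by the packet filter engine.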
An example policy using the above advice:
If all else fails, there is a scheduled reboot feature from Version 11 onwards: Setup > Global Settings > Automatic Reboot.