WatchGuard Policy Optimisation for Proxy Connection Limitations

WatchGuard Firebox/XTM appliances have a finite limit on the number of proxy connections available. The XTM series has a very high limit and should not present a problem. However, we do hear reports of e-Series hardware hitting the limit, and malware outbreaks have been known to trigger the same problem as infected hosts 'phone home' or try to spread. To prevent hardware lock-ups and frequent reboots of the appliance, policy should be optimised with a view to limiting the number of connections that get proxied. Frequently, the cause is a TCP-UDP Proxy being used as a 'catch-all' rule. While it is fine to use the TCP-UDP Proxy in this manner, it is best to deal with unwanted traffic, or traffic that can be allowed through a packet filter rule, before it reaches the TCP-UDP Proxy catch-all rule.
If you must use the TCP-UDP Proxy (to allow MSN IM, for example), consider adding packet filter rules to handle:
  • Allow NTP (TCP/UDP 123)
  • Allow Media Servers, such as RTSP (TCP/UDP 554), MMS (TCP/UDP 1755) and RTMP (TCP 1935)
  • Control Ping
  • Deny Microsoft traffic such as SMB (TCP 445), NetBIOS (UDP 137/138, TCP 139), RPC (TCP/UDP 135) and LDAP (TCP/UDP 389) from going to the internet
  • P2P - block other unnecessary ports
  • Consider a Packet Filter for incoming Web Server traffic, unless users upload content that needs to be virus scanned
  • Consider using a Packet Filter for DNS, rather than the DNS Proxy
  • Use Packet Filters for traffic between internal zones (e.g. Trusted to Optional, LAN to DMZ)
  • If you are lucky enough to have 11.4 and Application Control, then you can use Application Control on a Packet Filter to allow authorised applications and deny unauthorised applications.
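To show the effect of rule ordering, here is an added example (not WatchGuard code) modelling first-match policy evaluation: the packet filters from the list above are placed ahead of the TCP-UDP Proxy catch-all, and the script counts how many connections still consume a proxy connection. The traffic sample is constructed, only outbound flows are modelled, and port 1863 for MSN IM is an assumption.

```python
from collections import Counter
from typing import NamedTuple
class Rule(NamedTuple):
    name: str
    protos: frozenset   # protocols matched, e.g. {"tcp", "udp"}
    ports: frozenset    # destination ports; empty means any port (catch-all)
    action: str         # "allow" or "deny"
    kind: str           # "filter" (packet filter) or "proxy" (uses a proxy connection)

class Flow(NamedTuple):
    proto: str
    dport: int

def matches(rule: Rule, flow: Flow) -> bool:
    return flow.proto in rule.protos and (not rule.ports or flow.dport in rule.ports)

def evaluate(policy: list, flows: list) -> Counter:
    # First-match evaluation: the first rule that matches decides the connection.
    result = Counter()
    for flow in flows:
        for rule in policy:
            if matches(rule, flow):
                if rule.action == "deny":
                    result["denied"] += 1
                elif rule.kind == "proxy":
                    result["proxied"] += 1   # consumes one of the finite proxy connections
                else:
                    result["filtered"] += 1  # packet filter: no proxy connection used
                break
        else:
            result["unmatched"] += 1
    return result

TCP_UDP = frozenset({"tcp", "udp"})
CATCH_ALL = Rule("TCP-UDP-Proxy", TCP_UDP, frozenset(), "allow", "proxy")
# Packet filters from the list above, ordered ahead of the catch-all proxy.
# Only outbound traffic is modelled, so the Microsoft deny rule needs no direction.
OPTIMISED = [
    Rule("NTP", TCP_UDP, frozenset({123}), "allow", "filter"),
    Rule("Media", TCP_UDP, frozenset({554, 1755, 1935}), "allow", "filter"),
    Rule("Deny-MS-Out", TCP_UDP, frozenset({445, 137, 138, 139, 135, 389}), "deny", "filter"),
    Rule("DNS", TCP_UDP, frozenset({53}), "allow", "filter"),
    CATCH_ALL,
]
UNOPTIMISED = [CATCH_ALL]

# Constructed sample traffic: normal use plus a worm-like burst of outbound SMB; 1863 = MSN IM (assumed).
SAMPLE_FLOWS = ([Flow("udp", 123)] * 5 + [Flow("udp", 53)] * 20 + [Flow("tcp", 554)] * 3
                + [Flow("tcp", 445)] * 40 + [Flow("tcp", 80)] * 10 + [Flow("tcp", 1863)] * 2)
```

With only the catch-all in place all 80 sample connections are proxied; with the packet filters ahead of it, 40 are denied and 28 handled by packet filters, leaving 12 to consume proxy connections.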
An example policy using the above advice:
If all else fails, there is a scheduled reboot feature in Version 11 onwards: Setup >> Global Settings >> Automatic Reboot.
