How to Configure WatchGuard Firebox Series Firewalls for Usage with Appriver Services
This KB article is step by step documentation on how to properly configure Default Packet Handling and create a custom SMTP service on WatchGuard Firebox series firewalls. This simple configuration of Default Packet Handling options and custom SMTP filter will resolve most issues with SMTP communications between Appriver email filtering servers and WatchGuard Firebox series firewalls.
When configuring WatchGuard Firebox series firewalls, most Administrators utilize the SMTP proxy service which incorporates stateful packet inspection. This is the most secure and preferred configuration, but this can also cause communication errors that disallow proper SMTP traffic flow between Appriver’s email filtering servers and the firewall. Unknown content or content type and differing header lengths can cause the WatchGuard firewall’s SMTP proxy service to deny the email or block legitimate traffic by adding the Appriver’s filtering server(s) IP address to the Blocked Sites list. This, in turn, ceases all inbound email flow from Appriver’s server(s).
To overcome this, you will need to remove the SMTP proxy service and create a custom User Filter that will allow secure email flow that is unrestricted. We also need to configure Default Packet Handling to ignore packets not handled. Before following these steps, make certain that you have a current backup of your Firebox’s configuration. Though these changes are simple to implement and normally cause no issue, I cannot stress enough the need for a backup config. Also make certain that you document the current configuration of the SMTP proxy, this includes any stances for Incoming and Outgoing traffic (enabled and allowed, enabled and denied, or disabled), NATs, Aliases, logging options and sources (From / To). You will need to mimic these settings when configuring the newly created custom SMTP service.
Configuring Default Packet Handling Rule
1. To configure Default Packet Handling to ignore unhandled packets, we simply open the Firebox System Manager and then the Policy Manager.
2. From the menu bar click Setup > Intrusion Prevention > Default Packet Handling.
3. At the bottom, clear the Auto-block source of packets not handled box.
4. Click OK and save this change to the Firebox and config.
Create Custom SMTP Filter
To perform this step, we need to first delete the SMTP proxy that is currently in place. (Right click – “Delete”) Remember, we have already documented ALL pertinent information about this service such as NATs, Aliases, stances, sources and logging options…haven’t we? If not, please do so now BEFORE deletion. Failing to do so may cause your downtime to be exorbitant while you try and compile all of the needed information to input into the new SMTP filter.
Now that we have deleted the offending SMTP proxy service, we want to create our new User Defined SMTP filter. To do this we need to open the Firebox System Manager and then the Policy Manager. (That is, if it is not already open from the previous config change)
1. On the menu bar, click the + to add a new service. This will open the Services dialog window.
2. Click the User Filter folder, and then click New. This will open the New Service dialog box.
3. Type an easily recognizable name in the Name field (I use “Company_SMTP” substituting the company name with client organization name.) and then click the Add button. This brings up the Add Port dialog box.
4. Enter 25 into the Port field leaving the Protocol and Client Port fields as the defaults of TCP and Client. (Port 25 is the default SMTP port. If you have configured your mail server to utilize a different port, place that port number into the field instead.)
5. Click OK and then OK again. This takes you back to the Services dialog box.
6. Click Add and then OK.
This brings up the Properties dialogue box for the custom filter that you have just created. Here you will input the information that you documented from the previous SMTP proxy service. Once done, save to the Firebox and to the config. Reboot and you are done.