In addition to traffic that passes through the Firebox, the Firebox generates its own traffic. Firebox-generated traffic is also known as self-generated traffic or self-originated traffic.
Examples of Firebox-generated traffic include:
- Signature updates for WatchGuard services such as Gateway AntiVirus, Intrusion Prevention Service, Application Control, Data Loss Prevention, Botnet Detection, and Geolocation
- Queries to WatchGuard servers for services such as WebBlocker, spamBlocker, and APT Blocker
- VPN traffic for tunnels not tied to an interface such as SSL management tunnels and BOVPN over TLS tunnels
- Log traffic from the Firebox to a Dimension server
In Fireware v12.2 or higher, you can add policies to control traffic generated by the Firebox. For example, you can create an HTTPS packet filter policy for traffic from the Firebox to cloud-based WatchGuard subscription services. In this policy, you can specify which WAN interface the traffic should use. This helps you prevent subscription services traffic from using unintended or expensive interfaces. You can create separate policies for different kinds of Firebox-generated traffic.
You can apply global NAT, per-policy NAT, policy-based routing, quality of service (QoS), and traffic management to policies that specify Firebox-generated traffic. For a policy that specifies traffic management, only the forward direction traffic management action is applied.
Settings on the multi-WAN configuration page do not apply to Firebox-generated traffic.
Proxy actions are not supported for Firebox-generated traffic.
These kinds of Firebox-generated traffic cannot be controlled with a policy:
- Traffic from 127.0.0.1 to 127.0.0.1
- Traffic between management IP addresses of FireCluster members
- Traffic received from or sent out of a FireCluster interface
- IKE UDP 500/4500 and ESP/AH traffic
To control Firebox-generated traffic, you must:
- Enable the Enable configuration of policies for traffic generated by the Firebox global setting.
- Add a policy that specifies Firebox-generated traffic.
For information about the global setting, see Define Firebox Global Settings.
To configure policies for Firebox-generated traffic, see Configure Policies for Firebox-Generated Traffic.
For configuration examples, see Configuration Examples for Control of Firebox-Generated Traffic.
As a best practice, we recommend that you do not create deny policies for Firebox-generated traffic.
When you enable the Enable configuration of policies for traffic generated by the Firebox setting, the previously hidden Any-From-Firebox policy appears in the list of policies. This policy cannot be modified or removed. If auto-order mode is enabled for the Policies list, which is the default setting, these changes also occur:
- Policy order number changes for existing policies.
This occurs because the previously hidden Any-From-Firebox policy now appears.
- Policies that control Firebox-generated traffic appear before all other policies.
If no other policies exist that control Firebox-generated traffic, the Any-From-Firebox policy is first in the list and is numbered 1.
- Policies that you add for Firebox-generated traffic appear before the Any-From-Firebox policy because they are more granular.
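The auto-order placement and the constraints listed above (traffic that no policy can control, and the advice against deny policies) can be modelled as a small configuration check. This is an added example, not WatchGuard code; the Policy fields and the sample policy names are assumptions.

```python
# Added example (not WatchGuard code): a model of the policy rules this page
# states, applied to a constructed policy list. Field names are assumptions.
from dataclasses import dataclass
from typing import Optional

# Firebox-generated traffic that the page says no policy can control.
UNCONTROLLABLE = {("udp", 500), ("udp", 4500), ("esp", None), ("ah", None)}

@dataclass
class Policy:
    name: str
    from_firebox: bool          # True if the policy specifies Firebox-generated traffic
    action: str = "allow"       # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    proto: str = "tcp"
    port: Optional[int] = None

ANY_FROM_FIREBOX = Policy("Any-From-Firebox", from_firebox=True)

def auto_order(policies):
    """Number the list as auto-order mode does once the global setting is on:
    user policies for Firebox-generated traffic first (they are more granular),
    then the built-in Any-From-Firebox policy, then all other policies."""
    fb = [p for p in policies if p.from_firebox and p.name != ANY_FROM_FIREBOX.name]
    rest = [p for p in policies if not p.from_firebox]
    return [(i + 1, p.name) for i, p in enumerate(fb + [ANY_FROM_FIREBOX] + rest)]

def lint(policies):
    """Return findings for Firebox-generated policies that conflict with the page's rules."""
    findings = []
    for p in policies:
        if not p.from_firebox:
            continue
        if p.action == "deny":
            findings.append(f"{p.name}: deny policy for Firebox-generated traffic is not recommended")
        if (p.proto, p.port) in UNCONTROLLABLE or (p.proto, None) in UNCONTROLLABLE:
            findings.append(f"{p.name}: IKE UDP 500/4500 and ESP/AH traffic cannot be controlled")
        if p.src == "127.0.0.1" and p.dst == "127.0.0.1":
            findings.append(f"{p.name}: 127.0.0.1 to 127.0.0.1 traffic cannot be controlled")
    return findings

# Constructed sample: an HTTPS policy like the page's example, plus a policy that
# breaks two rules (deny, and IKE UDP 500) so the lint has something to report.
SAMPLE = [
    Policy("HTTP-proxy", from_firebox=False),
    Policy("Firebox-Subscription-HTTPS", from_firebox=True, port=443),
    Policy("Block-Firebox-IKE", from_firebox=True, action="deny", proto="udp", port=500),
]
```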
BOVPN and BOVPN Virtual Interfaces
In Fireware v12.2 or higher, when you enable the Enable configuration of policies for traffic generated by the Firebox global setting:
- The Firebox no longer sets the source IP address for Firebox-generated traffic to match a BOVPN tunnel route. This means that Firebox-generated traffic uses a WAN interface instead of the BOVPN tunnel.
- If you enable the global setting but want Firebox-generated traffic to use a BOVPN tunnel, you can add a policy.
BOVPN Virtual Interface
- You can add a policy to force Firebox-generated traffic to use a WAN interface instead of the BOVPN virtual interface tunnel.
To control Firebox-generated traffic when your configuration includes a BOVPN or BOVPN virtual interface, see Configuration Examples for Control of Firebox-Generated Traffic.
Set Source IP Address
You can set the source IP address in policies for Firebox-generated traffic. Any traffic that uses the policy shows the specified address as the source. You might want to set the source IP address for Firebox-generated traffic if:
- Your ISP uses a separate subnet for routing and traffic, and you want the Firebox to use the primary IP address for routing, and an IP address on a secondary network for Firebox-generated traffic.
- You have a provider-independent IP address block, and you want to configure the Firebox to use the IP addresses for Firebox-generated traffic, but not bind them to a specific interface.
You can use the loopback interface to bind IP addresses to the Firebox that are not associated with a specific WAN interface. In Fireware v12.2 or higher, you can specify the primary or secondary IP address of the loopback interface in the dynamic NAT settings for a policy. To use provider-independent addresses for Firebox-generated traffic, set the source IP address in a dynamic NAT (DNAT) rule to one or more IP addresses from the provider-independent block.
To configure a policy that specifies a source IP address for Firebox-generated traffic, see Configure Policies for Firebox-Generated Traffic.
For information about global dynamic NAT, see About Dynamic NAT Source IP Addresses.
For information about loopback IP addresses, see Configure a Loopback Interface.
Logging for the Any-From-Firebox policy is controlled by the Enable logging for traffic sent from this device check box. You can find this check box in the global logging settings:
- Web UI — System > Logging > Settings
- Policy Manager — Setup > Logging > Diagnostic Log Level
Logging for policies that you create for Firebox-generated traffic is controlled in those policies.