About Policies for Firebox-Generated Traffic

In addition to traffic that passes through the Firebox, the Firebox generates its own traffic. Firebox-generated traffic is also known as self-generated traffic or self-originated traffic.

Examples of Firebox-generated traffic include:

  • Signature updates for WatchGuard services such as Gateway AntiVirus, Intrusion Prevention Service, Application Control, Data Loss Prevention, Botnet Detection, Tor Exit Node Blocking, and Geolocation
  • Queries to WatchGuard servers for services, such as WebBlocker, spamBlocker, and APT Blocker
  • VPN traffic for tunnels not tied to an interface, such as SSL management tunnels and BOVPN over TLS tunnels
  • Log traffic from the Firebox to a Dimension server

In Fireware v12.2 or higher, you can add policies to control traffic generated by the Firebox. For example, you can create an HTTPS packet filter policy for traffic from the Firebox to cloud-based WatchGuard subscription services. In this policy, you can specify which WAN interface the traffic should use. This helps you prevent subscription services traffic to unintended or expensive interfaces. You can create separate policies for different kinds of Firebox-generated traffic.

You can apply global NAT, per-policy NAT, policy-based routing, quality of service (QoS), and traffic management to policies that specify Firebox-generated traffic. For a policy that specifies traffic management, only the forward direction traffic management action is applied.

Unsupported Settings

Settings on the multi-WAN configuration page do not apply to Firebox-generated traffic.

Proxy actions are not supported for Firebox-generated traffic.

These types of Firebox-generated traffic cannot be controlled with a policy:

  • Traffic from 127.0.0.1 to 127.0.0.1
  • Traffic between management IP addresses of FireCluster members
  • Traffic received from or sent out of a FireCluster interface
  • IKE UDP 500/4500 and ESP/AH traffic
  • Ping and trace route diagnostic traffic
  • DNSWatch NAT IP address detection traffic
  • DynDNS updates

About the Internal Interface and IP Address Selection Process

For network traffic with a destination host on a trusted, optional or external network:

  • For the source of Firebox-generated traffic, the Firebox uses the primary IP address of the interface where the destination address exists. The Firebox routing table determines the primary IP address.
  • When the destination address is on an external network, with multiple external interfaces, the Firebox uses the external interface address with the lowest interface index, regardless of multi-WAN settings.

For network traffic with a destination host located across an IKEv1 or IKEv2 BOVPN tunnel:

  • The Firebox evaluates the available tunnel routes. For the source of the Firebox-generated traffic, the Firebox uses the primary IP address of the interface address with the lowest interface index that matches both the source and destination in the tunnel route.
  • The Firebox can use the interface IP addresses of any security zone. This includes VLAN interfaces and cluster management interfaces.
  • When both physical interfaces and VLAN interfaces can meet the tunnel route requirements, the Firebox uses the physical interface IP address.

For network traffic with a destination host located across a virtual interface tunnel:

  • The Firebox uses the virtual interface IP address, defined in the BOVPN gateway configuration, for the source of the Firebox-generated traffic.
  • When no virtual interface IP address is defined, the Firebox chooses the next available interface from its routing table. This is usually the primary IP address of the external interface with the lowest interface index.

Configuration

To control Firebox-generated traffic, you must:

  • Enable the Enable configuration of policies for traffic generated by the Firebox global setting.
  • Add a policy that specifies Firebox-generated traffic.

When you enable the Enable configuration of policies for traffic generated by the Firebox global setting:

  • The Firebox uses the IP address of the outgoing interface that is in the same subnet as the destination address.
  • When no IP address of an outgoing interface is in the same subnet as the destination address, the Firebox uses the primary IP address of the interface with the lowest index.
  • When there is no IP address on the outgoing interface, such as with a BOVPN virtual interface, the Firebox uses the primary IP address of the interface with the lowest index.

The Firebox routing table determines the primary IP address.

When you disable the Enable configuration of policies for traffic generated by the Firebox global setting:

  • The Firebox uses the primary IP address of the interface with the lowest index that matches the VPN tunnel.
  • For a multi-WAN configuration, different multi-WAN configurations could apply a different logic to select the outgoing interface and source address.
  • The Firebox decides which source IP address and interface to use when it sources Firebox-generated connections.

For information about the global setting, go to Define Firebox Global Settings.

To configure polices for Firebox-generated traffic, go to Configure Policies for Firebox-Generated Traffic.

For configuration examples, go to Configuration Examples for Control of Firebox-Generated Traffic.

As a best practice, we recommend that you do not create deny policies for Firebox-generated traffic.

Policy Order

When you enable the Enable configuration of policies for traffic generated by the Firebox setting, the previously hidden Any-From-Firebox policy appears in the list of policies. This policy cannot be modified or removed. If auto-order mode is enabled for the Policies list, which is the default setting, these changes also occur:

  • Policy order number changes for existing policies.
    This occurs because the previously hidden Any-From-Firebox policy now appears.
  • Policies that control Firebox-generated traffic appear before all other policies.
    If no other policies exist that control Firebox-generated traffic, the Any-From-Firebox is first in the list and is numbered 1.
  • Policies that you add for Firebox-generated traffic appear before the Any-From-Firebox policy because they are more granular.

BOVPN and BOVPN Virtual Interfaces

In Fireware v12.2 or higher, when you enable the Enable configuration of policies for traffic generated by the Firebox global setting:

BOVPN

  • The Firebox no longer sets the source IP address for Firebox-generated traffic to match a BOVPN tunnel route. This means that Firebox-generated traffic uses a WAN interface instead of the BOVPN tunnel.
  • If you enable the global setting but want Firebox-generated traffic to use a BOVPN tunnel, you can add a policy.

BOVPN Virtual Interface

  • You can add a policy to force Firebox-generated traffic to use a WAN interface instead of the BOVPN virtual interface tunnel.

To control Firebox-generated traffic when your configuration includes a BOVPN or BOVPN virtual interface, go to Configuration Examples for Control of Firebox-Generated Traffic.

Set Source IP Address

You can set the source IP address in policies for Firebox-generated traffic. Any traffic that uses the policy shows the specified address as the source. You might want to set the source IP address for Firebox-generated traffic if:

  • Your ISP uses a separate subnet for routing and traffic, and you want the Firebox to use the primary IP address for routing, and an IP address on a secondary network for Firebox-generated traffic.
  • You have a provider-independent IP address block, and you want to configure the Firebox to use the IP addresses for Firebox-generated traffic, but not bind them to a specific interface.

You can use the loopback interface to bind IP addresses to the Firebox that are not associated with a specific WAN interface. In Fireware v12.2 or higher, you can specify the primary or secondary IP address of the loopback interface in the dynamic NAT settings for a policy. To use provider-independent addresses for Firebox-generated traffic, set the source IP address in a DNAT rule to one or more IP addresses from the provider-independent block.

To configure a policy that specifies a source IP address for Firebox-generated traffic, go to Configure Policies for Firebox-Generated Traffic.

For information about global dynamic NAT, go to About Dynamic NAT Source IP Addresses.

For information about loopback IP addresses, go to Configure a Loopback Interface.

Log Messages

Logging for the Any-From-Firebox policy is controlled by the Enable logging for traffic sent from this device check box. You can find this check box in the global logging settings:

  • Web UI — System > Logging > Settings
  • Policy Manager — Setup > Logging > Diagnostic Log Level

Logging for policies that you create for Firebox-generated traffic is controlled in those policies.

Related Topics

Configure Policies for Firebox-Generated Traffic

Configuration Examples for Control of Firebox-Generated Traffic

Define Firebox Global Settings