WatchGuard Firewalls and Topology

Started by Tursiops, July 20, 2017, 02:37:43 AM


Tursiops

Hi,

It appears there is an issue with getting WatchGuard firewalls to show peer connectivity properly.
I noticed that checks on interfaces almost always result in the firewall supposedly being "indirectly" connected to a specific switch port - as more than one MAC appears to be behind the interface in the ARP table and the firewalls do not do LLDP or CDP.

Not sure if there is a way around that?  :-\

Cheers

Victor Kirhenshtein

Hi,

Why do you have more than one MAC on a port? Does the firewall use multiple MACs?

Best regards,
Victor

Tursiops

Hi,

I am guessing the problem is that the firewall may have other devices connected to it, e.g. a switch on one port, a workstation, access point or even another switch on another. Without LLDP/CDP, the firewall in those cases basically looks like an unmanaged switch to the rest of the network.

I have lodged a feature request with WatchGuard to add LLDP/CDP, but not sure what will come of that (security concerns).

Cheers

Tursiops

Hi,

I can certainly confirm that the only way firewalls are discovered for the topology at present is via switch FDB.
But if said firewall has multiple devices behind it, the FDB will show a number of MACs on the same port and at that stage topology discovery fails as it can't tell which of those MACs is indeed the next hop. Most firewalls don't support LLDP for discovery due to security concerns.

At the same time, if event correlation depends on knowing the topology then this would cause issues for alerts when a firewall goes down (as based on the topology none of the devices behind it are actually connected to it)? Correlation would not kick in until the switches report that they are unreachable?
Is there maybe a manual way to force a connection between devices for Topology purposes, i.e. if I know firewall x is directly connected to switch y? Kind of an override for automated discovery?

Cheers
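The failure mode described in this post (several MACs learned on one switch port, so the FDB alone cannot say which one is the next hop) and the requested manual override are easy to model. The following is an added example, not NetXMS code and not WatchGuard's: the switch port names, MAC addresses, node names and the manual link table are all constructed for illustration. It infers a peer per port from a switch FDB, falls back to a flat "everything hangs off the switch" picture when a port is ambiguous, and shows how an administrator-defined link changes which devices a correlation engine would treat as dependent on the firewall.

```python
"""Toy model of switch-FDB topology discovery with a manual link override.

Constructed example (not NetXMS or WatchGuard code): one switch "sw1" whose
forwarding table has been read, a MAC -> managed node map, and a hypothetical
table of administrator-defined links that take precedence over the FDB guess.
"""
from collections import deque

# Constructed sample FDB for switch "sw1": port -> set of MACs learned on it.
SAMPLE_FDB = {
    "Gi1/0/1": {"00:11:22:33:44:01"},                       # only the firewall's own MAC
    "Gi1/0/2": {"00:11:22:33:44:02", "00:11:22:33:44:10",
                "00:11:22:33:44:11"},                       # firewall plus hosts bridged behind it
    "Gi1/0/3": set(),                                       # nothing learned on this port
}

# Constructed MAC -> managed node map (what the monitoring server knows).
SAMPLE_DEVICES = {
    "00:11:22:33:44:01": "fw-hq",
    "00:11:22:33:44:02": "fw-branch",
    "00:11:22:33:44:10": "ap-branch",
    "00:11:22:33:44:11": "pc-branch",
}

# Hypothetical manual override: (switch, port) -> node the admin declares as direct peer.
SAMPLE_MANUAL = {("sw1", "Gi1/0/2"): "fw-branch"}


def infer_peer(switch, port, fdb, devices, manual=None):
    """Return (peer, kind) for one switch port.

    kind: 'manual'   - an override exists for this port
          'direct'   - exactly one MAC learned and it belongs to a known node
          'indirect' - several MACs learned: something forwarding for others sits
                       on this port and the FDB alone cannot name the next hop
          'none'     - nothing usable learned
    """
    manual = manual or {}
    if (switch, port) in manual:
        return manual[(switch, port)], "manual"
    macs = fdb.get(port, set())
    if len(macs) == 1:
        (mac,) = macs
        if mac in devices:
            return devices[mac], "direct"
        return None, "none"
    if len(macs) > 1:
        return None, "indirect"
    return None, "none"


def indirect_candidates(port, fdb, devices):
    """For an ambiguous port, list the known nodes that could be the real next hop."""
    return sorted(devices[m] for m in fdb.get(port, set()) if m in devices)


def build_adjacency(switch, fdb, devices, manual=None):
    """Build an undirected adjacency map from the FDB plus any manual links.

    Resolved ports attach the peer to the switch and the remaining known MACs
    behind that peer; unresolved ports attach every known MAC directly to the
    switch, which is the flat (wrong) picture the thread complains about.
    """
    adj = {}

    def link(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for port, macs in fdb.items():
        peer, _kind = infer_peer(switch, port, fdb, devices, manual)
        others = [devices[m] for m in macs if m in devices and devices[m] != peer]
        if peer is not None:
            link(switch, peer)
            for node in others:
                link(peer, node)
        else:
            for node in others:
                link(switch, node)
    return adj


def reachable(adj, root, failed=None):
    """Nodes reachable from root, optionally treating one node as down."""
    seen, queue = set(), deque([root])
    while queue:
        n = queue.popleft()
        if n in seen or n == failed:
            continue
        seen.add(n)
        queue.extend(adj.get(n, set()))
    return seen


def dependents(adj, root, failed):
    """Nodes that become unreachable from root only because `failed` is down.

    A correlation engine would suppress alerts for these when `failed` goes down;
    with a flat topology the set is empty and every device alerts separately.
    """
    return reachable(adj, root) - reachable(adj, root, failed) - {failed}


if __name__ == "__main__":
    for port in SAMPLE_FDB:
        print(port, infer_peer("sw1", port, SAMPLE_FDB, SAMPLE_DEVICES))
    flat = build_adjacency("sw1", SAMPLE_FDB, SAMPLE_DEVICES)
    fixed = build_adjacency("sw1", SAMPLE_FDB, SAMPLE_DEVICES, SAMPLE_MANUAL)
    print("dependents without override:", dependents(flat, "sw1", "fw-branch"))
    print("dependents with override:   ", dependents(fixed, "sw1", "fw-branch"))
```

Running it shows Gi1/0/1 resolved as a direct link to fw-hq, Gi1/0/2 reported as indirect with three candidates, and the dependent set for fw-branch going from empty (flat topology) to the two bridged hosts once the manual link is in place.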

Victor Kirhenshtein

Hi,

We already have a request for manually configured connections between devices. Will try to implement it in the near future. Have I understood correctly that your firewall is a layer 2 device?

Best regards,
Victor

Tursiops

Yes and no.
The firewalls do allow configuring multiple physical interfaces as a single Bridge or VLAN interface, which in effect turns those physical ports into a switch.
Any traffic that is passed between such physical interfaces is Layer 2 only, and there is no routing involved.
Of course we also have setups where each interface is indeed in another network and then all traffic routed.

Especially smaller sites though will quite often only have one external interface and the remaining ports joined into a single VLAN interface with multiple devices connected to it.

Cheers