Watchguard XTM Internal Policy Denial

watchguard

Question on Watchguard XTM policy not allowing some traffic through. I have set up a policy in Policy Manager named "TCP – NAS" that allows all TCP ports from External to SNAT from 192.168.10.13 -> 192.168.60.4, but am puzzled at why it's blocking some traffic (shown below).

The XTM is set up in Mixed Routing Mode, with external IP 192.168.10.13.
A NAS is set up as 192.168.60.4.
I want to grant traffic coming from outside the XTM to the NAS, so that when people try to reach 192.168.10.13 it gets to 192.168.60.4.

Given that the policy is permitting all ports, and is sitting at the top as the first policy (I have switched off Auto Order Mode), can someone explain to me why I'm seeing denials via "Internal Policy"? Thanks.

ftp and http are allowed through policy TCP – NAS:

2013-10-04 23:50:29 Allow 192.168.10.1 192.168.10.13 ftp/tcp 2555 21 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2686556654 win 5840" Traffic
2013-10-04 23:50:29 Allow 192.168.10.1 192.168.10.13 http/tcp 4722 80 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2687441010 win 5840" Traffic

Port 8000 is denied:

2013-10-04 23:50:29 Deny 192.168.10.1 192.168.10.13 8000/tcp 4019 8000 0-External 0-Optional Bridge blocked ports 60 63 (Internal Policy) proc_id="firewall" rc="101" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2698964068 win 5840" Traffic
2013-10-04 23:50:32 Deny 192.168.10.1 192.168.10.13 8000/tcp 4019 8000 0-External 0-Optional Bridge blocked ports 60 63 (Internal Policy) proc_id="firewall" rc="101" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2698964068 win 5840" Traffic

webcache and rdp are allowed through policy TCP – NAS:

2013-10-04 23:50:32 Allow 192.168.10.1 192.168.10.13 webcache/tcp 4135 8080 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2689599964 win 5840" Traffic
2013-10-04 23:50:32 Allow 192.168.10.1 192.168.10.13 rdp/tcp 3896 3389 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2702431472 win 5840" Traffic

Best Answer

In Policy Manager, go to Setup -> Default Threat Protection -> Blocked Ports.

Ports mentioned there can't get through the firewall, even if you add rules allowing them through. Port 8000 is there by default. Remove it from there.
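The log lines in the question carry the evidence for the answer: the denied connections are attributed to "(Internal Policy)" with the reason "blocked ports", while the permitted ones are attributed to the user's own policy name. The script below is an added example (not from the question, the answer, or WatchGuard) that parses those six lines and separates denials caused by the Blocked Ports list from ordinary policy denials, so an administrator can see at a glance which destination ports are being silently dropped by Default Threat Protection regardless of policy order. The field layout it assumes (timestamp, action, source, destination, service/protocol, source port, destination port, interface names, disposition text, two numeric fields, policy name in parentheses, then key="value" pairs) is inferred from the sample lines only; the two numeric fields before the policy name are captured but not interpreted.

```python
import re
from collections import Counter

# Sample traffic log lines copied verbatim from the question above (not constructed).
SAMPLE_LOG = """\
2013-10-04 23:50:29 Allow 192.168.10.1 192.168.10.13 ftp/tcp 2555 21 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2686556654 win 5840" Traffic
2013-10-04 23:50:29 Allow 192.168.10.1 192.168.10.13 http/tcp 4722 80 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2687441010 win 5840" Traffic
2013-10-04 23:50:29 Deny 192.168.10.1 192.168.10.13 8000/tcp 4019 8000 0-External 0-Optional Bridge blocked ports 60 63 (Internal Policy) proc_id="firewall" rc="101" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2698964068 win 5840" Traffic
2013-10-04 23:50:32 Deny 192.168.10.1 192.168.10.13 8000/tcp 4019 8000 0-External 0-Optional Bridge blocked ports 60 63 (Internal Policy) proc_id="firewall" rc="101" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2698964068 win 5840" Traffic
2013-10-04 23:50:32 Allow 192.168.10.1 192.168.10.13 webcache/tcp 4135 8080 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2689599964 win 5840" Traffic
2013-10-04 23:50:32 Allow 192.168.10.1 192.168.10.13 rdp/tcp 3896 3389 0-External 0-Optional Bridge Allowed 60 63 (TCP – NAS-00) proc_id="firewall" rc="100" dst_ip_nat="192.168.60.4" tcp_info="offset 10 S 2702431472 win 5840" Traffic
"""

# Field layout assumed from the sample lines; the two numeric fields before the
# policy name are captured as num1/num2 but not interpreted here.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<service>\S+)/(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<ifaces_and_reason>.+?) (?P<num1>\d+) (?P<num2>\d+) '
    r'\((?P<policy>[^)]+)\) (?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Disposition strings seen on the page; anything else is split off as the last word.
KNOWN_REASONS = ("Allowed", "blocked ports")


def parse_line(line):
    """Parse one traffic log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("ifaces_and_reason")
    for reason in KNOWN_REASONS:
        if tail.endswith(" " + reason):
            rec["reason"] = reason
            rec["interfaces"] = tail[: -len(reason) - 1]
            break
    else:
        rec["interfaces"], _, rec["reason"] = tail.rpartition(" ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # Trailing key="value" pairs such as rc, dst_ip_nat and tcp_info.
    rec["fields"] = dict(KV_RE.findall(rec.pop("kv")))
    return rec


def classify(rec):
    """Label a record: allowed, blocked_ports_list, or policy_deny."""
    if rec["action"] == "Allow":
        return "allowed"
    # The Blocked Ports list under Default Threat Protection logs its drops
    # against "Internal Policy" with the text "blocked ports", ahead of any
    # user-defined policy, which is why policy order cannot override it.
    if rec["policy"] == "Internal Policy" and rec["reason"] == "blocked ports":
        return "blocked_ports_list"
    return "policy_deny"


def blocked_port_hits(log_text):
    """Map each destination port dropped by the Blocked Ports list to its hit count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == "blocked_ports_list":
            counts[rec["dport"]] += 1
    return dict(counts)


def summarize(log_text):
    """Group (dport, policy) pairs by classification for a quick review."""
    groups = {"allowed": [], "blocked_ports_list": [], "policy_deny": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[classify(rec)].append((rec["dport"], rec["policy"]))
    return groups


if __name__ == "__main__":
    for label, entries in summarize(SAMPLE_LOG).items():
        print(f"{label}: {entries}")
    print("ports hitting the Blocked Ports list:", blocked_port_hits(SAMPLE_LOG))
```

Run against the sample, it reports port 8000 as the only destination hitting the Blocked Ports list (twice), with every other connection attributed to the "TCP – NAS-00" policy. Pointing it at a larger exported log shows which ports need to be reviewed in Setup -> Default Threat Protection -> Blocked Ports before touching policy order.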