User Guide 9
This table shows you the ports you must open on a desktop firewall.
WFS appliance software configuration modes
There are two configuration modes available for users with WFS appliance software: a routed configuration or a drop-in configuration. (If you are using Fireware appliance software, drop-in mode is not available.) Many networks operate best with a routed configuration. But we recommend the drop-in mode
• You have a large number of public IP addresses
• You have a static external IP address
• You cannot configure the computers on your trusted and optional networks that have public IP
addresses with private IP addresses
The table below shows three conditions that can help you to select a firewall configuration mode. We
then give more information about each mode.
You use the routed configuration when you have a small number of public IP addresses or when your Firebox gets its external IP address using PPPoE or DHCP. This configuration also makes it easier to configure virtual private networks.
Server Type/Appliance Software      Protocol/Port
Management Server                   TCP 4109, TCP 4110, TCP 4112, TCP 4113
with Fireware appliance software
with WFS appliance software
WebBlocker Server                   TCP 5003, UDP 5003
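To confirm that a desktop firewall really passes the ports in the table above, you can probe them from a computer that must reach the servers. The Python script below is an added example, not part of the original guide; it covers only the TCP ports whose numbers appear in the table, and the host addresses and function names in it are assumptions for illustration.

```python
import socket

# TCP ports from the table above. UDP 5003 (WebBlocker) is not probed: UDP has
# no handshake, so silence cannot distinguish "open" from "dropped".
REQUIRED_TCP = {
    "Management Server": [4109, 4110, 4112, 4113],
    "WebBlocker Server": [5003],
}


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake done: allowed and service listening
    except ConnectionRefusedError:
        return "closed"           # host answered with a reset: nothing listening
    except socket.timeout:
        return "filtered"         # no reply: typical of a firewall dropping SYNs
    except OSError:
        return "unreachable"      # no route, ICMP reject or name lookup failure


def audit(hosts, ports=REQUIRED_TCP, timeout=2.0):
    """Probe every required port; hosts maps a server role to its address."""
    return {(role, port): probe_tcp(host, port, timeout)
            for role, host in hosts.items()
            for port in ports[role]}


def not_open(results):
    """Sorted (role, port, state) entries that still need attention."""
    return sorted((r, p, s) for (r, p), s in results.items() if s != "open")


if __name__ == "__main__":
    # Placeholder addresses (RFC 5737 documentation range); use your own hosts.
    servers = {"Management Server": "192.0.2.10",
               "WebBlocker Server": "192.0.2.11"}
    for role, port, state in not_open(audit(servers)):
        print(f"{role}: TCP {port} is {state}")
```

A "filtered" result points at a firewall rule that drops the traffic, while "closed" means the traffic gets through but the server software is not listening on that port.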
Condition 1
  Routed Configuration: All interfaces of the Firebox are on different networks. The minimum configured interfaces are external and
  Drop-in Configuration: All interfaces of the Firebox are on the same network and have the same IP address (Proxy ARP).

Condition 2
  Routed Configuration: Trusted and optional interfaces must be on different networks. The two interfaces must have an IP address on their
  Drop-in Configuration: The computers on the trusted or optional interfaces can have a public IP address.

Condition 3
  Routed Configuration: Use static NAT to map public addresses to private addresses behind the trusted or optional interfaces.
  Drop-in Configuration: The machines that have public access have public IP addresses. Thus, no static NAT is necessary.