Best Of
Re: Whitelist an external MAC address
@bford
I'd suggest asking them for clarification. If they're asking you to specifically whitelist a MAC address for a device that's not on the same subnet as your device or your upstream ISP's device, it's not actually possible to do that on any gear, WatchGuard or no.
In TCP/IP, MAC addresses are used to talk to local devices on the same network. If your network is 10.0.0.0/24 (for example) a computer with the IP 10.0.0.100 would talk to 10.0.0.101 via an ARP (to get the device's MAC address) and then directly to each other that way.
Your firebox similarly talks to your upstream ISP device that way. It ARPs to get the MAC of the default gateway IP, and sends traffic to that device.
For external inbound connections, the only MAC address you will see is that ISP device directly upstream of you.
I would suggest whitelisting by FQDN (via blocked sites exceptions) if they are willing to provide a FQDN for you to use. If not, you can also use an IP address.
If they insist on "whitelisting an external MAC address" that is not specifically your upstream ISP device's MAC, they don't know what they're talking about.
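The point made in the reply above (a remote host's MAC address never reaches your firewall; only the upstream gateway's MAC does) can be checked with a small next-hop model. This is an added example, not code from the thread or from WatchGuard; the subnet, gateway, neighbor table and MAC values are constructed sample data, and `NEIGHBOR_MACS` stands in for whatever the external interface's ARP table happens to hold.

```python
import ipaddress

# Constructed neighbor (ARP) table for a firewall's external interface.
# Only hosts on the same on-link subnet ever appear here; every address
# and MAC below is a made-up sample value.
EXTERNAL_PREFIX = "203.0.113.0/29"
UPSTREAM_GATEWAY = "203.0.113.1"
NEIGHBOR_MACS = {
    "203.0.113.1": "00:11:22:33:44:55",   # ISP router (default gateway)
    "203.0.113.3": "00:11:22:33:44:66",   # another host on the same link
}


def next_hop(prefix, gateway, dst_ip):
    """Return (kind, ip) naming the host a sender must ARP for before it can
    frame a packet to dst_ip: the destination itself when it is on-link,
    otherwise the default gateway."""
    net = ipaddress.ip_network(prefix, strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst in net:
        return ("on-link", str(dst))
    return ("via-gateway", str(gateway))


def observed_source_mac(prefix, gateway, neighbors, remote_ip):
    """For an inbound packet whose IP source is remote_ip, return the Ethernet
    source MAC the external interface actually sees. A remote host's own MAC
    is replaced at its first router, so for any off-link source the answer
    is the upstream gateway's MAC (the same symmetry as next_hop)."""
    _kind, hop = next_hop(prefix, gateway, remote_ip)
    return neighbors.get(hop)


def mac_whitelist_matches(whitelist, prefix, gateway, neighbors, remote_ip):
    """Would a MAC-based allow rule ever match traffic from remote_ip?
    True only when the MAC observed on the wire is in the whitelist."""
    mac = observed_source_mac(prefix, gateway, neighbors, remote_ip)
    allowed = {m.lower() for m in whitelist}
    return mac is not None and mac.lower() in allowed


if __name__ == "__main__":
    partner_mac = "aa:bb:cc:dd:ee:ff"   # MAC a third party asked us to whitelist
    partner_ip = "198.51.100.77"        # their server, several hops away
    print(next_hop(EXTERNAL_PREFIX, UPSTREAM_GATEWAY, partner_ip))
    print(observed_source_mac(EXTERNAL_PREFIX, UPSTREAM_GATEWAY, NEIGHBOR_MACS, partner_ip))
    # The partner's MAC can never match; only the ISP gateway's MAC can.
    print(mac_whitelist_matches([partner_mac], EXTERNAL_PREFIX, UPSTREAM_GATEWAY, NEIGHBOR_MACS, partner_ip))
    print(mac_whitelist_matches([NEIGHBOR_MACS[UPSTREAM_GATEWAY]], EXTERNAL_PREFIX, UPSTREAM_GATEWAY, NEIGHBOR_MACS, partner_ip))
```

Running it shows that a rule keyed on the partner's MAC never matches, while a rule keyed on the gateway's MAC matches every off-link source indiscriminately, which is why the reply recommends an FQDN or IP based exception instead.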
Re: Feature Request - Allow Policy Manager to group several policies or separator line
I would suggest something slightly different: a "where used" search for objects. This is available e.g. in Cisco ASA devices and proves to be very helpful when you have many firewall rules. I use tags, but sometimes I forget to tag new rules and then I cannot find them without looking at all the rules by eye.
Re: How to limit MS Office upgrade bandwidth
What are your traffic management settings for this?
Re: How to limit MS Office upgrade bandwidth
Microsoft lists all of their domains they use for those services here:
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
- I would suggest using a tool like FireWatch in the Web UI of your firewall to see where your bandwidth is actively going.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/firewatch_web.html
- If you've made a traffic management setting change, it only affects new connections, and not existing ones. You can reset other open connections in FireWatch to force new connections (or reboot the firewall to quickly end all active connections and force them to connect again).
Re: M370 to M390 | Mobile SSLVPN Fails now? "Waiting for initial response from server"
The OpenVPN TAP driver was updated between those versions -- if you're running into a problem with just the new version, you likely have something blocking that adapter from sending network traffic (local AV, local firewall, etc.) or potentially more than one TAP driver installed.
The older SSLVPN TAP will work, but you will see the driver signing warning when installing it (since the certificate that signed it has expired) and performance may be slightly worse, but it should continue to work if you choose to use it.
Re: M370 to M390 | Mobile SSLVPN Fails now? "Waiting for initial response from server"
Now you have some real facts to provide should you open a support case on this.
Let us know if a firewall reboot resolves the issue with the 12.10 client.
Re: how to set DNS Suffix
You can set this on the WINS/DNS tab of Network Configuration.
"In the Domain Name text box, type a domain name that a DHCP client adds to unqualified host names. This setting corresponds to DHCP option 15."
This is the domain name suffix.
The above quote is from the Configure Network DNS and WINS Servers section here:
Configure Network DNS and WINS Servers
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/wins_dns_add.html
There is a similar setting on each DHCP setup page in the "Configure WINS/DNS Servers" area.
Re: Mobile VPN through 2 firewalls on the same network
To get to the Firebox V, the SSLVPN port needs to be different than the SSLVPN port on your M590.
On your M590 you need to set up an incoming policy for the Firebox V SSLVPN port with a SNAT which points to 10.0.5.5.
Re: Received N(TS_UNACCEPTABLE) message
Hello all,
I had this error (TS_UNACCEPTABLE) too, after a change from the old BOVPN style to BOVPN-VIF + IKEv2.
The problem was the external IP, which was a private IP.
The ISP router gets only one external fixed IP and uses a private range (192.168.178.0/24) internally.
It seems that the Firebox tries to establish a VPN tunnel with the external IP from that range.
There was a conflict with local IPs with a similar ISP connection.
At the beginning, I did not assign virtual interface IP addresses under "VPN Routes".
After doing so, the tunnel comes up stable.
I used APIPA addresses (out of 169.254.0.0/16) for it.
Regards, Markus
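For readers who want to understand what the N(TS_UNACCEPTABLE) notify in this thread means at the protocol level, the following is an added example (not code from the thread or from WatchGuard) that models the generic IKEv2 responder behaviour from RFC 7296 section 2.9: the responder narrows the initiator's proposed traffic selectors against its own policy and answers TS_UNACCEPTABLE when there is no overlap. The selector values are constructed; the example does not model Fireware's BOVPN-VIF route handling or the specific fix Markus describes.

```python
import ipaddress


def _intersect(a, b):
    """Intersection of two CIDR blocks. CIDRs are either nested or disjoint,
    so the overlap, when it exists, is simply the more specific block."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def narrow(proposed, allowed):
    """Narrow a proposed traffic-selector list against a policy list and
    return every overlapping block (the responder may pick any subset of
    what the initiator offered, but never something outside it)."""
    result = []
    for p in proposed:
        for a in allowed:
            hit = _intersect(p, a)
            if hit is not None and hit not in result:
                result.append(hit)
    return result


def responder_select(tsi, tsr, policy_remote, policy_local):
    """Model the responder's CREATE_CHILD_SA decision.

    tsi / tsr are the initiator's proposed selectors (its side / our side);
    policy_remote / policy_local are the blocks this side is configured to
    accept. Returns ("TS_UNACCEPTABLE", None) when either direction has no
    overlap, otherwise ("OK", (narrowed_tsi, narrowed_tsr))."""
    sel_i = narrow(tsi, policy_remote)
    sel_r = narrow(tsr, policy_local)
    if not sel_i or not sel_r:
        return ("TS_UNACCEPTABLE", None)
    return ("OK", (sel_i, sel_r))


def cidrs(*blocks):
    """Helper: build a list of ip_network objects from CIDR strings."""
    return [ipaddress.ip_network(b) for b in blocks]


if __name__ == "__main__":
    # Constructed scenario: the initiator offers a private LAN the responder
    # has never heard of, so no narrowing is possible.
    print(responder_select(cidrs("192.168.178.0/24"), cidrs("10.20.0.0/16"),
                           cidrs("172.16.5.0/24"), cidrs("10.20.0.0/16")))
    # Constructed scenario: broad proposal, narrowed down to the responder's policy.
    print(responder_select(cidrs("172.16.0.0/16"), cidrs("10.0.0.0/8"),
                           cidrs("172.16.5.0/24"), cidrs("10.20.0.0/16")))
```

When a tunnel fails with TS_UNACCEPTABLE, comparing the selectors each side actually sends (in the IKE debug log) against this model usually points straight at the mismatched block.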
Re: Rules and BOVPN Priority
Do you have a ping policy near the top of your policy list?