Best Of
WatchGuard Cloud
May we please have a section for WatchGuard Cloud? I have a few grumbles about the documentation.
Re: Combine 1-to-1 NAT with Dynamic NAT
On the Dynamic NAT setup, you can specify "Set source IP addr" which should resolve your issue.
Dynamic NAT entry:
From: your source subnet, source Interface name, etc.
To: eth1 Interface name
Set source IP addr: 10.20.20.1
Move this entry to the top of the list.
Remove the 1-to-1 NAT entry, which is no longer needed.
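As an added illustration of the steps above (a model written for this page, not WatchGuard's own code), the following Python simulates a Dynamic NAT list evaluated top-down with first-match semantics. The source subnet, interface addresses and rule set are constructed; only the 10.20.20.1 "Set source IP addr" value comes from the post. Running the same packet through the list with the specific entry at the bottom shows why the post says to move it to the top: the generic entry matches first and the traffic leaves with the interface address instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface addresses (not from the original post)
IFACE_IPS = {"eth1": "203.0.113.10", "eth2": "198.51.100.10"}


@dataclass
class DnatRule:
    """One Dynamic NAT list entry: From network, To interface, optional Set source IP addr."""
    src: str                              # source network in CIDR form
    to_iface: str                         # outgoing interface name
    set_source_ip: Optional[str] = None   # None means translate to the interface IP


def apply_dynamic_nat(rules, pkt_src, out_iface):
    """Walk the list top-down; the first entry that matches decides the translated source."""
    src_ip = ipaddress.ip_address(pkt_src)
    for rule in rules:
        if out_iface == rule.to_iface and src_ip in ipaddress.ip_network(rule.src):
            return rule.set_source_ip or IFACE_IPS[out_iface]
    return pkt_src  # no Dynamic NAT entry applies; packet leaves untranslated


def rules_specific_first():
    """The ordering the post recommends: the Set-source-IP entry sits at the top."""
    return [
        DnatRule("192.168.10.0/24", "eth1", set_source_ip="10.20.20.1"),  # constructed subnet
        DnatRule("0.0.0.0/0", "eth1"),   # typical catch-all entry: Any -> eth1
        DnatRule("0.0.0.0/0", "eth2"),   # typical catch-all entry: Any -> eth2
    ]


def rules_specific_last():
    """Same entries, but the specific entry was left at the bottom of the list."""
    return [
        DnatRule("0.0.0.0/0", "eth1"),
        DnatRule("0.0.0.0/0", "eth2"),
        DnatRule("192.168.10.0/24", "eth1", set_source_ip="10.20.20.1"),
    ]


if __name__ == "__main__":
    for label, rules in (("specific first", rules_specific_first()),
                         ("specific last", rules_specific_last())):
        print(label, "->", apply_dynamic_nat(rules, "192.168.10.5", "eth1"))
```

With the specific entry first, a host in 192.168.10.0/24 leaving via eth1 is translated to 10.20.20.1; with it last, the catch-all entry wins and the host appears as the eth1 interface address, which is the symptom the original question was trying to avoid.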
Re: Combine 1-to-1 NAT with Dynamic NAT
We need more details about the need for a 10.20.20.1 IP addr here.
Do you have a subnet anyplace in your config including 10.20.20.1?
If not, then adding 10.20.20.1 as a secondary on eth1 should work - as long as whatever is down eth1 knows to route things back to eth1 for dest packets of 10.20.20.1, as presumably eth1 has a different subnet IP addr.
Re: Several websites inaccessible through HTTPS proxy using IPv6
Content inspection was not being used for these sites. No error message is displayed to users; the browser just spins. There's eventually a timeout error of some sort in the traffic monitor but nothing too useful. I actually opened a case for similar behavior a couple of months ago and the workaround was to select "Enable only when ICMP network issues are detected" in Global Settings > Networking > TCP Settings > TCP MTU Probing. That worked for the problem site(s) at the time but it appears to be having no effect for these new problem sites.
I'm finding that IPv6 is problematic in many ways. I implemented it to start familiarizing myself with it and work out any kinks, and there certainly have been some, not all WatchGuard/firewall related.
The latest issue is trying to manage DropBox traffic. I set out to use Application Control to limit DropBox traffic. DropBox uses HTTPS. Application Control requires content inspection to be used for an HTTPS proxy policy. The problem there is that DropBox is listed on the Content Inspection Exceptions list as it is apparently incompatible with WatchGuard content inspection. BTW, the Content Inspection Exceptions list includes nearly every app that I'd want to use it for (Teams, Zoom) so it doesn't seem to be overly useful.
The fallback plan then was to use an HTTPS packet filter and manage traffic based on the known DropBox FQDN URLs, which is a manageable list (https://help.dropbox.com/accounts-billing/security/official-domains). Come to find out, though, that FQDN lookups in Fireware OS only support IPv4 addresses (https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html).
That leaves me wondering how to effectively manage traffic to these sites using a WatchGuard device on an IPv6 network.
Re: Whitelist an external MAC address
Additionally, prior to any scanning, I would suggest upgrading your firewall to the latest version of Fireware. (At the time I posted this, latest version for that device is 12.10.3.) There's a number of security fixes since 12.8.2 that will likely get picked up by whatever scanning service you're using.
Re: Whitelist an external MAC address
You can't.
You can set up a Blocked Sites Exception for an IP addr.
Re: Vigor to Firebox vpn
-Endpoint 1 - Received 'main mode' exchange type. Expecting aggressive mode.
This says that the other end (Vigor) is expecting your end to be Main mode not aggressive in Phase 1.
-No matching tunnel route for peer proposed local:192.168.0.0/24
This suggests that your Tunnel settings do not match what is set up on the Vigor.
Re: Allow BOVPN Failover (aka IKEv2 Multi-Peering) with Third Party Gateways
Define multiple gateway endpoints when creating your VPNs. The firewall will try them one at a time in order. If the first does not respond (e.g., the internet is down on that circuit) it will go on to the next one. When the SA expires, it will start this process over again.
See:
(Configure Manual BOVPN Gateways)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/gateways_config_c.html
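As an added example of the ordered-endpoint behaviour the reply describes (a model written for this page, not WatchGuard's implementation), the Python below tries gateway endpoints in list order, stops at the first that responds, and starts again from the top of the list when the SA expires. The endpoint addresses and the per-SA reachability scenario are constructed; the point it shows is that failover is not sticky: once the primary circuit is back, the next SA negotiation returns to it.

```python
from typing import Callable, List, Optional

# Constructed gateway endpoints, listed in the order configured on the BOVPN gateway
ENDPOINTS = ["198.51.100.1", "203.0.113.1"]   # primary circuit first, then secondary


def select_peer(endpoints: List[str], responds: Callable[[str], bool]) -> Optional[str]:
    """Try each endpoint in order; return the first one that responds, or None if none do."""
    for ep in endpoints:
        if responds(ep):
            return ep
    return None


def peers_over_sa_lifetimes(endpoints: List[str], reachable_per_sa: List[set]) -> List[Optional[str]]:
    """One selection per SA lifetime.

    reachable_per_sa holds, for each successive SA lifetime, the set of endpoints that
    answer at that time. Because the search restarts from the top of the list at every
    SA expiry, the primary is picked again as soon as it answers, even after a failover.
    """
    chosen = []
    for reachable in reachable_per_sa:
        chosen.append(select_peer(endpoints, lambda ep, r=reachable: ep in r))
    return chosen


# Constructed scenario: primary up, primary down, primary back, both down
SCENARIO = [
    {"198.51.100.1", "203.0.113.1"},
    {"203.0.113.1"},
    {"198.51.100.1", "203.0.113.1"},
    set(),
]

if __name__ == "__main__":
    for sa_index, peer in enumerate(peers_over_sa_lifetimes(ENDPOINTS, SCENARIO), start=1):
        print(f"SA {sa_index}: {'no peer responded' if peer is None else peer}")
```

The fourth SA lifetime in the scenario, where neither endpoint answers, returns no peer at all; that is the case to watch for in the logs, since the tunnel stays down until one of the circuits responds again.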
Re: FIDO2 support
@KAndersson I'll pass your request onto the product managers.
There is an existing feature request, and that is AAAS-12937. If you'd like to follow that request, please create a support case and mention AAAS-12937 in the case.
Re: Feature Request - Allow Policy Manager to groups several policies or separator line
In WSM Policy Manager, there is an Edit -> Find option, which allows one to search policies for:
Address (IP, Network, User, Alias, FQDN, etc.), Port number, Protocol, Tag
This is in addition to being able to sort on the columns, such as Protocol, Policy Name, From, To, Port, etc.