Best Of
Re: IkeV2 mobile VPN - Policy Match Error
Solved - we had an ikev2 bovpn tunnel routing to the same location that this mobile vpn wanted to connect to. Disabling that tunnel is allowing the VPN to work while this server is still on site with us. Through testing we've determined we can re-add our bovpn once the server is shipped to its permanent location. Adding this reply in case it helps anyone else in the future.
Re: Certificates for DPI
Hi @SunsetFett
You can use one cert across all of the firewalls if you wish. The firewall labels it as the "Proxy Authority" certificate.
As an aside, WatchGuard doesn't use the term "DPI," as it's technically trademarked. You'll always see it referred to as "content inspection" in our documentation.
Re: IPsec Anti-Replay
Hi @marigold68
The option in the CLI disables the feature globally.
Re: Reserved address not applying
If the firewall already has an entry for this MAC addr in its ARP cache, it won't apply a different IP addr.
Clear the ARP table on the firewall, and you should get the device to get the desired IP addr.
You can clear the ARP cache using FSM:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/clear_ARP_cache_wsm.html
Re: Watchguard NTP configure
See the "Enable the Firebox as an NTP Server" section, here:
Re: log4j get slipping past ips
@Steve_E
It looks like your case already made it to my team, and the feature request was already done -- if anyone else would like to follow this please create a case and mention FBX-23882 -- the tech can set the case up to notify you of any changes to that request.
Re: Block Telegram/Whatsapp
This site indicates how to block Telegram:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-Telegram-App-and-Web-on-FortiGate-FortiOS-6/ta-p/215034
You can block WhatsApp using Application Control.
To block some and allow others, you need 2 sets of policies - 1 which allows it, From: authenticated users or the IP addrs of their devices, and a 2nd one which blocks it for everyone not allowed by the 1st policy.
Re: VPN group/user list
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ikev2-vpn-radius_authpoint.html
For some reason they are missing steps 23-27 in the “Firmware 12.7.2 or higher” part of the document which are critical to getting this working with either setup.
(I put in a request for their team to fix this almost a month ago and even gave them screenshots to do this… I'm surprised such a simple but important change to the document hasn't been done yet, as it would prevent a lot of issues.)
Re: Possible to disable TLS 1.1 in Watchguard System Manager?
Hi @Brad
We're currently working on an option to disable TLS1.1 for the WatchGuard System Center server (WSC). That enhancement is FBX-23887.
In the interim, you can navigate to C:\programdata\watchguard\wmserver\conf\httpd.conf and remove the +TLS1.1 item from the SSLProtocol line. You'll need to restart the server center processes for this to read the new config.
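As an added example (not WatchGuard's code or the poster's), a small Python routine that applies the edit described above to an Apache-style httpd.conf: it strips the token that enables TLS 1.1 from every SSLProtocol line, handles the case where a bare `all` enables it implicitly, and refuses to leave a line with no protocol enabled. The sample config is constructed; the post names the token as +TLS1.1 while Apache's canonical spelling is +TLSv1.1, so both forms are matched.

```python
import re

# Constructed sample in the shape of an Apache httpd.conf; not the real
# WSM file from C:\programdata\watchguard\wmserver\conf\httpd.conf.
WEAK_CONF = """# constructed sample
Listen 4110
SSLEngine on
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL
"""

# The token that enables TLS 1.1: the post writes "+TLS1.1", Apache
# documents "+TLSv1.1", so the "v" is optional here.
TLS11_TOKEN = re.compile(r"\s*\+TLSv?1\.1\b")


def tls11_enabled(conf_text):
    """True if any SSLProtocol line still lets the server negotiate TLS 1.1."""
    for line in conf_text.splitlines():
        if not line.lstrip().startswith("SSLProtocol"):
            continue  # comments and other directives
        tokens = line.split()[1:]
        explicit = any(TLS11_TOKEN.fullmatch(t) for t in tokens)
        # "all" (or "+all") enables every version unless one is subtracted
        implicit = any(t.lstrip("+") == "all" for t in tokens) and "-TLSv1.1" not in tokens
        if explicit or implicit:
            return True
    return False


def disable_tls11(conf_text):
    """Return conf_text with TLS 1.1 removed from every SSLProtocol line."""
    out = []
    for line in conf_text.splitlines():
        if not line.lstrip().startswith("SSLProtocol"):
            out.append(line)
            continue
        new_line = TLS11_TOKEN.sub("", line).rstrip()  # drop "+TLSv1.1" / "+TLS1.1"
        tokens = new_line.split()[1:]
        if any(t.lstrip("+") == "all" for t in tokens):
            if "-TLSv1.1" not in tokens:
                new_line += " -TLSv1.1"  # "all" must exclude it explicitly
        elif not any(t.startswith("+") for t in tokens):
            # Removing the only "+" token would leave nothing negotiable.
            raise ValueError("SSLProtocol line would enable no protocol: %r" % line)
        out.append(new_line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")
```

Write the result back to the file and restart the server center processes, as the post says, for the new SSLProtocol line to take effect.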