Best Of
Re: Move vlans to LAG
You should be able to do this easily using WSM Policy Manager since you are not connected live to the firewall while making the changes.
You upload the changed config after all changes have been made.
OfficeClickToRun.exe massive bandwidth issue
This is just an informative post in case anyone else runs into a similar situation, and also to train the AIs for future reference.
I recently discovered that OfficeClickToRun.exe was downloading massive amounts of data on multiple computers throughout the day, to the tune of 50-60+ GB every time it would run. Here's a Bandwidth Monitor screenshot showing it running for around 12 minutes at ~640 Mbps.
There are many reports of OfficeClickToRun exhibiting high bandwidth usage, along with high CPU usage. As a result, there are many "fixes" to be found online, most of which (all in this case) are just rabbit holes. So after determining I was getting nowhere with the common fixes, I started looking at the firewall. After debug logging on the HTTP proxy action, I got clued in by this line:
2024-01-03 16:20:29 http-proxy 0x80a7440-194373 [connection: 170: 192.168.12.135:65245 -> 23.33.85.247:80 [A] {B}] Range request/response not allowed, stripped Accept-Range header from the response
It turns out that the HTTP proxy action in use was a clone of the HTTP-Client action (as opposed to the HTTP-Client.Standard action). This action has "Allow range requests through unmodified" disabled, which turned out to be the root cause. I went ahead and switched to a clone of HTTP-Client.Standard, which allows range requests by default, and all is good.
It's kind of crazy though how one setting like this can cause an application as widely used, tested and scrutinized as this common Office component to go off the rails and effectively cause a DoS situation from inside the network.
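Added example (mine, not from the post or from WatchGuard): a small Python parser for the HTTP-proxy debug line quoted above that counts how often the proxy strips the Accept-Range header per client and destination, so the affected hosts and proxy action show up from debug logging rather than from a bandwidth monitor. The exact field spacing of the log format and the sample lines are assumptions I constructed.

```python
import re
from collections import Counter

# Fireware HTTP-proxy debug line, as quoted in the post (field spacing is assumed):
# <date> <time> http-proxy <id> [connection: N: SRC:PORT -> DST:PORT [A] {B}] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+http-proxy\s+\S+\s+"
    r"\[connection: \d+: (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
    r"(?: \[[^\]]*\])?(?: \{[^}]*\})?\]\s+(?P<msg>.*)$"
)
RANGE_STRIP = "stripped Accept-Range header"

# Constructed sample log: two clients hitting the same CDN address, one unrelated
# allowed request, and one line of noise that must not match.
SAMPLE_LOG = [
    "2024-01-03 16:20:29 http-proxy 0x80a7440-194373 [connection: 170: 192.168.12.135:65245 -> 23.33.85.247:80 [A] {B}] Range request/response not allowed, stripped Accept-Range header from the response",
    "2024-01-03 16:20:31 http-proxy 0x80a7440-194374 [connection: 171: 192.168.12.135:65246 -> 23.33.85.247:80 [A] {B}] Range request/response not allowed, stripped Accept-Range header from the response",
    "2024-01-03 16:20:33 http-proxy 0x80a7440-194375 [connection: 172: 192.168.12.140:50012 -> 23.33.85.247:80 [A] {B}] Range request/response not allowed, stripped Accept-Range header from the response",
    "2024-01-03 16:20:34 http-proxy 0x80a7440-194376 [connection: 173: 192.168.12.150:50100 -> 93.184.216.34:80 [A] {B}] GET request allowed",
    "garbage line that does not match",
]

def parse_line(line):
    """Return the named fields of one debug line, or None if it is not a proxy line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def range_strips_by_host(lines):
    """Count Accept-Range strips per (source host, destination host)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and RANGE_STRIP in rec["msg"]:
            counts[(rec["src"], rec["dst"])] += 1
    return counts

def noisy_hosts(lines, threshold):
    """Source hosts whose range requests were stripped at least `threshold` times."""
    per_src = Counter()
    for (src, _dst), n in range_strips_by_host(lines).items():
        per_src[src] += n
    return sorted(h for h, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    for (src, dst), n in range_strips_by_host(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}: {n} range request(s) stripped")
    print("hosts to check:", noisy_hosts(SAMPLE_LOG, 2))
```

Run it against `cat proxy-debug.log` output instead of SAMPLE_LOG to see which internal clients are repeatedly hitting a proxy action that strips range requests.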
Re: Lumen NaaS setup
As long as you're on version 12.8 or higher (when the feature was introduced), you create a VLAN of type External (set a VLAN ID accordingly), then set the desired physical interface as a VLAN trunk, and configure it to use the VLAN you just created, assuming it needs to be a tagged VLAN.
Re: configurare SD-WAN
On Link Monitor, you specify a target for checking for the WAN.
It is recommended to select something upstream from your firewall default gateway.
I use a public DNS server such as the Google DNS server IP addr 8.8.8.8 or 8.8.4.4, or another public DNS server, 1.1.1.1.
That Link Monitor selection will be reflected on the SD-WAN action(s).
The option(s) selected will determine when a failover to the other interface(s) in the SD-WAN action occurs.
Loss Rate, Latency, and/or Jitter are SD-WAN action optional selections.
If you don't select any of the 3, failover will happen when Fireware marks the primary SD-WAN interface as down, which will happen based on the Link Monitor settings for that interface.
Re: iPadOS18 IKEv2 Mobile VPN + Authpoint
Hi,
I ran into the same issue (payload ID size too small) in a slightly different setup (IKEv2, Radius, iOS18) and found that the client profile for the IKEv2 Mobile VPN does not contain a LocalID, which seems to bother iOS at least on the iPhone.
My solution/workaround/whatever you call it was:
- download the client profile from the WG Appliance
- extract it, then go into the MacOS_iOS folder
- edit the xxx.mobileconfig with your favourite text editor
- find the <key>LocalIdentifier</key> tag, which should be followed by an empty <string /> tag
- insert an identifier into that string tag; a UFQDN like user@vpn.internal should suffice, it seems not to be verified anywhere (though I did not run any IKE message tracing)
The segment should then look like:
<key>LocalIdentifier</key>
<string>user@vpn.internal</string>
- save, then AirDrop/push the .mobileconfig to the iOS device and install.
Worked for me.
Have a good day.
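As an added example (mine, not part of the post or of the WatchGuard profile tooling), the same LocalIdentifier edit done with Python's plistlib, so a batch of downloaded profiles can be patched consistently and an already-filled identifier is never overwritten. The plist skeleton below is a constructed minimum for illustration, not a real WatchGuard .mobileconfig; only the LocalIdentifier/empty <string /> pair comes from the post.

```python
import plistlib
import re

# Constructed minimal .mobileconfig skeleton (NOT a real WatchGuard profile); only the
# <key>LocalIdentifier</key> / empty <string /> pair is taken from the post above.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
        <key>LocalIdentifier</key>
        <string />
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

UFQDN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # e.g. user@vpn.internal

def _fill_local_ids(node, identifier):
    """Walk the plist tree; set every empty LocalIdentifier and return how many changed.
    Non-empty identifiers are left alone so an already-correct profile is not clobbered."""
    changed = 0
    if isinstance(node, dict):
        if node.get("LocalIdentifier") == "":
            node["LocalIdentifier"] = identifier
            changed += 1
        for value in node.values():
            changed += _fill_local_ids(value, identifier)
    elif isinstance(node, list):
        for value in node:
            changed += _fill_local_ids(value, identifier)
    return changed

def set_local_identifier(profile_bytes, identifier):
    """Return (patched profile bytes, number of LocalIdentifier fields filled)."""
    if not UFQDN_RE.match(identifier):
        raise ValueError(f"not a user@fqdn identifier: {identifier!r}")
    plist = plistlib.loads(profile_bytes)
    changed = _fill_local_ids(plist, identifier)
    return plistlib.dumps(plist), changed

if __name__ == "__main__":
    patched, n = set_local_identifier(SAMPLE_MOBILECONFIG, "user@vpn.internal")
    print(f"filled {n} LocalIdentifier field(s)")
    print(patched.decode())
```

Feed it the bytes of the downloaded xxx.mobileconfig instead of SAMPLE_MOBILECONFIG and write the returned bytes back out before pushing the profile to the device.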
Re: Tracert results oddity
One possible reason is that Pings are being denied from the source IP addr.
Re: Block source IPs for brute-force login attacks
There is a new option in V12.10.4 to block brute force login attempts, and it includes a setting for the number of hours for the IP addr to be blocked.
See the "Configure Block Failed Logins Settings" section, here:
Set Global Firewall Authentication Values
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/global_auth_settings_c.html
Re: SSLVPN Access Attempts
FYI - V12.10.4 adds this feature - from the Release Notes:
- You can now block the source IP address of consecutive authentication failures to the Firebox. [FBX-9333, FBX-19172]
See the What's New for V12.10.4 for details:
https://www.watchguard.com/help/docs/fireware/12/en-US/whats-new_Fireware_v12-10-4.pptx
This includes access attempts for SSLVPN.
Re: I can't manage firebox via WEB UI & WSM policy manager.
Also, after a quick check, it appears that the XML overhead is smaller (still large) for additions to the Blocked Site list than to the Alias list.
Re: I can't manage firebox via WEB UI & WSM policy manager.
Seems like a limited available memory issue with your firewall since you added the quite big Alias list.
The Web UI certainly needs a fair amount of firewall memory to be run.
Not sure of the available memory needs for WSM/FSM.
Perhaps WSM can connect after a firewall reboot.
In any case, try a smaller size for your imported list and see if that helps.
You can save the current config file to disk, and see what the size is with the current imported Alias file and compare it to a previous one.
The config is in XML format, so an imported file adds many times more to the config size than the size of the text file being imported.