Best Of
Re: Mobile VPN Client with SSLVPN v 12.11.3 SAML broken following Edge Update on Windows Systems
If you’re having issues with the WatchGuard SSL VPN client due to WebView2 runtime compatibility with SAML, you can force the client to use a specific WebView2 version. This is useful when downgrading the client or using a local user account is not an option.
Steps:
- Download the Fixed Version (x86) from Microsoft Edge WebView2
=> https://developer.microsoft.com/en-us/microsoft-edge/webview2/?form=MA13LH#download - Extract the archive and move the folder (e.g., 138.0.3351.121) to: C:\WebView2_Fixed\
- Create a batch file with the following content:
@echo off setlocal rem Use Fixed WebView2 138 (x86) only for this process set "WEBVIEW2_BROWSER_EXECUTABLE_FOLDER=C:\WebView2_Fixed\138.0.3351.121" start "" /D "C:\Program Files (x86)\WatchGuard\WatchGuard Mobile VPN with SSL" "wgsslvpnc.exe" endlocal
What this does:
- Sets the environment variable WEBVIEW2_BROWSER_EXECUTABLE_FOLDER so the WatchGuard VPN client uses the specified WebView2 runtime.
- Launches wgsslvpnc.exe from its installation directory.
- The setting applies only to this process and ends after the script finishes.
Hope this helps someone facing the same issue.
Cheers
Maik_G
Re: Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
Hi @JamminJoe
There isn't a release date yet; that generally comes after a public beta (which will often be wrapped up with a few other features in a release.)
Passwordless auth is most likely to appear in FireCloud before it appears in SSLVPN.
If you're looking for more progress info aside from a notification when the feature is done, I'd suggest checking out watchguard.centercode.com. This is where all of our beta opportunities are posted for customers and partners. (Note that passwordless auth isn't currently posted in centercode, but it may be in the future.)
Re: Mobile VPN ipsec on fireware 12.1.3 Firebox T30-W connection OK, but no network access.
The "Unhandled MUVPN Packet.in-00" means that the firewall is not getting the user's group back from your authentication server or the user has the wrong IPSec profile selected in their VPN client.
Whatever the profile name is for your VPN should match the group name in AD. Make sure that your user is a member of that security group.
You can use the server connection tool in the WebUI to see if you're getting group information back from your AD server:
(Server Connection)
https://www.watchguard.com/help/docs/help-center/en-US/content/en-US/Fireware/system_status/test_server_connection_web.html
Re: Wifi not Passing all Traffic?
Hi @AJK_2023
The proxy logs are saying that the proxy is failing on B channel (which is the firebox talking to the destination.)
The details suggest that the firebox is either getting a cert it doesn't trust, or a completely invalid certificate. This is the cert on the firewall itself, and not the one that you have installed on your PC.
If you attempt this connection via a packet filter as a test instead of the proxy, can you get to the site? This tells us if the certificates on the firewall are the problem, or if the firebox is being presented certs that it can't decode.
It may also be worth checking if your firewall's trusted proxy certs are up to date. The steps in this article (even though it's talking about letsencrypt) show where those settings are:
(Certificate warnings when you browse to websites that use Let's Encrypt certificates through HTTPS proxies with content inspection)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SNIXSA4&lang=en_US
If none of that helps, I'd suggest opening a support case via the support center link at the top right of this page.
Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
I've followed this guide here and confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1
I downloaded the latest version of the Mobile VPN software which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software, select the SAML option, this triggers the authentication process with Entra which I complete using passwordless MFA which then returns this error:
AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.
Doing a quick search it would appear that the watchguard is expecting me to authenticate using a username and password and because I haven't done that (I've authenticated successfully but using Passwordless MFA) it then doesn't accept this method.
Is it likely I have something set wrong, anyone aware of a workaround or setting I could change to allow this? Do we need to wait for Watchguard to accept this as a valid authentication method.
Appreciate any feedback / insight anyone can offer.
Re: Watchguard SAML autoLogout after 8 Hours
This is a known bug and is tracked as:
FBX-28797 Session/idle timeouts do not take effect for SAML logins to the SSL VPN
We reported this issue in January 2025 and provided logs with various Watchguard and Azure SAML token changes, and it was determined that 8 hours is a hardcoded expiration for the samld process in the Fireware.
I was hoping to see a fix in 12.11.1, but it has not been resolved.
Re: Lan to Lan has a strange issue.
Have you selected Route Mode on the Draytek VPN setup?
Re: Azure AD Joined SSO Client
So I have a little update on this regard:
I know it's been over a year now, but I hope this can still help people.
if you go into the Watchguard Authentication gateway, and add a file there in the "c:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway"
add a file called wagsrvc.ini
now add the following lines to this file:
[config]
forcedAdGroups=Gemiddeld verplicht niveau|Medium Mandatory Level|Niveau obligatoire moyen|Střední povinná úroveň|Mellem obligatorisk niveau|Mittlere Verbindlichkeitsstufe
This wil effectively add the SSO working for:
Dutch
German
English
Italien
Danish
however: Tjechie "Střední povinná úroveň" <-- does not work 
source: https://portal.watchguard.com/wgknowledgebase?SFDCID=kA1Vr0000004Tt3KAE&lang=en_US
This is the ONLY documentation I was able to find ANYWHERE regarding this online. ( apart from a senior tech I spoke with
Louis
Feature Request: SSL VPN SAML Support for standard OpenVPN Client
Please change the SSL VPN Implementation for support of standard, non Watchguard OpenVPN Clients.
Alternative give us Watchguard SSL-VPN Clients with SAML support for Android and iOS!
Jürgen
Re: ikev2 mobile VPN stopped working - certificate expired on live logs
UPDATE:
Following case with support team,
we found that an ike2 certificate was not being renewed on the firebox
by doing "show certificates" on CLI :
-- Total 1 Expired Certificate(s)
Id Name Purpose Algorithm Key Length Subject
29200 RSA 2048 o=WatchGuard ou=Fireware cn=ike2muvpn Server
the following command help to resolve the issue :
diagnose vpn "/ike/restart"
the cert was renewed and ikev2 VPN started working again without re-deploying new vpn clients 
Yugal_R