Best Of

Re: IkeV2 mobile VPN - Policy Match Error

Solved - we had an ikev2 bovpn tunnel routing to the same location that this mobile vpn wanted to connect to. Disabling that tunnel is allowing the VPN to work while this server is still on site with us. Through testing we've determined we can readd our bovpn once the server is shipped to its permanent location. Adding this reply in case it helps anyone else in the future.

Ders

Re: Certificates for DPI

Hi @SunsetFett
You can use one cert across all of the firewalls if you wish. The firewall labels it as the "Proxy Authority" certificate.

As an aside, WatchGuard doesn't use the term "DPI," as it's technically trademarked. You'll always see it referred to as "content inspection" in our documentation.

james.carson

Re: IPsec Anti-Replay

Hi @marigold68
The option in the CLI disables the feature globally.

james.carson

Re: Reserved address not applying

If the firewall already has a entry for this MAC addr in its ARP cache, it won't apply a different IP addr.

Clear the ARP table on the firewall, and you should get the device to get the desired IP addr.

You can clear the ARP cache using FSM
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/clear_ARP_cache_wsm.html

Bruce_Briggs

Re: Watchguard NTP configure

See the "Enable the Firebox as an NTP Server" section, here:

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/NTP_server_enable_add_c.html

Bruce_Briggs

Re: log4j get slipping past ips

@Steve_E
It looks like your case already made it to my team, and the feature request was already done -- if anyone else would like to follow this please create a case and mention FBX-23882 -- the tech can set the case up to notify you of any changes to that request.

james.carson

Re: Block Telegram/Whatsapp

This site indicates how to block Telegram:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-Telegram-App-and-Web-on-FortiGate-FortiOS-6/ta-p/215034

You can block WhatsApp using Application Control.

To block some and allow other, then you need 2 sets of policies - 1 which allows it, From: authenticated users or for the IP addrs of their devices, and a 2nd one which blocks it for all not allowed by the 1st policy.

Bruce_Briggs

Re: VPN group/user list

If you go to this document and go to 12.6 or lower for the windows sever directions it is identical to what the steps should be if you do the new AuthPoint integration. The steps you are looking for are 23-27:

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ikev2-vpn-radius_authpoint.html

For some reason they are missing steps 23-27 in the “Firmware 12.7.2 or higher” part of the document which are critical to getting this working with either setup.

(I put in a request for their team to fix this almost a month ago and even gave them screenshots to do this… I’m surprised such simple but important change to the document hasn’t been done yet as it would prevent a lot of issues)

Tristan.Colo

Re: Possible to disable TLS 1.1 in Watchguard System Manager?

Hi @Brad
We're currently working on an option to disable TLS1.1 for the WatchGuard System Center server (WSC). That enhancement is FBX-23887.

In the interim, you can navigate to C:\programdata\watchguard\wmserver\conf\httpd.conf and remove the +TLS1.1 item from the SSLProtocol line. You'll need to restart the server center processes for this to read the new config.

james.carson

Re: Proper way to set up a global local DNS Server

Read my previous post.

Bruce_Briggs