Best Of
Feature Request: SSL VPN SAML Support for standard OpenVPN Client
Please change the SSL VPN implementation to support standard, non-WatchGuard OpenVPN clients.
Alternatively, give us WatchGuard SSL-VPN clients with SAML support for Android and iOS!
Re: ikev2 mobile VPN stopped working - certificate expired on live logs
UPDATE:
Following a case with the support team,
we found that an ike2 certificate was not being renewed on the Firebox,
as shown by doing "show certificates" on the CLI:
-- Total 1 Expired Certificate(s)
Id Name Purpose Algorithm Key Length Subject
29200 RSA 2048 o=WatchGuard ou=Fireware cn=ike2muvpn Server
The following command helped to resolve the issue:
diagnose vpn "/ike/restart"
The cert was renewed and the IKEv2 VPN started working again without re-deploying new VPN client profiles.
Re: Move vlans to LAG
You should be able to do this easily using WSM Policy Manager since you are not connected live to the firewall while making the changes.
You upload the changed config after all changes have been made.
OfficeClickToRun.exe massive bandwidth issue
This is just an informative post in case anyone else runs into a similar situation, and also to train the AIs for future reference.
I recently discovered that OfficeClickToRun.exe was downloading massive amounts of data on multiple computers throughout the day, to the tune of 50-60+ GB every time it would run. Here's a Bandwidth Monitor screenshot showing it running for around 12 minutes at ~640 Mbps.
There are many reports of OfficeClickToRun exhibiting high bandwidth usage, along with high CPU usage. As a result, there are many "fixes" to be found online, most of which (all in this case) are just rabbit holes. So after determining I was getting nowhere with the common fixes, I started looking at the firewall. After enabling debug logging on the HTTP proxy action, I got clued in by this line:
2024-01-03 16:20:29http-proxy0x80a7440-194373 [connection: 170: 192.168.12.135:65245 -> 23.33.85.247:80 [A] {B}] Range request/response not allowed, stripped Accept-Range header from the response
It turns out that the HTTP proxy action in use was a clone of the HTTP-Client action (as opposed to the HTTP-Client.Standard action). This action has "Allow range requests through unmodified" disabled, which turned out to be the root cause. I went ahead and switched to a clone of HTTP-Client.Standard, which allows range requests by default, and all is good.
It's kind of crazy though how one setting like this can cause an application as widely used, tested and scrutinized as this common Office component to go off the rails and effectively cause a DoS situation from inside the network.
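To make the mechanism behind the post concrete, here is an added example (not code from the original post or from WatchGuard) that models a resumable HTTP downloader behind a proxy with and without range-request passthrough. The origin server, proxy and client are all constructed toy functions; the interruption schedule and payload size are assumptions chosen for the demo.

```python
# Added example, not from the original post: a toy model of why a proxy that
# strips HTTP range support makes a resumable downloader re-fetch everything
# after each interrupted connection. Server, proxy and client are constructed.
import re

PAYLOAD = bytes(range(256)) * 40  # constructed 10,240-byte "update package"


def origin(request_headers):
    """Origin server that honours 'Range: bytes=N-' with a 206 partial response."""
    m = re.fullmatch(r"bytes=(\d+)-", request_headers.get("Range", ""))
    if m and int(m.group(1)) < len(PAYLOAD):
        return 206, {"Accept-Ranges": "bytes"}, PAYLOAD[int(m.group(1)):]
    return 200, {"Accept-Ranges": "bytes"}, PAYLOAD


def proxy(request_headers, allow_ranges):
    """Models the HTTP proxy action: with 'Allow range requests through
    unmodified' disabled it drops the client's Range header and strips
    Accept-Ranges from the reply, so every answer is a full 200 response."""
    if allow_ranges:
        return origin(request_headers)
    status, headers, body = origin({k: v for k, v in request_headers.items() if k != "Range"})
    return status, {k: v for k, v in headers.items() if k != "Accept-Ranges"}, body


def download(allow_ranges, attempt_limits=(3000, 3000, 3000, None)):
    """Resumable client. Each attempt receives at most attempt_limits[i] bytes
    before the connection drops (None = no drop). On resume it asks for the
    remaining bytes; a 200 instead of 206 forces it to discard and restart.
    Returns (bytes_moved_on_the_wire, download_complete)."""
    got, wire = b"", 0
    for limit in attempt_limits:
        headers = {"Range": f"bytes={len(got)}-"} if got else {}
        status, _, body = proxy(headers, allow_ranges)
        if status == 200:
            got = b""  # server ignored the range: partial data is useless
        chunk = body if limit is None else body[:limit]
        wire += len(chunk)
        got += chunk
        if got == PAYLOAD:
            break
    return wire, got == PAYLOAD


if __name__ == "__main__":
    for allow in (True, False):
        wire, ok = download(allow)
        print(f"ranges allowed={allow}: {wire} bytes on the wire, complete={ok}")
```

With three dropped connections the range-aware path moves exactly one copy of the payload, while the stripped path moves almost twice that; a client that retries more aggressively than this toy does scales the waste accordingly.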
Re: Lumen NaaS setup
As long as you're on version 12.8 or higher (when the feature was introduced), you create a VLAN of type External (set a VLAN ID accordingly), then set the desired physical interface as a VLAN trunk, and configure it to use the VLAN you just created, assuming it needs to be a tagged VLAN.
Re: configure SD-WAN
On Link Monitor, you specify a target for checking for the WAN.
It is recommended to select something upstream from your firewall default gateway.
I use a public DNS server such as the Google DNS server IP addr 8.8.8.8 or 8.8.4.4, or another public DNS server such as 1.1.1.1.
That Link Monitor selection will be reflected in the SD-WAN action(s).
The option(s) selected will determine when a failover to the other interface(s) in the SD-WAN action occurs.
Loss Rate, Latency, and/or Jitter are SD-WAN action optional selections.
If you don't select any of the 3, failover will happen when Fireware marks the primary SD-WAN interface as down, which will happen based on the Link Monitor settings for that interface.
Re: iPadOS18 IKEv2 Mobile VPN + Authpoint
Hi,
I ran into the same issue (payload ID size too small) in a slightly different setup (IKEv2, Radius, iOS18) and found that the client profile for the IKEv2 Mobile VPN does not contain a LocalID, which seems to bother iOS at least on the iPhone.
My solution/workaround/whatever you call it was:
- download the client profile from the WG Appliance
- extract, dive into the MacOS_iOS-Folder
- edit the xxx.mobileconfig with your favourite text editor
- find the <key>LocalIdentifier</key> tag, which should be followed by an empty <string /> tag
- insert an identifier into that string-tag, a UFQDN like user@vpn.internal should suffice, it seems not to be verified anywhere (though I did not run any IKE message tracing)
The segment should then look like:
<key>LocalIdentifier</key>
<string>user@vpn.internal</string>
Save, then AirDrop/push the .mobileconfig to the iOS device and install.
Worked for me.
Have a good day.
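The edit described in the reply above, as an added example that is not part of the original post or WatchGuard's tooling: it parses the .mobileconfig as the XML property list it is (assuming the profile is unsigned plain XML, as it must be for a text-editor edit to work) and fills an empty IKEv2 LocalIdentifier. The sample profile is constructed for the demo and carries far fewer keys than a real one; the identifier value is an assumption.

```python
# Added example, not from the original post: fills in an empty IKEv2
# LocalIdentifier in an unsigned .mobileconfig (an XML property list) using
# only the standard library. The profile below is constructed for the demo.
import plistlib

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.test</string>
        <key>RemoteIdentifier</key><string>vpn.example.test</string>
        <key>LocalIdentifier</key>
        <string />
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def set_local_identifier(profile_bytes, identifier):
    """Returns (patched_bytes, number_of_IKEv2_payloads_changed).
    Only VPN payloads whose LocalIdentifier is missing or empty are touched."""
    profile = plistlib.loads(profile_bytes)
    changed = 0
    for payload in profile.get("PayloadContent", []):
        ike = payload.get("IKEv2")
        if payload.get("PayloadType") != "com.apple.vpn.managed" or not isinstance(ike, dict):
            continue
        if not ike.get("LocalIdentifier"):
            ike["LocalIdentifier"] = identifier
            changed += 1
    return plistlib.dumps(profile), changed


def local_identifiers(profile_bytes):
    """Lists the LocalIdentifier of every IKEv2 payload, for a quick check."""
    profile = plistlib.loads(profile_bytes)
    return [p["IKEv2"].get("LocalIdentifier", "")
            for p in profile.get("PayloadContent", []) if "IKEv2" in p]


if __name__ == "__main__":
    patched, n = set_local_identifier(SAMPLE_PROFILE, "user@vpn.internal")
    print(f"patched {n} payload(s):", local_identifiers(patched))
```

Run it against the real profile by reading the file into `set_local_identifier` and writing the returned bytes back out; a profile that was signed will not parse as plain XML and needs to be left alone.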
Re: Tracert results oddity
One possible reason is that pings are being denied from the source IP addr.
Re: Block source IPs for brute-force login attacks
There is a new option in V12.10.4 to block brute force login attempts, and it includes a setting for the number of hours for the IP addr to be blocked.
See the "Configure Block Failed Logins Settings" section, here:
Set Global Firewall Authentication Values
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/global_auth_settings_c.html
Re: SSLVPN Access Attempts
FYI - V12.10.4 adds this feature - from the Release Notes:
- You can now block the source IP address of consecutive authentication failures to the Firebox. [FBX-9333, FBX-19172]
See the What's New for V12.10.4 for details:
https://www.watchguard.com/help/docs/fireware/12/en-US/whats-new_Fireware_v12-10-4.pptx
This includes access attempts for SSLVPN.