Re: New configuration - cannot connect now
Is the firewall providing DHCP on the Trusted interface?
It is really hard to help without knowing what you set up for the firewall trusted and external subnets/IP addresses, and what else you configured.
Re: Mobile VPN with SSL connection from Trusted LAN
The issue is still present -- it is targeted to be fixed in the next release version
If you are running into the issue, you'll need to follow the directions in the KB to work around it.
Re: Change the email address for alerts etc
Alerts from EPDR/EDR/EPP for detections, or devices found on the network... will be sent to the email specified directly on the online console for the product.
Hope this is what you were looking for!
Re: Add a function to Botnet detection to block TOR exit nodes inbound
It looks like v12.8.1 now has this:
Policies, Proxies, and Subscription Services
- The Firebox now blocks incoming traffic from Tor exit nodes when the Tor Exit Node Blocking service is enabled. [FBX-22863]
On the WatchGuard SSLVPN policy, remove anything from the From: field other than Any-external.
You may also need to make other changes too, depending on whether SSLVPN connections can still be made from inside the firewall.
Test connections and see.
Re: Wifi 6
WatchGuard is prioritizing the development of the latest technology in the Wi-Fi market. Our goal is to deliver Wi-Fi 6 technology to organizations of all shapes and sizes because the way the world is using wireless networks has changed dramatically since the release of WatchGuard's previous wireless family of products.
We will develop feature sets that directly align with customers' and MSPs' needs on our new Wi-Fi 6 product line. Looking forward, we will continue to support our previous wireless devices to ensure our partners' businesses remain intact.
The manufacturer impacts the deliverability on the expectations of our partners. WatchGuard is committed to delivering deep levels of support through the WatchGuard Support team to ensure our customers and partners have their needs heard and built into the development of the future product family we create.
We want to build a product that aligns with our partners' expectations. The WatchGuard beta program for wireless products is always happy to accept new participants to ensure their needs are heard and built into our products.
The WatchGuard Wi-Fi Team
Re: WatchGuard and Kaspersky
WatchGuard no longer uses Kaspersky components in any of our products. Years ago we used Kaspersky AV on the XCS (email) and Fireclient (mobile) products, both of which are discontinued and EOL now. The US federal government issued guidance in 2019 against using Kaspersky products.
WatchGuard Firebox passed the US NSA's Commercial Solutions for Classified use (CSfC) certification in early 2021. We could not have achieved this if we used Kaspersky in our product. https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Components-List/#components-list-index
VP Product Management
Important Detection and Remediation Actions for Cyclops Blink State-Sponsored Botnet
WatchGuard was informed by the FBI and the UK National Cyber Security Centre (NCSC) about their ongoing international investigation regarding Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard Firebox and XTM devices. If you have a Firebox or XTM device, it is important for you to check your Fireboxes to make sure they are not affected. To learn more about Cyclops Blink and if it might affect you, please see our corporate blog post, which includes key links to detection tools, FAQs, and available resources.
Re: Best Practices for Restricting Outbound Internet Access
I would start by changing the network interface from Trusted to Optional or VLAN if that is really how it's configured.
Next I would set up two outbound policies for the Wi-Fi (Optional) network, one for DNS and the other a TCP-UDP any from the Wi-Fi (Optional) to Any-External, and enable logging.
Now test on your own device what ports and IP address the time app uses, and also the ports and IP address for Wi-Fi calling and document all of it.
Once you know where everything is going, create proxy policies for both the time app and wi-fi calling (ports, IP address) and enable logging on those.
Lastly, disable the TCP-UDP any policy once all traffic is running through the proxy policies you made earlier.
Now allow your users access to the wi-fi.
Hope that helps,
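The "enable logging, test, document everything" steps above are easier when the logged flows from the catch-all policy are aggregated per destination rather than read line by line. The following is an added example, not code from the post or from WatchGuard: it parses constructed sample log lines in an assumed `key=value` layout (not the Firebox's native log syntax; adapt `LOG_RE` to whatever your log collector emits), counts the allowed flows that hit the broad policy (assumed name `WiFi-Any`), and groups them by the application labels you recorded during testing. Anything that does not map to a known application lands in an `UNCLASSIFIED` bucket, which should be empty before the any-policy is disabled.

```python
"""Aggregate flows logged by a broad 'tcp-udp any' outbound policy so that
narrow per-application policies can be written from real observations.
Added example; the log format, policy names and app labels are assumptions."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value layout (NOT WatchGuard's
# native log syntax). One DNS hit on a different policy and one denied flow
# are included to show that both are filtered out of the summary.
SAMPLE_LOG = """\
2024-05-01T10:00:01 policy=WiFi-Any action=allow proto=udp src=10.10.5.21 sport=50123 dst=203.0.113.10 dport=123
2024-05-01T10:00:02 policy=WiFi-DNS action=allow proto=udp src=10.10.5.21 sport=50124 dst=10.0.0.53 dport=53
2024-05-01T10:00:05 policy=WiFi-Any action=allow proto=udp src=10.10.5.21 sport=4500 dst=198.51.100.7 dport=4500
2024-05-01T10:00:05 policy=WiFi-Any action=allow proto=udp src=10.10.5.21 sport=500 dst=198.51.100.7 dport=500
2024-05-01T10:00:09 policy=WiFi-Any action=allow proto=tcp src=10.10.5.22 sport=43111 dst=203.0.113.10 dport=123
2024-05-01T10:00:12 policy=WiFi-Any action=allow proto=udp src=10.10.5.22 sport=50200 dst=203.0.113.10 dport=123
2024-05-01T10:00:20 policy=WiFi-Any action=deny proto=tcp src=10.10.5.22 sport=43112 dst=192.0.2.99 dport=445
"""

LOG_RE = re.compile(
    r"policy=(?P<policy>\S+)\s+action=(?P<action>\S+)\s+proto=(?P<proto>\S+)\s+"
    r"src=(?P<src>\S+)\s+sport=\d+\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, policy="WiFi-Any"):
    """Count allowed flows per (proto, dst, dport) that hit the catch-all policy,
    remembering which clients generated them."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["policy"] != policy or rec["action"] != "allow":
            continue
        key = (rec["proto"], rec["dst"], rec["dport"])
        summary[key]["hits"] += 1
        summary[key]["sources"].add(rec["src"])
    return dict(summary)


def suggest_rules(summary, app_map):
    """Group observed destinations by application label. Destinations missing
    from app_map are reported as UNCLASSIFIED: keep the catch-all policy
    enabled until that bucket is empty or each entry is explained."""
    rules = defaultdict(list)
    for (proto, dst, dport), stats in sorted(summary.items()):
        app = app_map.get((dst, dport, proto), "UNCLASSIFIED")
        rules[app].append({"proto": proto, "dst": dst, "dport": dport,
                           "hits": stats["hits"],
                           "clients": len(stats["sources"])})
    return dict(rules)


# Assumed labels recorded while testing the time app and Wi-Fi calling
# on your own device (the post's step 3); the addresses are documentation ranges.
APP_MAP = {
    ("203.0.113.10", 123, "udp"): "time-app",
    ("198.51.100.7", 500, "udp"): "wifi-calling",
    ("198.51.100.7", 4500, "udp"): "wifi-calling",
}

if __name__ == "__main__":
    for app, rows in suggest_rules(summarize(SAMPLE_LOG), APP_MAP).items():
        print(app)
        for row in rows:
            print("   ", row)
```

With the sample data the TCP flow to the time server on port 123 ends up in `UNCLASSIFIED` because only UDP/123 was labelled; that is exactly the kind of surprise the logging pass is meant to surface before the any-policy is removed and the client breaks silently.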
Re: End to Site VPN connection from china
The normal VPN apps could work so long as there's nothing in-between blocking that traffic. As Bruce mentioned, China is known to block most of these connections, so checking with the ISPs involved that it will be allowed is the key part.