Opps - my error.
From: Any-external is correct.
Change the To: field from Firebox to 220.127.116.11
If you're just managing the one firewall, there really isn't any reason to re-install the management server. You can just use WSM too connect to the firewall directly.
For managed (DVCP) VPNs, it's not configurable. If you need to configure that setting, I'd suggest building the tunnel manually either in Policy Manager or the WebUI.
Maybe, but a new inexpensive consumer grade router / NAT firewall can do so as well.
What software version is on the X15?
There should be a MUVPN option - which is a client VPN.
As this firewall and firmware is so old, I would not recommend doing this.
There may well be modern client VPN incompatibilities and there could be unpatched exposures in the old software on this unit.
The only log servers that we support are:
-WatchGuard Log/Report server, which runs on Windows.
-WatchGuard Dimension, which is a VMWare/HyperV virtual machine.
You can find more about each here:
(Quick Start — Set Up Logging to a WSM Log Server)https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/setup_logging_task_wsm.html
(Get Started with WatchGuard Dimension)https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/get-started_dimension_d.html
Some customers have reported success converting a Dimension VMWare image over to Linux KVM (https://www.linux-kvm.org/) however, Dimension is only supported on supported versions of VMWare and HyperV. This means it'd likely work, but if it were to break, you'd be on your own.
Finally, the firewall does support sending log data via syslog, but you'll need to set up your own 3rd party server/service to handle the syslog data stream. You can find more about that here:
(Configure Syslog Server Settings)https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/send_logs_to_syslog_c.html
And, even if the Allow IKEv2-Users policy was lower in the list, your HTTPS-ADFS does not include IKEv2-Users so it would not apply.
It's likely that the IP that the WatchGuard is receiving in the traffic is not what's actually in the VPN gateway/endpoint settings. If the WatchGuard is turning around and initiating the tunnel after receiving that, and it works, it'd keep the tunnel up.
compare the (SITE.IP<->REMOTE.IP) to what's actually in your VPN gateway settings, do they match exactly?
In theory, "*.anydesk.com" should cover all subdomains, such as abc.net.anydesk.com and the ones you posted.
The docs show that these FQDNs types should work, as long as a DNS request for them are going though the firewall:
You can also use subdomain wildcards, for example:
Since this does not seem to be working for you, consider opening a support incident on it.
You could add a DNS proxy policy From: the Anydesk client IP adddr, with Query Names -> Default set to Log, to see the DNS queries in Traffic Monitor.