Best Of
Re: Heartbeat Unavailable in WSM
Expiring the lease makes the mgmt server reach out to the firewall and effectively poke it, and asks it to check in. May mean that the firewall has incorrect setting (wrong IP, etc) for the mgmt server, or something else.
-On the firewall that isn't checking in, search the traffic monitor logs for "dvcp" -- any errors there might shed some light on what the problem is.
-Make sure that the firewall has the correct management server IP in Setup -> Managed Device Settings.
-Make sure that the firewall in front of the management server is allowing the external traffic into the management server. Many admins will change the policy from any-external to a list of their managed firewalls -- this might need to be updated if you've done that.
If you keep running into the issue, opening a support ticket would probably be the next step to fixing it.
Re: SSL VPN some traffic through VPN
Turn on Logging on any policies which you think will allow this access so that you see access attempts in Traffic Monitor.
You can test this access using the SSLVPN client from behind the firewall.
Make sure that the Dynamic NAT settings still have the 3 private supernets and that one of them includes the SSLVPN virtual IP subnet.
Re: Can Linux be used as a firewall M200 log server, if yes how?
In addition to the above, if you'd like to have a look at a running dimension system with logs running to it, you can do so at
https://demo.watchguard.com
user: demo
password: visibility
Re: SSLVPN via BOVPN
If the BOVPN tunnel is from your WG firewall to some other device on the Internet - yes this is possible.
You need to add the SSLVPN virtual subnet to the BOVPN Tunnel settings on each end.
Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_via_sslvpn_c.html
Re: Why is SSL-VPN answering on different secondary IP Addresses?
Opps - my error.
From: Any-external is correct.
Change the To: field from Firebox to 24.173.163.4
Re: New Management server no backup
Hi @Samad
If you're just managing the one firewall, there really isn't any reason to re-install the management server. You can just use WSM too connect to the firewall directly.
Re: PMTU Settings for IPsec
Hi @grahamo
For managed (DVCP) VPNs, it's not configurable. If you need to configure that setting, I'd suggest building the tunnel manually either in Policy Manager or the WebUI.
Re: Trying to re-purpose an old Firebox x15 edge to access a home computer
Maybe, but a new inexpensive consumer grade router / NAT firewall can do so as well.
What software version is on the X15?
There should be a MUVPN option - which is a client VPN.
As this firewall and firmware is so old, I would not recommend doing this.
There may well be modern client VPN incompatibilities and there could be unpatched exposures in the old software on this unit.
Re: Can Linux be used as a firewall M200 log server, if yes how?
The only log servers that we support are:
-WatchGuard Log/Report server, which runs on Windows.
-WatchGuard Dimension, which is a VMWare/HyperV virtual machine.
You can find more about each here:
(Quick Start — Set Up Logging to a WSM Log Server)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/setup_logging_task_wsm.html
(Get Started with WatchGuard Dimension)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/get-started_dimension_d.html
Some customers have reported success converting a Dimension VMWare image over to Linux KVM (https://www.linux-kvm.org/) however, Dimension is only supported on supported versions of VMWare and HyperV. This means it'd likely work, but if it were to break, you'd be on your own.
Finally, the firewall does support sending log data via syslog, but you'll need to set up your own 3rd party server/service to handle the syslog data stream. You can find more about that here:
(Configure Syslog Server Settings)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/send_logs_to_syslog_c.html