Best Of
Re: SSL VPN some traffic through VPN
Turn on Logging on any policies which you think will allow this access so that you see access attempts in Traffic Monitor.
You can test this access using the SSLVPN client from behind the firewall.
Make sure that the Dynamic NAT settings still have the 3 private supernets and that one of them includes the SSLVPN virtual IP subnet.
Re: Can Linux be used as a firewall M200 log server, if yes how?
In addition to the above, if you'd like to have a look at a running dimension system with logs running to it, you can do so at
https://demo.watchguard.com
user: demo
password: visibility
Re: SSLVPN via BOVPN
If the BOVPN tunnel is from your WG firewall to some other device on the Internet - yes, this is possible.
You need to add the SSLVPN virtual subnet to the BOVPN Tunnel settings on each end.
Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_via_sslvpn_c.html
Re: Why is SSL-VPN answering on different secondary IP Addresses?
Oops - my error.
From: Any-external is correct.
Change the To: field from Firebox to 24.173.163.4
Re: New Management server no backup
Hi @Samad
If you're just managing the one firewall, there really isn't any reason to re-install the management server. You can just use WSM to connect to the firewall directly.
Re: PMTU Settings for IPsec
Hi @grahamo
For managed (DVCP) VPNs, it's not configurable. If you need to configure that setting, I'd suggest building the tunnel manually either in Policy Manager or the WebUI.
Re: Trying to re-purpose an old Firebox x15 edge to access a home computer
Maybe, but a new inexpensive consumer grade router / NAT firewall can do so as well.
What software version is on the X15?
There should be a MUVPN option - which is a client VPN.
As this firewall and its firmware are so old, I would not recommend doing this.
There may well be modern client VPN incompatibilities and there could be unpatched exposures in the old software on this unit.
Re: Can Linux be used as a firewall M200 log server, if yes how?
The only log servers that we support are:
- WatchGuard Log/Report server, which runs on Windows.
- WatchGuard Dimension, which is a VMware/Hyper-V virtual machine.
You can find more about each here:
(Quick Start — Set Up Logging to a WSM Log Server)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/setup_logging_task_wsm.html
(Get Started with WatchGuard Dimension)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/get-started_dimension_d.html
Some customers have reported success converting a Dimension VMware image over to Linux KVM (https://www.linux-kvm.org/); however, Dimension is only supported on supported versions of VMware and Hyper-V. This means it'd likely work, but if it were to break, you'd be on your own.
Finally, the firewall does support sending log data via syslog, but you'll need to set up your own 3rd party server/service to handle the syslog data stream. You can find more about that here:
(Configure Syslog Server Settings)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/send_logs_to_syslog_c.html
Re: IKEv2 - unable to access internal resources and no internet - I can ping internal IPs
And, even if the Allow IKEv2-Users policy was lower in the list, your HTTPS-ADFS does not include IKEv2-Users so it would not apply.