You would need to add new HTTP & HTTPS policies From: the desired domain names, with App Control not enabled or with an App Control action which does not include DROP on Web File Transfer.
Make sure that the new policies are above the existing policies so that they will be evaluated first.
Giving credit where due:
KevCar (https://community.watchguard.com/watchguard-community/profile/KevCar) is the one who suggested deleting the folder. So far, my connection has been flawless for the first time in many months.
WatchGuard doesn't have any program like that (we do offer significant discounts on new firewalls to schools, however).
My apologies, but I used an online translation tool to read your question. Please feel free to correct me if I have any part of your issue wrong.
You said that you want to test using your Mobile VPN without having to use a Hotspot or similar "other" external connection.
My assumption is that you're using SSLVPN, as this VPN is policy bound to only listen to what is listed in the "WatchGuard SSLVPN" policy.
- Find that policy in your policy list.
- If you see a warning that you're modifying an automatically generated policy, click OK.
- In the From field, add "Any-Trusted" and/or "Any-Optional."
- Save your configuration to the firewall.
This should allow the customer to connect to the SSLVPN from the internal network.
There's no way to rename the action, but you can clone it and name the cloned one whatever you want (then delete the old one).
Use this button in the policy in Policy Manager to do that: https://imgur.com/a/yBuRpeJ
Thanks for writing.
The access portal is a bit complex, so there's not a video quite yet. Any video produced would likely be specific to an integration, as a general example video would be very long, and not touch on any specific points.
I'd suggest starting here, if you haven't already:
(Reverse Proxy for the Access Portal) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/access portal/access_portal_reverse-proxy.html
In the future, please do not post connection (port) and domain info here, as this forum is accessible and searchable via the general Internet. If you need help that requires posting specific information, I'd suggest creating a support case with WatchGuard's support center button (top right of the page) instead. That'll help keep your information safe.
These errors always indicate the proxy was unable to pre-validate the chain using certificates presented by the server and its own root CA bundle. Kind of like a browser would.
The server is misconfigured. It is not sending the intermediate certificate in its response.
1. Sent by server: www.matrixgames.com
2. Extra download: Go Daddy Secure Certificate Authority - G2
3. In trust store: Go Daddy Root Certificate Authority - G2 (self-signed)
2 is the responsibility of the server. Both Firefox and Chrome have cert 2 in their bundles.
To mitigate, you can append the intermediate certificate to Firebox's CA bundle. Import it as a General Use certificate via FSM / View / Certificates / Import Certificate. Link to the certificate from GoDaddy's certificate repository: https://ssl-ccp.godaddy.com/repository/gdig2.crt.pem
I'll recommend that we add it to the next CA bundle update.
I see the same.
Add an Allow entry on your HTTPS proxy for this
I see this related to the cert issue:
CN = www.matrixgames.com
Fireware HTTPS Proxy: Unrecognized Certificate
I'm running XTM V12.5.1
It's likely that's the only traffic that was logging -- since the reports will likely contain sensitive data -- I'd suggest opening a case with support. Include both the report and access to the firewall or a copy of your config so they can investigate what's happening.
If you're just looking to limit inbound traffic, you can make a separate firewall rule for that inbound traffic and apply a traffic management action to it.
You could create an alias (under setup -> aliases) and use that in the from field instead of any external.
Rule - Name - From - To
1 - Webserver From TOR nodes - TOR Node Alias - SNAT external -> 192.168.10.252
2 - Webserver All Others - Any External - SNAT external -> 192.168.10.252
For Traffic management action, you could rate limit per IP address (so multiple clients using the same TOR node would effectively divide up whatever you assigned/gave them.)