Best Of
Re: VoIP dropping calls (go silent on both ends, but still look connected)
No one uses SIP-ALG, no one. In general you need a packet filter for the needed ports to the IPs or FQDN of the IPT vendor (or system).
A common one...
- TCP and UDP 5060->9
- UDP 10,000-30,000
- UDP 5222
And depending on other things, well, other things. 80 and 443 are already handled in theory.
I also create an alias for my handsets (in general PolyCom) so that I can easily apply rules to the handsets on their subnet.
As a note - "Any" never seems to work. I have to create packet filters with the needed ports to the needed (external) IPs and things work very well. There are a few options for the handsets (option 150 or 66).
Re: LDAP Signing (Not LDAPS)
Hi @ChrisSnape
We don't support LDAP signing (SASL). You'll either need to use LDAPS, or disable signing in your group policy.
Setting:
Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Change - Network security: LDAP client encryption requirements: "Negotiate Sealing"
To - Network security: LDAP client encryption requirements: "None"
Re: upgraded ISP bandwidth, WiFi doesn't see the increase
Hi @bford
You'll see the best performance on 5GHz channels. Generally, 40- or 80-MHz channels perform better when the channel space is clear, and your devices support wide channels. If your air space is congested, sticking to 20MHz channels may be required.
- Your laptop will need to have a 2x2 radio for best performance.
- Your laptop will need to have a WiFi card that supports Wave 2 AC or better for best performance.
Based on the hardware specs you listed, the biggest impact would likely be increasing your channel width on 5GHz. Keep in mind that your other devices on that WiFi network will need to support this for the best performance.
From the hardware guide, the absolute max throughput for the AP325 is:
2.4GHz, 802.11b/g/n. Max datarate: 300Mbps
5GHz, 802.11a/n/ac. Max datarate: 876Mbps
Please keep in mind that this is the total throughput for the AP, not the throughput for a single client.
https://www.watchguard.com/help/docs/hardware guides/AP325_Hardware_Guide.pdf
Thank you,
Re: Detailed report for denied traffic
You can use Log Search for a specific source IP addr AND denied.
Log Search (WatchGuard Cloud)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/reports/log_search_wgc.html
Review the WatchGuard Query Language section, which should help you set up the desired search.
Re: I need help regarding Firebox and regarding customer support
Hi @NicoWG
Your client can add you as a contact under their account so that you have access to the same fireboxes (and serial numbers) in their account. This also allows you to see each other's support cases.
See our policy here:
(WatchGuard support requires all callers to be authorized)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g4ykSAA
Re: Why are my networks not segmented?
If you have policies with To: and/or From: Any-trusted or Any, those will potentially allow traffic between different firewall interfaces or VLANs.
Options include:
1) Reviewing your policies which may allow these undesired connections from 1 firewall interface to another, and replacing Any-trusted or Any with a different From/To interface name or alias.
2) Changing the interface type from Trusted to something else, such as Optional or Custom, on the Point-Of-Sale interface AND making sure that traffic between your 2 interfaces is allowed as desired by new or modified policies.
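The Any-trusted behaviour and the two options above, as an added Python model (not from the post, and not WatchGuard's own policy engine); the interface names, subnets and policy names are constructed:

```python
# Added example: a minimal model of how an "Any-trusted" From/To alias matches
# traffic between two interfaces that are both Trusted, and how the two fixes
# above (replace the alias, or retype the interface) change the outcome.
# Interface names, subnets and policy names below are constructed.
from ipaddress import ip_address, ip_network

# Constructed interface table: name -> (interface type, subnet)
INTERFACES = {
    "LAN": ("Trusted", ip_network("10.0.1.0/24")),
    "POS": ("Trusted", ip_network("10.0.2.0/24")),   # point-of-sale VLAN
    "External": ("External", ip_network("0.0.0.0/0")),
}

# Option 2 from the post: retype POS as Optional so Any-trusted no longer covers it.
OPTION2_IFACES = dict(INTERFACES, POS=("Optional", INTERFACES["POS"][1]))

def interface_of(interfaces, ip):
    """Return the interface whose subnet contains ip (most specific prefix wins)."""
    ip = ip_address(ip)
    cands = [(name, subnet) for name, (_, subnet) in interfaces.items() if ip in subnet]
    return max(cands, key=lambda c: c[1].prefixlen)[0]

def alias_matches(interfaces, alias, iface):
    """Resolve a policy alias against a concrete interface name."""
    if alias == "Any":
        return True
    if alias == "Any-trusted":
        return interfaces[iface][0] == "Trusted"
    return alias == iface

def evaluate(interfaces, policies, src, dst):
    """First-match lookup over (name, from, to, action); implicit deny otherwise."""
    s_if, d_if = interface_of(interfaces, src), interface_of(interfaces, dst)
    for name, frm, to, action in policies:
        if alias_matches(interfaces, frm, s_if) and alias_matches(interfaces, to, d_if):
            return name, action
    return "default", "deny"

# The broad policy that quietly permits LAN <-> POS traffic.
ORIGINAL = [("Internal-Any", "Any-trusted", "Any-trusted", "allow")]
# Option 1 from the post: name the interface instead of using the broad alias.
OPTION1 = [("LAN-to-External", "LAN", "External", "allow")]

if __name__ == "__main__":
    print("broad alias:   ", evaluate(INTERFACES, ORIGINAL, "10.0.1.5", "10.0.2.9"))
    print("option 1:      ", evaluate(INTERFACES, OPTION1, "10.0.1.5", "10.0.2.9"))
    print("option 2:      ", evaluate(OPTION2_IFACES, ORIGINAL, "10.0.1.5", "10.0.2.9"))
```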
Re: loopback ip
Alternatively, use the set source IP in a policy specific to that RADIUS traffic to set the source IP as something you already have a tunnel for.
Re: loopback ip
You need to add the external IP addr of the firewall in your BOVPN setup.
Re: Minimum Version Req to upgrade to 12.11.6?
Thanks for the info. I just upgraded my M4600 from 12.3 to 12.11 and all is good.