Best Of
Re: SSL VPN 12.11.4 SAML issue
Please see the proposed workaround here:
@Dave_Daniels said:
Hi @sega2k6 and @BetterInvesting,
Can you try this possible workaround?
On Entra
Create a conditional access policy
On the Users, add the user you are testing with that is having the issue. (Later you can add the full sslvpn group if it works for you)
On Target resources, add the sslvpn application that was created for the SAML integration.
On Session, set the sign-in frequency to Every time
Set policy to ON position
Click Create
Wait for about 30 mins for Entra to apply the changes. There seems to be a delay on this.
Then test. Does this allow your user to manually sign into the mini saml browser now?
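The same conditional access policy expressed through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post or WatchGuard's documentation. The display name and the two placeholder IDs are assumptions; replace them with the test user's object ID and the app ID of the SSL VPN SAML enterprise application.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and an account
# allowed to manage conditional access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders (assumptions): fill in from your own tenant.
$testUserObjectId = '<test-user-object-id>'    # the user who has the issue
$sslVpnAppId      = '<sslvpn-saml-app-id>'     # app created for the SAML integration

if ($testUserObjectId -like '<*' -or $sslVpnAppId -like '<*') {
    throw 'Replace the placeholder IDs before creating the policy.'
}

$policy = @{
    displayName = 'SSLVPN SAML - sign-in frequency every time'   # hypothetical name
    state       = 'enabled'                                      # "Set policy to ON"
    conditions  = @{
        clientAppTypes = @('all')
        # Scope to one test user first; widen to the sslvpn group once it works.
        users          = @{ includeUsers = @($testUserObjectId) }
        # Target resources: only the SSL VPN SAML application.
        applications   = @{ includeApplications = @($sslVpnAppId) }
    }
    sessionControls = @{
        # Session > Sign-in frequency > Every time
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the scope and session control that were stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Users';           e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Applications';    e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'SignInFrequency'; e = { $_.SessionControls.SignInFrequency.FrequencyInterval } }
```

Keeping the policy scoped to a single user and a single application limits who is forced to re-authenticate while the workaround is being tested.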
Re: Setting up SAML with Entra
Just to update this post. I opened a case with WatchGuard direct and managed to get it working. The solution was to follow through this link:
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000DQKrKAO&lang=en_US
Latest version of the MUVPN software and a manual tweak for non-admin users.
All working now.
Kind Regards,
Chris Snape
Re: Firecluster with Multiwan - Layer 2 switch recommendations
In general, for an active/backup cluster, any layer 2 switch will do just fine. Using two separate switches (one for each ISP) is the best way to do this, because trying to do both ISPs on one switch will create a single point of failure.
I can't recommend any specific brands as an employee, but make sure that whatever device you choose has a management interface, is only accessible via a management port, or is locked down so it can't be accessed internally. Many customers choose dumb L2 switches on their external side for this reason.
Re: VPN users having issues connecting on Wifi but able to connect on hotspot
Quick update, this turned out to be a strange one. I’ve been working on this with support tickets open to WG, and several engineers and techs reviewed the system and assured me the issue wasn’t on our end.
However, I just discovered that a user experiencing the problem was listed under "Blocked Sites" in FSM. It turns out there’s a setting that automatically blocks an IP for 24 hours if it attempts more than 10 connections within an hour.
Now that I’m aware of this, I can manually unblock affected users going forward. I’m just surprised none of the engineers noticed this or suggested I check that setting.
All good, thanks for the help!
Re: Mobile VPN Client with SSLVPN v 12.11.3 SAML broken following Edge Update on Windows Systems
@phanaaekIT yes, it will be fixed on a later version. I am assuming the next version we release. There is discussion on putting the required folder in some location that is not user specific. A machine-wide directory like %Program Data%.
No ETA on when this will be done though. It's in testing phase now.
Re: Routing between two local networks
Turns out that the vendor had a misconfiguration in their routing table.
They only allowed traffic from 10.74.3.226; after their change we can ping from 10.20.1.0/24.
Thank you for your help.
CVE-2025-9242 update for unmanaged devices?
We've all gotten the emails about this CVE and the need to update our devices to remediate the issue, but in the email it makes reference to "unmanaged" devices out of subscription, and it says WatchGuard would contact us with information about updating those devices separately. Okay, HOW?
I just spoke with someone at support who told me that they are not providing any fixes for boxes out of support contracts, even though this is a critical CVE. This seems contrary to what most providers have been doing. As a reseller, we have numerous devices that are not EOL, and often just out of LS, or NFRs - all that we are still using for internal testing/training, and still have use to us. I understand nobody wants to support devices forever, but many of these devices are not that old, and as a reseller who has been selling your products for more than a decade, I am somewhat disappointed in this response.
Can we get some clarification on what the critical CVE patching availability policy is with WatchGuard, and what those of us with these unmanaged devices are supposed to do about these critical issues?
Re: "the Mobile VPN with SSL Client installer can now close a running client during an update."
Hi @feek
It's /autokill
You can use it with the other options, like /verysilent, if you need to.
I asked our docs team to please update a few articles to reflect that change, so it should be documented soon.
Announcing the WatchGuard Idea Portal
WatchGuard community users and customers,
We've listened to your feedback about product enhancement requests and have been hard at work to provide you with a better system. The WatchGuard Idea Portal allows you to submit ideas directly to our Product Management team and receive feedback on your requests.
You can navigate to the Idea Portal by logging into WatchGuard Cloud. https://cloud.watchguard.com
-Click the question mark at the top right of the page and select Give Feedback.
-The idea portal will load and allow you to make submissions for new ideas or upvote existing requests.
Thank you,