Best Of

Re: Adding a optional interface to Azure hosted Firebox

We found the solution with WG suports help (after 20 or so days), against the additional NIC in Azure under IP configuration we needed to enable 'IP Forwarding'

m.relouw

Re: Dose the Watchguard need legal IP to establish the site to site VPN

If your T10 is getting a private IP from your ISP router, then I recommend setting the T10's WAN IP statically with the assigned private IP, then in the ISP router, put that private IP address into the ISP router's DMZ. That is almost as good as being in bridge mode because all external traffic is directed to the WAN IP of the T10 despite it being a private IP. When checking its WAN IP at https://www.myip.com/ or a similar site, that will show the public WAN IP address of the ISP router, and that is what should be used in the BOVPN...I think. It works for SSLVPN and IKEv2 VPN.

[email protected]

Re: can i create site to site VPN with fortigate using DDNS?

There isn't an issue about using a domain name on the WG end.

You can turn on diagnostic logging for IKE which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher

If this doesn't help, consider opening a support incident.
Support will probably want the IKE diagnostic logs in order to help.

Bruce_Briggs

Re: Firebox drop Vpn Mobile Client connection

You need a Feature Key for this and many other things to work.
Also, without a Feature Key, only 1 internal IP addr is allowed to go out External.

I expect that you can get an evaluation Feature Key for a FireboxV, but I'm not sure of the process.
Hopefully James of WG will comment here on how to do this.
@james.carson

Bruce_Briggs

Feature request: SAML-Ressources | multiple attributes that can be claimed by the SP

Hello everyone,

Concerning SAML-Ressources, SSO and Provisioning, I suggest the feature to allow multiple attributes to be send on SAML-based authentication flows.

So far, it is possible to add SAML ressources and can choose between [Email, User Name, Email prefix] as the User ID to be send on redirection to the service provider (SP).
Increasing the number of attributes, that can be claimed by the SP, would mean that more attributes could be send and synchronised in SPs User base. Therefore you don't need to manually do this or set up additional synchronisation of users to the SP user directory, which also could cause IT-security risks.

These additional attributes, I'm speaking from, are for example: phone number, department, location, and so on of an user.

Now, with a SAML-flow that supports multiple attributes to beclaimed by the SP, these attributes can be synchronised at the time the user logs in the SP application.

How would this feature benefit customers or Watchguard?

Customers can provision Users through SAML-flow in SP application
Customers do not need to setup additional user synchronisation - which could also cause IT-security risks
Customers could reduce costs regarding user synchronisation management - the setup is only needed to be done for Authpoint user synchronisation
Many other MFA-/SSO-providers offer this feature - therefore Watchguard / Authpoint could increase their competitiveness and attractiveness

Following Requirements would be necessary to implement the feature

Watchguard adds the possibility to synchronise more attributes in its own user directory.
Watchguard adds the possibility to send more attributes on SAML-based autentication flows.

What do you think of this?
Does any other Authpoint customer could make good use of it?

Kind regards,
Thomas

Thomas_B1

Re: Status Page

They have this now.

https://status.watchguard.com/

Just released this week / last week I think!

Tristan.Colo

Re: VPN SSL - AD authentication users with expired password

> @xxup said:
> Yep. I have been doing more things with AuthPoint. When it first came out I struggled with getting anything to work, but these days it seems to work very well and the WatchGuard integration guides are very useful. I already have one customer on board with AuthPoint and the others are starting to get interested in the solution.

It’s even easier now if your firewall supports 12.7.1 since there is now a direct integration with AuthPoint.

Tristan.Colo

Re: AuthPoint & Multiple Groups Per User

Hi @chagerhg

I'm a bit confused why you wouldn't give your "admins" at least the same access as your "users" group. Ensuring that your admins have access to whatever required resources they need should allow you to access resources as needed.

Most issues have been addressed via the AuthPoint authentication policies since that initial post:
(About AuthPoint Authentication Policies)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/policies_about.html

james.carson

Re: Best way to connect to watchguard?

"unless you use Dimension or Cloud Visibility" or the old but still working WSM Log & Report servers

Bruce_Briggs

Re: A Message from Product Management

Current implementation of DNSWatch prevents one using UDP port 53 for SSLVPN access. I would like to use DNSWatch and use UDP port 53 for SSLVPN access.
I would like to have local DNS firewall policies be used prior to DNSWatch forwarding DNS packets to the cloud. The last time that I tried this, I could not get my DNS policies to work even though they were above the "Any From Firebox" policy.

Bruce_Briggs