Best Of
Re: Dimension on Proxmox ?
Hi @markpcom
Work is being done on proxmox support for Dimension.
Re: Windows update and VPN
Hi @tantony
Windows sometimes unregisters SSLVPN's TAP driver. This can be caused by other applications trying to use that same TAP driver or by updates to your network drivers via Windows update.
If you'd like to use Windows' built-in VPN client, we support that via IKEv2 and L2TP. We generally recommend IKEv2 for Windows 10 and 11. L2TP is usually used with legacy versions of Windows and other devices that don't support IKEv2.
See:
(Mobile VPN with IKEv2)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_about_c.html
Re: IKEv2 Mobile VPN Problems Authorization AD
If you use Firebox-DB credentials to connect to the IKEv2 VPN and have problems connecting to AD resources,
check: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bpLuSAI&lang=en_US
A better solution would be to change IKEv2 to use RADIUS (NPS) AD authentication:
https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZlhSAG&type=KBArticle
NPS RADIUS server install and configuration:
https://www.screencast.com/t/YhZSg5LMZ3ow
Firebox RADIUS and IKEv2 configuration:
https://www.screencast.com/t/1qJkEtot6zUw
If you want to configure Windows IKEv2 to use "Automatically use my Windows logon name...",
you need to give the RADIUS server name in the Firebox RADIUS settings the same name as your on-prem AD domain name, and it needs to be in capital letters!
In the video the on-prem AD domain name is domain1.com, so the RADIUS server name in the Firebox needs to be DOMAIN1.
This is because the Windows IKEv2 client is sending the credentials in "DOMAIN\user" format.
If you don't configure the "Automatically use my Windows logon name..." option, then the RADIUS name in the Firebox RADIUS settings can be whatever you like, in uppercase or lowercase letters.
Windows 10 & 11 IKEv2 configuration with the IKEv2 *.bat file:
https://www.screencast.com/t/F8opfvqa1Q
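A small Python model of the lookup the post describes, added here as an example (not WatchGuard code and not the poster's). It assumes that the Firebox selects the authentication server whose configured name equals the domain prefix the Windows client sends in `DOMAIN\user` form, compared exactly and case-sensitively, and that the client derives the prefix by upper-casing the first label of the AD domain (domain1.com becomes DOMAIN1, as in the post); those two assumptions are what make the capital-letters rule necessary. Server names and users are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthServer:
    """One entry in the Firebox authentication server list (simplified model)."""
    name: str   # the server name as typed in the Firebox settings
    kind: str   # e.g. "Firebox-DB" or "RADIUS"


def split_login(login: str) -> tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); a bare 'user' has no domain."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return domain, user
    return None, login


def resolve_auth_server(login: str, servers: list[AuthServer],
                        default: AuthServer) -> tuple[Optional[AuthServer], str]:
    """Assumed behaviour: a domain prefix selects the server whose configured
    name matches it exactly (case-sensitive); no prefix means the default server."""
    domain, user = split_login(login)
    if domain is None:
        return default, user
    for server in servers:
        if server.name == domain:      # exact match: 'domain1' != 'DOMAIN1'
            return server, user
    return None, user                  # no server named like the prefix: auth fails


def windows_logon_form(ad_domain_fqdn: str, username: str) -> str:
    """Assumed: with 'Automatically use my Windows logon name' on, the client
    sends DOMAIN\\user with the first label of the FQDN in upper case."""
    netbios = ad_domain_fqdn.split(".")[0].upper()
    return f"{netbios}\\{username}"


# Constructed server lists: same setup, only the case of the RADIUS name differs.
FIREBOX_DB = AuthServer("Firebox-DB", "Firebox-DB")
WRONG_CASE = [FIREBOX_DB, AuthServer("domain1", "RADIUS")]
RIGHT_CASE = [FIREBOX_DB, AuthServer("DOMAIN1", "RADIUS")]

if __name__ == "__main__":
    login = windows_logon_form("domain1.com", "jdoe")          # 'DOMAIN1\\jdoe'
    print(login, "->", resolve_auth_server(login, WRONG_CASE, FIREBOX_DB)[0])  # None
    print(login, "->", resolve_auth_server(login, RIGHT_CASE, FIREBOX_DB)[0])  # RADIUS
    # A user who types a bare name (option off) always lands on the default server.
    print("jdoe", "->", resolve_auth_server("jdoe", WRONG_CASE, FIREBOX_DB)[0])
```

The last call shows the post's second point: without the Windows logon name option the client sends no domain prefix, so the RADIUS server name's case never enters the lookup.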
IKEv2 Mobile VPN Problems Authorization AD
Hello,
I configured Mobile VPN with IKEv2 on the Firebox M370. For authentication, in the first step we configured users of the Firebox-DB. After installing the batch file on a Windows 10 client, the connection was successful. I'm able to ping all clients and servers (including the domain controller) that I want to reach. But there is still a problem with the connection to the domain controller. I can't authenticate my AD user. If I want to access shares, Outlook (Exchange), the print server etc., I have to authenticate with username and password. Also I can't update user group policies with gpupdate.
After a new Windows login, everything works fine.
We use DNS server of the domain controller at the IKEv2 VPN profile.
Does somebody have any idea?
Re: IKEv2 Mobile VPN Problems Authorization AD
That's odd. I have never been asked to authenticate to AD after establishing an IKEv2 VPN connection, and I can access network resources just fine. The login to the AD domain happens before establishing the VPN (I suppose by cached credential).
I'm only asked to authenticate when the IKEv2 username is different from the AD username, for example: JohnDoe (Firebox-DB username), JDoe (AD username). For that reason, I create the same username but a different password on Firebox-DB.
Block download .ps1 files
Hi,
Has anyone managed to block the download of .ps1 files using "pattern match"?
With .exe I have succeeded using the string “%0x4d5a%*” but I can't find anything about how to find the relevant string for .ps1 files.
Thanks
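The post's `%0x4d5a%*` pattern works for .exe because every PE file starts with the two bytes 0x4d 0x5a ("MZ"); a .ps1 file is plain text with no fixed leading bytes (at most an optional UTF-8 BOM), so no equivalent content pattern exists for it. The Python below is an added example, not the poster's code and not a Firebox feature: it assumes a proxy-style hook that sees the download URL, the response headers and the first bytes of the body, classifies PE files by the MZ signature, and falls back to the filename (Content-Disposition first, then the URL path) for scripts that have no signature. All sample responses are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# The bytes behind the post's "%0x4d5a%*" pattern: the 'MZ' DOS header that
# every PE executable (.exe, .dll, ...) starts with.
PE_MAGIC = bytes.fromhex("4d5a")

# A .ps1 file is plain text; the only leading bytes it may carry are a BOM.
UTF8_BOM = b"\xef\xbb\xbf"

# Matches filename="x" and RFC 5987 filename*=UTF-8''x forms of Content-Disposition.
_FILENAME_RE = re.compile(r'filename\*?=(?:UTF-8\'\')?"?([^";]+)"?', re.I)


def starts_with_pe_magic(body: bytes) -> bool:
    """Content-based check: true for any PE file regardless of its filename."""
    return body[:2] == PE_MAGIC


def filename_from_response(url: str, content_disposition: Optional[str]) -> str:
    """Prefer the filename in Content-Disposition; otherwise the last URL path segment."""
    if content_disposition:
        m = _FILENAME_RE.search(content_disposition)
        if m:
            return unquote(m.group(1).strip())
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def extension_of(name: str) -> str:
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def classify_download(url: str, headers: dict, body: bytes) -> str:
    """Classify by content where the content has a signature, by filename otherwise."""
    if starts_with_pe_magic(body):
        return "pe-executable"
    name = filename_from_response(url, headers.get("content-disposition"))
    if extension_of(name) == "ps1":
        return "powershell-script"
    return "other"


# Constructed sample responses (url, lower-cased headers, first body bytes); not real captures.
SAMPLES = [
    ("https://example.test/dl/setup.exe", {}, b"MZ\x90\x00\x03\x00\x00\x00"),
    ("https://example.test/dl/Invoke-Thing.ps1", {}, b"Write-Host 'hello'\r\n"),
    ("https://example.test/dl/get?id=7",
     {"content-disposition": 'attachment; filename="deploy.ps1"'},
     UTF8_BOM + b"param($x)\r\n"),
    ("https://example.test/dl/readme.txt", {}, b"plain text\n"),
]

if __name__ == "__main__":
    for url, hdrs, body in SAMPLES:
        print(f"{classify_download(url, hdrs, body):18} <- {url}")
```

The third sample is the case a filename-only rule on the URL would miss: the path has no extension and the name arrives in Content-Disposition. The inverse limitation also holds: a script served with a misleading name or extension is invisible to both checks, which is why a content signature is preferred wherever the format has one.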
Re: M4600 Arm LED red
Hi @markus93
If the reset procedure that Bruce suggested doesn't help, I'd suggest opening a support case.
If you have an RJ45 -> DB9 serial cable, you can plug in and look at the firewall's output via these settings:
Speed: 115200 baud
Data bits: 8
Stop bits: 1
Parity: None
Flow Control: None
If the firewall has an issue (like it won't boot) that may help identify it quickly.
Re: Policy based routing
2 options:
1) for traffic allowed from a specific policy:
On an outgoing policy, on the Advanced tab, NAT section -> select "All traffic in this policy" and enter the external IP addr to be used
2) For all traffic from a specific IP addr:
You can add a Dynamic NAT entry -
- From: the internal IP addr
- To: the desired WAN addr
- Set source IP: the public IP addr to be used
Re: Access Portal with Authpoint - returning to Login page
Did you figure it out? I had the same issue where the SAML cert on the Firebox had renewed and I just uploaded the new one to the cloud config.
https://yourfirebox.domain/auth/saml (download cert here)
Upload the cert to the SAML resource associated with it in your WatchGuard Cloud configuration.
Re: AuthPoint MFA for Watchguard System manager and Policy Manager
Just to add - this is 100% coming. My insurance company is now forcing MFA for all network equipment on the network (including network switches that have a GUI: you must enable MFA or remove them from the network). I used to be able to place these appliances in an "admin" VLAN, but from next year this will no longer be an option if you want cyber / business insurance coverage. The rules state that all equipment that is accessed via a GUI / management program must have MFA / 2FA.