Best Of
Re: End-User Control: Activating and Deactivating the FireCloud Solution
Hi @Roger_Minervino
The ability to enforce pre-login connections, and manage if users can exit the application are currently on the roadmap.
Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
I've followed this guide here and am confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1
I downloaded the latest version of the Mobile VPN software which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software, select the SAML option, this triggers the authentication process with Entra which I complete using passwordless MFA which then returns this error:
AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.
Doing a quick search, it would appear that the WatchGuard is expecting me to authenticate using a username and password, and because I haven't done that (I've authenticated successfully, but using Passwordless MFA), it then doesn't accept this method.
Is it likely I have something set wrong? Is anyone aware of a workaround or setting I could change to allow this? Do we need to wait for WatchGuard to accept this as a valid authentication method?
Appreciate any feedback / insight anyone can offer.
Re: Credential prompt on IKEv2
Check https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bpLuSAI&lang=en_US
A better solution would be to use AD NPS RADIUS authentication...
Re: SNAT over BOVPN
You can use Dynamic NAT with the Set source IP to change the incoming public IP addr to a private IP addr on the SMTP Policy Advanced tab, which will address the issue.
Choose a private IP addr which will route over the BOVPN - perhaps the trusted interface IP addr.
Re: How to enable email notifications on Multi-WAN Failures?
@ITManager30 said:
Am I right in saying that to set up the loss of cloud connection alert we simply need to enable the "Cloud Connection Status" rule from within WatchGuard Cloud?
Correct - if you set up alerting on that rule you'll get a notification when a device either is connected to or loses communication with WatchGuard Cloud itself.
(Adding a new device to WatchGuard Cloud will trigger that alert too as a guide since a device has technically "connected" to WatchGuard Cloud).
V12.11.2 is out as of Mar. 27, 2025
Mobile VPN with SSL Client for macOS and SAML Authentication
On the Fireware Web UI Front Panel page, the System section now shows a notification when a new version of Fireware is available.
Plus fixes etc.
Re: AP200 unable to get feature key after a factory reset
@Francesco81 said:
Hello, sorry for this necropost but it is pertinent.
My M270 with total security subscription failed today and has been replaced with a new one. 2 out of 8 APs got online, the newest AP320 & AP325.
For the older ones, 1 AP102 and 5 AP300 I don't know how to activate them.
Given you had the M270 replaced, if it was updated to a 12.11 release, then this could be the issue (taken from the release notes for 12.11):
"As of Fireware v12.11, only AP125, AP225W, AP325, AP327X, AP420 devices that run the latest v11.0.0-36-4 AP firmware are supported by the Gateway Wireless Controller. Upgrade to the latest AP firmware before you upgrade to Fireware v12.11 or higher."
If your previous M270 was running, say, 12.10.4, you'd need to downgrade to that version to make those APs work, but as james.carson mentioned, the [gateway wireless controller] APs are now end of life per se.
Re: Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
Thanks, I've just added a support case referencing the above case IDs