Best Of
Re: Detailed report for denied traffic
You can use Log Search for a specific source IP addr AND denied
Log Search (WatchGuard Cloud)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/reports/log_search_wgc.html
Review the WatchGuard Query Language section which should help you set up the desired search
Re: I need help regarding Firebox and regarding customer support
Hi @NicoWG
Your client can add you as a contact under their account so that you have access to the same fireboxes (and serial numbers) in their account. This also allows you to see each other's support cases.
See our policy here:
(WatchGuard support requires all callers to be authorized)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g4ykSAA
Re: Why are my networks not segmented?
If you have policies with To: and/or From: Any-trusted or Any, those will potentially allow traffic between different firewall interfaces or VLANs.
Options include:
1) reviewing your policies which may allow these undesired connections from 1 firewall interface to another - and replacing Any-trusted or Any with a different From/To interface name or alias.
2) change the interface type from Trusted to something else, such as Optional or Custom on the the Point-Of-Sale interface AND make sure that traffic between your 2 interfaces is allowed as desired by new or modified policies
Re: loopback ip
Alternatively, use the set source IP in a policy specific to that RADIUS traffic to set the source IP as something you already have a tunnel for.
Re: loopback ip
You need to add the external IP addr of the firewall in your BOVPN setup.
Re: Minimum Version Req to upgrade to 12.11.6?
Thanks for the info. I just upgraded my M4600 from 12.3 to 12.11 and all is good.
Re: Using IKEv2 Mobile VPN on External IPv6 Interface
Hi @Olix
IPv6 isn't supported via the mobile VPNs at this time.
(IPv6 Support in Fireware)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/networksetup/ipv6_supported_features.html
There is an existing feature request for this. It is FBX-17525. If you'd like to follow this request, please open a support case and mention FBX-17525. The technician assigned to the case can set this up for you.
You can also make feature requests and vote on other requests in the Idea Portal inside WatchGuard Cloud. Just go to the Help (?) button in WatchGuard Cloud, and select Give Feedback.
Re: FireCluster - add second firebox
Hi @NexusTK
The best way to do this would be to use the existing gateway IP for that network as the cluster IP, and during the firecluster setup, choose IPs for both devices on the management network. This is how the setup would flow normally, so there isn't anything special you need to do.
If your can run your FireboxV for a bit while you cut over, I would suggest making a new configuration and building out a new set of policies. This gives you a chance to audit all of your firewall policies and remove old/defunct policies that aren't needed anymore.
Re: Automatic Certificate Renewal
Sounds like still need to get added to the ticket. Has anyone else come up with a plan for ACME setup between some sort of official support from WatchGuard?
