Best Of
Re: recycle old fireboxes - X750e and XTM515
Sorry - the reset for the X750e came from WG AI. I stupidly believed that it gave the correct answer, and I did not verify it before posting it.
Since the X750e is a LCD model, you need to run in Safe Mode, and then run the Quick Setup Wizard to install a default config.
Safe mode allows you to run the Quick Setup Wizard only.
Safe mode does not remove the current config or license key from the firewall.
Re: recycle old fireboxes - X750e and XTM515
To reset the WatchGuard X750e to factory-default settings, follow these steps:
1. Power Off the Device: Ensure the X750e is turned off.
2. Locate the Reset Button: Find the reset button on the back of the device.
3. Press and Hold the Reset Button: Press and hold the reset button for at least 11 seconds.
4. Release the Button: After holding for 11 seconds, release the button.
5. Observe the LEDs: The LEDs will turn off for a few seconds and then turn solid orange or red, indicating the device is resetting.
6. Reboot to Factory-Default Settings: The device will reboot to factory-default settings.
For the XTM 515 - you can't easily
You need to run in Safe Mode, and then run the Quick Setup Wizard to install a default config.
From the Hardware Guide page 8:
https://www.boc.de/pub/media/documents/xtm525/25_Hardware-Guide-WatchGuard-XTM-515-525-535-545.pdf?srsltid=AfmBOorwqVjr6-5UoVafr2xQQhv60ZUiG43QpfH_yGuekCFf9_KXf0y2
Safe Mode
In safe mode, you can get access to an XTM 5 Series device when normal access to the device is lost.
You can also use safe mode to reset device passphrases when you do not know or have forgotten them. To recover the device while started from safe mode, you must use the WSM Quick Setup Wizard or the Web Setup Wizard.
You must put the XTM 5 Series device in safe mode to use the setup wizards. In safe mode, the device runs Fireware XTM and is configured with factory-default IP addresses. When you put the device in safe mode, the license files and certificates are saved. You can then use the saved files if you reconfigure a device with one of the setup wizards.
To put an XTM 5 Series device into safe mode, press and hold the down arrow button on the device front panel when you power on the device. Hold down the button until “Safe Mode Starting” appears on the LCD screen. When the device is in safe mode, the model number followed by the word “Safe” appears on the LCD screen and the factory default IP address for Eth1 is 10.0.1.1/24.
Re: Client can't connect from one site with Public-WiFi but can from others
You can have multiple client VPN types enabled on your firewall and on client PCs.
I have SSLVPN, IKEv2 & (the old) IPSec set up on my firewall and have the clients set up on my laptop. I can use the one I want.
Re: are there plans for wireguard protocol for muvpn ?
See this:
WireGuard vpn
https://community.watchguard.com/watchguard-community/discussion/comment/17893#Comment_17893
Re: WireGuard vpn
Hi @rgloor @Norman
While you're welcome to add your voices here, I'd suggest creating a support case (mention FBX-19543 somewhere in the case) and the tech assigned the case can set it up to watch that request for you.
The project management team uses cases open under specific requests as a metric to see how much interest there is in a specific feature.
Re: Google login issue
I've found in the past that QUIC through the firewalls caused all sorts of issues with our Google Workspace. I have a custom policy defined for UDP 80 and UDP 443, which is used to block QUIC access from the internal and optional networks out to the external interfaces. This rule has been in place since around 2015 and we have not had any further Workspace issues caused by the firewalls.
Re: Missing feature keys
Include pics of the model & serial numbers of your firewalls.
Ask to have these devices registered to your account.
You should get Feature Keys as a result of this process.
How to inject "classic" IPSec VPN routes into OSPF
Apologies if this is already a well known thing, but I failed to find info about it when I was researching it.
I was looking at how a firebox could inject "classic" IPSec routes into OSPF, so that the rest of our network could use the routes, rather than having to declare them as static routes on internal routers behind the firebox. This is easy for BOVPN virtual interfaces, but appears not to be a supported option for "classic" VPNs, as the remote end of the VPN isn't seen as a connected network for inclusion in the OSPF calculations.
The Status Report section of System Manager shows the network at the far end of the VPN in the "Run-time IPSec Routes" section, with the "Out Interface" being the physical interface of the external connection.
Static routes on the firebox can be injected into the OSPF table using the "redistribute static" command in the OSPF configuration.
On the firebox, I configured a static route to the far end of the VPN via the default gateway of the external interface. This did not affect the routing down the VPN within the firebox, and the traffic for the remote end of the VPN continued being sent down the IPSec tunnel.
The result is a static route to the VPN destination that can be injected into OSPF which doesn't affect how the Firebox handles the VPN traffic. (I used a route map to control which static routes get redistributed, but this isn't necessary if all your static routes should be injected into OSPF.)
The internal routers now see the "classic" VPN destinations in the OSPF tables and there is no longer the need to configure the static routes within the internal network. The route seen in OSPF isn't via the external default gateway, but via the firebox itself. (The routes you see on the routers connected to the firebox will show via the firebox, and for the routers behind the routers connected to the firebox, you will see the route via the connected router, etc.)
How useful this is depends on your network, but for ours, this ability to have the routes in the OSPF tables has been extremely helpful.
Hopefully this info will be useful for someone else.
James
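The OSPF side of the procedure James describes, written out as an added example (not the poster's own configuration). It assumes the Firebox dynamic routing box accepts Quagga-style syntax, an internal network of 10.0.1.0/24 in area 0, and a remote "classic" VPN network of 192.168.100.0/24 for which a static route via the external gateway has already been added in Policy Manager; the route map restricts redistribution to that prefix so other static routes (a default route, for instance) are not leaked into OSPF.

```text
! Prefix list naming only the far-end VPN network(s) that should be advertised.
! 192.168.100.0/24 is a constructed sample value; replace with your remote subnet.
ip prefix-list VPN-REMOTE seq 10 permit 192.168.100.0/24
!
! Route map: permit static routes matching the prefix list, deny everything else.
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list VPN-REMOTE
!
route-map STATIC-TO-OSPF deny 20
!
router ospf
 ! Router ID and internal interface network are assumptions for this example.
 ospf router-id 10.0.1.1
 network 10.0.1.0/24 area 0.0.0.0
 ! Only the static routes the route map permits are injected into OSPF.
 redistribute static route-map STATIC-TO-OSPF
```

Internal routers should then learn 192.168.100.0/24 with the Firebox as next hop, while the Firebox itself continues to send that traffic down the IPSec tunnel; confirm this in the "Run-time IPSec Routes" section of the Status Report after applying the change.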
Re: Google login issue
You can set up email notifications for port scans, which could help get Google site access back quicker.