Best Of
Re: Setting up Logging to remote Dimension
That is all.
There is a predefined WG-Logging packet filter which you can use here.
Re: No internet on specific subnet 192.85.65.X
you need to add a new dynamic NAT config:
192.85.65.0/24 – Any External
Kimmo
Re: HTTPS Proxy - getting a lot of sites that we can't access because SSL cert is bad?
If you are using HTTPS with DPI enabled, that will have enough times to be really frustrating, but not enough times to stop using DPI.
What specific sites got blocked, and if it's a country you block with Geolocation, do you really care?
Gregg
Re: Seeking clarity on FireCluster management as well as the varieties of VPNs
Log into the WatchGuard support portal.
Then select My Watchguard.
You will find a number of options, including:
WatchGuard Cloud
Manage TDR
WatchGuard Cloud includes Authpoint and the Dimension like logging & reporting
"WatchGuard Cloud" is not necessarily an all inclusive location for "cloud" based WG offerings
Re: Seeking clarity on FireCluster management as well as the varieties of VPNs
Regarding the VPN (any type) and the Access Portal, it does seem that the Access Portal MAY be able to replace the need for a VPN. It's really going to depend on the Information Resources that the VPN is providing connectivity to (as the Access Portal OR Reverse Proxy) will need to take on that capability.
Re: Seeking clarity on FireCluster management as well as the varieties of VPNs
My primary comment is about split tunnel VPNs.
This is a potential significant security risk, and you should seriously consider not using split tunneling client VPNs.
You can find many discussions on the security issues related to this.
Here is one:
VPN Split tunnel pros and cons (especially for high bandwidth applications)
https://community.isc2.org/t5/Industry-News/VPN-Split-tunnel-pros-and-cons-especially-for-high-bandwidth/td-p/5471
Next, does your config use any of the proxy policies?
FTP, SMTP, HTTP, HTTPS are significant ones.
Implementing each requires some effort and periodic adjustment, but provide substantial security enhancement compared to using packet filters.
IKEv2 and IPSec are much faster than SSLVPN - higher throughput. They use hardware based encryption in the firewall hardware, whereas SSLVPN does not.
Dimension is a logging & reporting solution implemented on a VM. There is a Watchguard cloud version of this, but the historical records are currently maxed at 30 days (for free), and the reporting etc. is not currently as full functioned as Dimension.
There are Windows server based logging and reporting functions (WSM Server), but those seem to be no longer being enhanced - Dimension and the WG cloud logging & reporting seem to be the future.
I run Dimension and no longer use WSM Server logging & reporting, which I did use many years ago.
While I have access to the logging/reporting in WG cloud, I rarely go there since I use Dimension.
I will let others answer your other questions.
Still want to use DNS policies in my config
I can't use DNSWatch because want to use DNS proxy policies in my config to prevent certain DNS resolutions.
Please have DNSWatch processing be modified so that DNS policies can be processed before DNSWatch forwards packets to the DNSWatch servers.
Re: DNSWatchGO
Sorry for my delayed response here, I've had some issues with notifications and am just getting caught up!
We do not plan to include the DNSWatchGO service in any of the Firebox bundles. It is intended as an entirely standalone service that will eventually be bundled with other user based services.
Re: Want to configure different SSIDs on the same LAN/Subnet with different Webblocker profiles.
The real solution probably is to have different policies based on IP addrs or on user IDs.
If you have an AD domain, then you can implement SSO, and then use AD groups or AD user IDs on selected policies.
If you don't have an AD domain, you can set up DHCP leases for individual PCs so that you know the IP addrs of those PCs and then you can use the list of IP addr on policies. Creating an Alias which those IP addrs is one of the better ways to implement this
Re: Authentication on Radius dont accept quotation mark
Hi guys problem were fixed. AAAS-9068
