Best Of

Block download .ps1 files

Hi,
has anyone managed to block the download of .ps1 files using “pattern match” ?
With .exe I have succeeded using the string “%0x4d5a%*” but I can't find anything about how to find the relevant string for .ps1 files.

Thanks

Igor

1

Re: M4600 Arm LED red

Hi @markus93

If the reset procedure that Bruce suggested doesn't help, I'd suggest opening a support case.

If you have an RJ45 -> DB9 serial cable, you can plug in and look at the firewall's output via these settings:
Speed: 115200 baud
Data bits: 8
Stop bits: 1
Parity: None
Flow Control: None

If the firewall has an issue (like it won't boot) that may help identify it quickly.

james.carson

1

Re: Policy based routing

2 options:
1) for traffic allowed from a specific policy:
On an outgoing policy, on the Advanced tab, NAT section -> select "All traffic in this policy: and enter the external IP addr to be used

2) For all traffic from a specific IP addr:
You can add a Dynamic NAT entry -

From: the internal IP addr
To: the desired WAN addr
Set source IP: the public IP addr to be used

Bruce_Briggs

2

Re: Access Portal with Authpoint - returning to Login page

did you figure it out? I had same issue where the saml cert on firebox had renewed and i just uploaded the new one to the cloud config.

https://yourfirebox.domain/auth/saml (download cert here)
upload to the cert to saml resource associated in your watchguard cloud configuration.

John_Shawver

1

Re: AuthPoint MFA for Watchguard System manager and Policy Manager

Just to add - this is 100% coming. My insurance company is now forcing MFA for all network equipment on the network (inc network switch which have a GUI - you must enable MFA or remove from the network) I used to be able to place these appliances in a "admin" VLAN but from next year, this will no longer be an option to have cyber / business insurance coverage. Rules state that all equipment must have MFA / 2FA which access is via a GUI / management program.

Bluestone

1

Re: Logmein app control blocks gotowebinar

@phanaaekIT
I filed this under FBX-29846

james.carson

1

Re: multiple ssl vpn on a single machine

@Francesco
This likely will not work. Even if you use another OpenVPN client, the OpenVPN TAP may still conflict.

Consider setting up tunnel switching so that you can access both networks from one firewall's SSLVPN:

(Branch Office VPN Tunnel Switching)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/bovpn/manual/manual_bovpn_tunnel_switching_summary_wsm.html

james.carson

1

Re: IKE VPN with AuthPoint RADIUS in remote office.

If you are using BOVPN Vif configuration, try to configure in the branch office BOVPN Vif config a free IP address from your branch office network as a Virtual IP.

BOVPN Vif / VPN Routes / Assign virtual interface IP addresses config.

Firebox is now using this address when it is connecting to the remote radius server through the VPN tunnel. Configure also this virtual IP as the radius client in the NPS server.

Without this virtual IP config the firebox is using its external IP as the source IP when trying to connect to the radius server...

kimmo.pohjoisaho

1

Feature Request: Update SNMPv3 Encryption Algorithms (SHA256, AES128, AES256, etc.)

Dear Watchguard Support Team,

I would like to kindly request the opening of a feature request to update the encryption algorithms available for SNMPv3 on Watchguard devices, specifically to include modern standards such as SHA256, AES128, AES256, and similar options.

Background:
Currently, on a FireboxV running version 12.11.1 (Build B711554), the available options for SNMPv3 encryption are limited to the following:

Authentication Protocol:
- None
- MD5
- SHA
Encryption Protocol:
- None
- DES

These protocols no longer align with current security standards and are widely considered insecure. Additionally, the upcoming Zabbix cluster, based on AlmaLinux 9, no longer supports the DES protocol at all. According to the Red Hat Enterprise Linux 9 documentation (see: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_shells-and-command-line-tools_considerations-in-adopting-rhel-9#ref_changes-to-system-management_assembly_shells-and-command-line-tools), the DES algorithm has been removed from net-snmp communication in RHEL 9 due to its insecurity and lack of support in the OpenSSL library.

Impact:
Without updated encryption options, encrypted SNMPv3 monitoring will not be possible with the new Zabbix system unless the firewall is monitored via a proxy running AlmaLinux 8. This limitation could significantly affect secure network management moving forward.

Request:
Please consider adding support for modern encryption algorithms (e.g., SHA256, AES128, AES256) to SNMPv3 in future Watchguard firmware updates to ensure compatibility with current and future systems and to meet modern security standards.

Thank you for your attention to this matter. Please let me know if you need any further details to process this request.

Best regards,
Fabian Öttl

fabianoettl

1

Re: Mobile VPN ipsec on fireware 12.1.3 Firebox T30-W connection OK, but no network access.

Check your AD connection from the firewall.
Seems like it is being denied

Bruce_Briggs

1