Best Of
Re: EDR core - Network Access Enforcement requirements.
Hi Norman,
There are a few reasons network access enforcement may fail. By far the most common I run into is due to missing the host sensor component on the workstation.
If you're running into an issue with this, I'd suggest opening a support case via the support center button at the top right of this page. One of our team will be able to help look at logs and provide a better explanation of what's happening based on them.
Re: Feature Request - Retrieval of ThreatSync Status of Devices
The Cookie requirements for the Resources / Idea Portal et al, are listed here:
Submit feedback and feature requests through the WatchGuard Idea Portal
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA1Vr000000EgnNKAS&lang=en_US
Re: Access to external Website with outgoing static IP from company
@VGBH
A reverse proxy action in the access portal can work in that situation, but you'll need to ensure that users can access the site via both the URL configured in the access portal and the actual URL. This generally requires that you have control over the site's DNS.
If the external site isn't yours, one of the VPNs will be the best way to accomplish this.
Re: OpenVPN for MacOS Tahoe
Thank you @james.carson. We have updated our Fireboxes to the latest firmware and should be able to use the latest SSL client for Mac. Will try it out and report back to close out this thread.
Re: Access to external Website with outgoing static IP from company
@VGBH
You can add a single IP as a /32
The reverse proxy could potentially work, provided the website is compatible with it.
Re: block rule not working as expected
There is a hidden default policy allowing IPSec, which is prior to your block policy.
Review this:
Configure Inbound IPSec Pass-through with SNAT
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/ipsec_pass-through_c.html
Re: Entra SAML and Security Group Information
Thanks, I was able to identify and correct the issue by inspecting that file in the Diagnostic Logs!
Re: BOVPN to Fortigate
Hi @Francesco
1:1 NAT will mean the distant end will attempt to contact you via the NATed address, and the firewall will translate the NATed address to the real one.
The first address is available for use since there isn't a network ID/gateway in this scenario.
I'd suggest opening a support case. Our techs can help determine if that traffic is even reaching your firewall. If you'd prefer to troubleshoot yourself, having the distant end send pings is usually the best way, since there does not need to be a TCP connection in order for the ping to traverse (meaning you'll see log lines in your traffic monitor if logging is enabled for your bovpn allow.in policy).
Re: Hit by CVE-2025-14733
Hi @offbyone
If the firewall is passing the integrity check on bootup, or when you check via WebUI, the current install on the firewall should be good.
See:
(System Integrity Checks)
https://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/system_status/stats_diagnostics_integrity_checks.html
If you are concerned that the system may have been compromised, you can use recovery mode to overwrite the firmware on the firewall:
See:
(Use Recovery Mode)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/other/QSW_recovery_mode_wsm.html
Note: Recovery mode will completely erase everything on your firewall, and it will boot up as if it were powered on for the first time. Any self-signed certificates will be erased and regenerated, and any user-imported certificates will be wiped.