Best Of
Re: PureVPN Pup
Hello,
The PureVPN application is likely being blocked due to a false positive detection. I recommend opening a support case so that the false positive can be investigated and corrected. You may open a support case by using the 'Report a problem' link in the AD360 console. The link will also retrieve a PSInfo file from the computer with diagnostic information. The following page describes how to use the 'Report a problem' link.
https://www.pandasecurity.com/en/support/card?id=700000
Sincerely,
Juan Nakasone | Technical Support
WatchGuard Technologies, Inc. | www.watchguard.com
Re: HTTP/S Proxy Blocking Traffic that is not logged?
Solved. Creating the custom packet filter fixed the issue.
Thanks!

Re: Teltonika TRB140
Thank you for your help James.
I apologise for the delay with my response. The past three weeks have been a nightmare and now I have &^%&^$% COVID, so I am quarantined at home! Anyway, I had a whole afternoon of consciousness to work on this problem that crept up to #1 on the to-do list.
I dragged out an out of support T35-W NFR box (updated with 12.5.9 Update 2) and factory reset the box, and followed these steps:
1. Obtain the MAC address of a spare port (and not a PoE port - the Ethernet port supports a non-standard PoE and can self-destruct) on the Firebox. You also need to have one port set to the default 10.0.1.1 address so that you can connect via a PC and check that everything is working.
2. Set the Firebox port to Type External and DHCP - no other changes to the default except to give the port a name (e.g. External-4G) and a description.
3. Connect the USB cable from a PC to the TRB140.
4. Log into the TRB140 portal using the default settings.
5. On the TRB140, which was previously also factory reset, I set the timezone and changed the Mobile Mode to "Passthrough" and added the MAC address of the Firebox port obtained in step 1. Save these settings and wait for a minute or so.
6. Power down the TRB140 and remove the USB cable.
7. Connect a Cat6 cable from the Firebox port to the Ethernet port on the TRB140. Connect a PC to the LAN port on the Firebox, and leave the WAN port unconnected.
8. Switch on the TRB140 and wait about 5 minutes.
9. Switch on the Firebox and wait for it to boot.
10. From the PC log into the WebUI, traverse to Dashboard > Interfaces and you should see the External-4G port is now working with a populated IP address.
So why did it not work when I tried this weeks ago?
1. I attempted to do this in a production environment thinking that this will take 5 minutes - and broke one of my own golden rules. Even when I realised that two hours had passed, I did not fall back to basics.
The Firebox that was used for the original configuration attempt is one that sits in front of three other Fireboxes. The problem is that the second external port will not populate while the External link is up. I did think of this and pulled the External link late at night, but it still did not work.
That Firebox is also configured to autoblock IP addresses that generate unhandled external packets that try to do naughty things. I noticed, while watching the T35-W that the TRB140 sends a port 67 packet briefly and I suspect that the Firebox blocked the TRB140's traffic thereafter.
Anyway, it all works now and I have given myself the "slap of awareness".

Re: V12.8 issues - firewall hangs after 5 - 10 days
V12.8.1 resolves this issue.
Memory issues related to AV scans have been addressed which helps smaller memory firewall models.
Re: DDoS
And the issues are?
If your incoming bandwidth is near maxed out, then there is nothing that you can do other than to talk to your ISP about it - to see if there is anything that they can do to block some of the DDoS packets at their end.
Are your connection counts substantially higher than normal?
If so, and if you can find out what packet type(s) are being sent for the DDoS attack and you allow that packet type through your firewall, then you can set a fairly short custom timeout on TCP policies which are allowing these packet types. The default TCP timeout is 60 mins.
Re: Teltonika TRB140
@xxup
Without any other info to work on, my hunch is that the upstream device is shutting the connection down unless it sees something specific (perhaps an internet connectivity check from Windows, or a DNS query) and simply not bringing it back up until it sees that again.
If you're able to, I would suggest querying the manufacturer of that device and asking what specifically it's looking to see /if/ that is the case.
For example, when the firebox is controlling the 4G USB dongle, it will actually hang up the connection (or disconnect it) rather than leaving it on/open at all times. When the connection is needed, the firebox dials the connect command that's specified for that modem type to make the connection start. Since the TRB140 is doing all that transparently, it's likely waiting for something to happen to do that.
Once we know what it is, it should be trivial to make a PBR/SDWAN type rule to force what it's looking for out that connection to get it online.
Re: Mobile SSL VPN + NPS w/ Azure Extension + Azure MFA
We have this working on a number of clients. Push can work with the higher level of encryption (MS-CHAPv2); SMS and OTP need to be dropped down to PAP.
Azure NPS Extensions will take over your NPS, so you need an NPS server dedicated to Azure MFA. For example, if you have wireless 802.1X you will find that the NPS extensions will interfere and prevent your wireless clients from connecting due to "an error with a dll", meaning the Azure NPS extensions.
RADIUS Client: Add your firewall's IP address
RADIUS Secret: Common password between both.
Connection Request Policy:
- Conditions: Client IPv4 address of the Firewall
- Settings: RADIUS Attribute -> Filter-ID = The name of your SSL VPN users group, e.g. VPN-Access, VPN-Contractors etc.
Network Policies:
Conditions:
- Client IPv4 address of the Firewall
- User Groups: The domain-based security groups. The name should match the names from your WatchGuard.
Settings:
- Access Permission: Grant Access
- Authentication Method: Unencrypted (PAP,SPAP)
Finally, remember to review the setting under Change Log File Properties - "If logging fails, discard connection requests". By default this is enabled, and out of the box doesn't work properly. This can also cause logon issues that may not be obvious.
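To make the "PAP is unencrypted" point and the Filter-ID group mapping concrete, here is an added example that is not part of the post above and not WatchGuard's or Microsoft's code. It walks through one RADIUS (RFC 2865) exchange in Python: the NAS (the Firebox) hides the PAP password with the MD5/XOR scheme from RFC 2865 section 5.2, an NPS-like server recovers the password, checks it against a constructed user table, and returns an Access-Accept carrying Filter-Id = the group name, which the NAS verifies via the Response Authenticator. The shared secret, the user "alice", her password and the group "VPN-Access" are all constructed for the example; the only real secret in play is the RADIUS secret, and anyone holding it (or sniffing it) can reverse the password, which is why PAP needs an otherwise trusted path between firewall and NPS.

```python
"""Minimal RADIUS PAP exchange (RFC 2865) between a Firebox-style NAS and an
NPS-like server: shows the User-Password hiding, the Response Authenticator
check, and Filter-Id (attribute 11) carrying the VPN group name.
Example code, not part of the forum post or any vendor's implementation."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Constructed values for the example (not real credentials).
SECRET = b"shared-secret"                        # RADIUS secret on both sides
USERS = {"alice": ("Winter2024!", "VPN-Access")}  # name -> (password, group)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: c1 = p1 ^ MD5(S+RA), c2 = p2 ^ MD5(S+c1), ...
    Reversible by anyone who knows the secret: obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; this is what the NPS side does before checking."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute: Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def nas_access_request(secret, ident, user, password, nas_ip=b"\x0a\x00\x01\x01"):
    """Firebox side: fresh 16-byte Request Authenticator, hidden PAP password."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(secret, ra, password.encode())),
             (NAS_IP_ADDRESS, nas_ip)]
    return ra, build_packet(ACCESS_REQUEST, ident, ra, attrs)


def server_respond(secret, request, users):
    """NPS-like side: recover the password, grant, and stamp Filter-Id = group."""
    _code, ident, ra, attrs = parse_packet(request)
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(secret, ra, a.get(USER_PASSWORD, b""))
    entry = users.get(name)
    if entry and hmac.compare_digest(entry[0].encode(), pw):
        rcode, rattrs = ACCESS_ACCEPT, [(FILTER_ID, entry[1].encode())]
    else:
        rcode, rattrs = ACCESS_REJECT, []
    body = encode_attrs(rattrs)
    header = struct.pack("!BBH", rcode, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def nas_check_response(secret, request_auth, ident, response):
    """Firebox side: reject forged/mis-keyed replies, then read the group list."""
    code, rid, resp_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code == ACCESS_ACCEPT, [v.decode() for t, v in attrs if t == FILTER_ID]


def demo(user="alice", password="Winter2024!", server_secret=SECRET):
    """One full exchange; returns (granted, filter_id_groups)."""
    ra, req = nas_access_request(SECRET, 7, user, password)
    resp = server_respond(server_secret, req, USERS)
    return nas_check_response(SECRET, ra, 7, resp)


if __name__ == "__main__":
    print(demo())                    # (True, ['VPN-Access'])
    print(demo(password="wrong"))    # (False, [])
```

The group list returned by `nas_check_response` is what the Firebox matches against its own SSL VPN group names, which is why the post stresses that the Filter-ID value and the WatchGuard group name must agree exactly. Running `demo(server_secret=b"other")` shows the other failure mode from the post: with mismatched secrets the server recovers garbage and rejects, and the NAS then refuses the reply because the Response Authenticator does not verify.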
Re: Licensed vs un-licensed
No you normally can't.
There was a recent exception as a result of the Cyclops Blink exposure, where current firewall models could get upgraded even if there was no active support license.
"All active Standard and Gold Support subscriptions include phone and web-based support, software updates and enhancements, and advance hardware replacement (RMA)."
https://www.watchguard.com/wgrd-support/support-levels/terms-conditions
Without a support license, none of these are available for a firewall.
Re: Licensed vs un-licensed
No it shouldn't.
All functions which are not security add-on licenses should continue to work as before the expiration.
If you haven't done so already, you should upgrade them to the latest Fireware version available for each firewall.
Re: Dimension - Additional CPU / Memory
@richard_c Adding memory and CPUs can help with performance, but if you're logging many firewalls to one server I'd also suggest opening a case so that we can assist with tuning if just adding CPU/RAM isn't helping.