Best Of
Re: How to configure a Firebox Model T35 to open a port for an alarm system
You need to set up a SNAT and set up a custom packet filter for TCP port 7700.
If you are using the Web UI, you need to log in using the admin userid & password.
Select Firewall -> Firewall SNAT
Add, enter a name for this
Add
Select the public IP addr, type = Internal IP addr, & enter the private IP addr. You do not need to select either check box.
OK, SAVE
Select Firewall -> Firewall Policies
Add Policy
Select Custom, select ADD
Enter a name, then ADD
Select Single port, TCP, Server port = 7700.
OK, ADD Policy
From: - remove Any-trusted, Add Any-external, OK
To: - remove Any-external, Add - select Member Type = Static NAT, select the SNAT name that you created, OK
Save
How to configure a Firebox Model T35 to open a port for an alarm system
My IT guy left me and I need help configuring a policy. I have an alarm company installing an alarm system and I need to open a dedicated port from their public IP Address to the IP address assigned to their alarm system inside my network. I have almost no experience doing this and need help.
I have the public IP, subnet, and gateway of the alarm service.
I have the private internal IP of the alarm system, subnet, and gateway.
The port to open for them to communicate is 7700.
I know this is a basic configuration issue, but I have no idea where to start. I haven't done a firewall configuration in over 15 years. Does anyone have a step-by-step on how to do this configuration? Thank you in advance for your help!
Re: SSLVPN 12.11.4 Internet connection issues
There is now a public beta with an updated Mobile VPN with SSL Client for Windows and Firebox support for passwordless SAML authentication (Fireware v2025.1.3 and v12.11.5).
Re: preowned AP325 usable?
AP325 units are End of Life on 31 Dec 2026, so you should be able to get a support license for one.
The V12.11.4 Release Notes include this:
WatchGuard AP Firmware AP125, AP225W, AP325, AP327X, AP420: 11.0.0-36-4
so the AP325 units should be supported via the GWC.
Re: Mail when SSL failed login
The general process:
In WSM Firebox System Manager, you can select an already received log message ID, and set for notification when that ID happens again.
See the following:
Enable Notification for Specific Messages
www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/enable_notification_messages_wsm.html
You can look up Log message IDs in the WatchGuard Log Catalog:
https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/12_11_Log-Catalog.pdf
Note that the Log message IDs in the WatchGuard Log Catalog omit the dash from the middle of the log message ID as shown in Traffic Monitor.
A quick search of the WatchGuard Log Catalog shows:
25000000 VPN / SSLVPN User login
25000001 VPN / SSLVPN User log off
I'm sure you can find the log message for a failed login from Traffic Monitor, but it may be also used for other types of failed logins.
The WatchGuard Log Catalog will show the uses for the log message ID that you find.
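The dash difference described in the post above, as an added example that is not part of the original post or WatchGuard's own code: it converts log message IDs between the Traffic Monitor and Log Catalog forms and sorts saved log lines into IDs already identified and IDs still to look up. The `msg_id="XXXX-XXXX"` field layout is an assumption, and the sample lines, their message text and the `FFFF-0001` ID are constructed placeholders.

```python
import re
from collections import Counter

# The two catalog entries quoted in the post above (Log Catalog form, no dash).
CATALOG = {
    "25000000": "VPN / SSLVPN User login",
    "25000001": "VPN / SSLVPN User log off",
}

# Assumption: Traffic Monitor lines carry the ID as msg_id="XXXX-XXXX".
MSG_ID = re.compile(r'msg_id="([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"')


def to_catalog_id(tm_id):
    """Traffic Monitor form (2500-0000) -> Log Catalog form (25000000)."""
    return tm_id.replace("-", "").upper()


def to_traffic_monitor_id(catalog_id):
    """Log Catalog form (25000000) -> Traffic Monitor form (2500-0000)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", catalog_id):
        raise ValueError(f"not an 8-digit log message ID: {catalog_id!r}")
    return f"{catalog_id[:4]}-{catalog_id[4:]}".upper()


def summarize(lines, catalog=CATALOG):
    """Count events per catalog ID; return (known, unknown) Counters."""
    known, unknown = Counter(), Counter()
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue  # line carries no message ID
        cid = to_catalog_id(m.group(1))
        (known if cid in catalog else unknown)[cid] += 1
    return known, unknown


# Constructed sample lines; message text and the FFFF-0001 ID are placeholders.
SAMPLE = [
    '2025-01-01 09:00:01 sslvpn constructed login message msg_id="2500-0000"',
    '2025-01-01 09:30:12 sslvpn constructed logoff message msg_id="2500-0001"',
    '2025-01-01 09:31:40 constructed message to look up msg_id="FFFF-0001"',
    '2025-01-01 09:32:00 constructed line with no message id',
]

if __name__ == "__main__":
    known, unknown = summarize(SAMPLE)
    for cid, n in known.items():
        print(to_traffic_monitor_id(cid), CATALOG[cid], n)
    for cid, n in unknown.items():
        print(to_traffic_monitor_id(cid), "look up in the Log Catalog", n)
```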
Re: Mobile SSL VPN - Recent Issues
There is now a public beta with an updated Mobile VPN with SSL Client for Windows and Firebox support for passwordless SAML authentication (Fireware v2025.1.3 and v12.11.5).
Re: How to change the external config to work with the new router?
Hi @eddiebaker
The firebox is the router. Putting the ISP's router in front of the Firebox may cause issues with any VPNs or Static NAT (port forward) rules you have set up, as the ISP's router will not forward those to the Firebox.
I would suggest asking your ISP for your PPPoE credentials and setting the firewall's external interface to use PPPoE.
You can see the steps here in our help article on how to set up a PPPoE interface in the WebUI or using WatchGuard System Manager's policy manager:
(Configure an External Interface)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/networksetup/ext_interface_about_c.html
It's also worth noting that the Firebox T30 has been end-of-life since June 30, 2023. This Firebox has not received any patches for discovered security vulnerabilities since June 2023. I would suggest considering replacing the T30 with a newer model that is still supported.
Thanks for your suggestion. I got it.
Re: VPN Problems with new WG T-Models and Fireware 2025.1.2
@Vuurdoos The command diagnose vpn "/ike/param/set xdo_max_bovpn 0 action now" tells the firebox to disable inline crypto mode. The command does not decrease or disable any BOVPN tunnels on the firebox. Just how they're processed.
Re: VPN Problems with new WG T-Models and Fireware 2025.1.2
We have two ordered T145's here at HQ that need to go to customers with BOVPN tunnels. After reading this topic, we'll postpone rollout until there is clarity in this issue.
Re: SSLVPN 12.11.4 Internet connection issues
I'm seeing users experiencing this now too. When are we going to get an updated client??

