Best Of
Re: BOVPN problem between XTM 35 and Forti gate 60E
No log messages beyond the last one posted?
Consider opening a support incident on this.
Re: Allow SSLVPN-Users Policy - Security Issue?
If you have a proxy From: VPN user group, then that proxy will apply to the VPN traffic prior to the firewall forwarding it out an interface, such as to a LAN interface.
Re: Allow SSLVPN-Users Policy - Security Issue?
I already apply my proxies to my VPN traffic, but I am wondering if there is a way to filter the VPN traffic through GAV or whatever before it hits a LAN. I fear something on a home PC crawling up the VPN pipe.
Re: Allow SSLVPN-Users Policy - Security Issue?
It is the default behavior.
You can set this policy to Disabled and add any desired policies for SSLVPN-Users
Re: performance tuning for RDP over mobile user VPN
Try using UDP for SSLVPN instead of TCP
Re: vpn client software with windows 10
@WGM shrew can technically still work with windows 10. However, as they haven't updated their client in years, it's not something WatchGuard recommends. Both IKEv2 and L2TP use clients that are built into most operating systems.
VPN stability will be dependent on where your data is going, and what's between points A and B. I'd suggest setting up multiple options, and going with the one that performs best in your instance.
Re: vpn client software with windows 10
SSLVPN agent (installation required) works but is slow and not very stable (drops a lot), at least from Starbucks. IKEv2 VPN is faster and MUCH more stable, even from Starbucks. IKEv2 VPN is built into Windows 10.
I protect mine with two-factor authentication.
Re: blocking teamviewer
TeamViewer normally uses 5938 outbound and needs no open inbound ports, i.e., no SNAT to internal systems. It will try 443, too, if 5938 is not open. TV can be set to force UDP which can help with blocking. I don't allow UDP 443 outbound.
Assuming you do egress filtering, an outbound packet filter on a schedule may work, going from Any-Trusted (or a specific computer IP or range) on TCP & UDP ports 5938, set to Allow, and going To Any-External. You also could add an HTTPS proxy To the TeamViewer domains and allow on a schedule.
Maybe put policies above these that are Deny to the same things, on a schedule of time when you want to block.
Re: blocking teamviewer
I would set up a Custom Packet Filter for TCP & UDP port 5938.
Assuming that this in incoming connections from the Internet, you would need to set up a SNAT for this access, and than apply the SNAT in the From: field of the above policy.
You can then apply the desired Schedule on this policy.
TCP/UDP Port 5938
TeamViewer prefers to make outbound TCP and UDP connections over port 5938 – this is the primary port it uses, and TeamViewer performs best using this port. Your firewall should allow this at a minimum.
TCP Port 443
If TeamViewer can’t connect over port 5938, it will next try to connect over TCP port 443.
However, our mobile apps running on Android, iOS and Windows Mobile don't use port 443.
https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139
Re: Issue with SSLVPN 12.2 and latest Outlook Office 365
@Bruce_Briggs said:
Gregg - what issue are you having with a blank default gateway?
I also see a blank gateway IP addr in V12.5.1 U1, but I don't have any issues with my setting of all traffic going over SSLVPN.
Bruce,
The SSLVPN worked fine with everything except for Outlook 2016 connecting to Office 365 with multi-factor authentication and Modern Authentication enabled on the Office 365 tenant. The fix is the TAP adapter change of adding the gateway address to it. My SSLVPN subnet is 192.168.35.0, so the gateway manually added on the TAP adapter of the remote client is 192.168.35.1. That setup allows Outlook to connect. I never had the problem until I enabled MFA with Modern Authentication on my Office 365 tenant account.
Gregg