Best Of

Re: SSL VPN and Outlook Trying to connect

Try V12.5.3 which is just out.

From the V12.5.3 Release Notes:
To make sure Office 365 traffic uses a full-tunnel SSL VPN, you can now enable the default-route-client CLI option. [FBX-16838]

Known Issue:
Office 365 fails for Mobile VPN with SSL users
https://watchguardsupport.secure.force.com/publicKB?type=Known Issues&SFDCID=kA10H000000g3SPSAY&lang=en_US

Tracking ID: FBX-16838
Status: Resolved
Resolved In: Fireware v12.5.3
Description

Users that connect to your network through Mobile VPN with SSL cannot connect to Office 365. This happens because the Mobile VPN with SSL TAP adapter does not set a default gateway when you connect to the VPN. Because Office365 cannot detect a gateway, Office 365 traffic does not go through the tunnel.
Workaround

To make sure that Office 365 traffic goes through the mobile VPN tunnel, use one of these options:

Enable the default-route-client option in the Fireware CLI (Fireware v12.5.3 or higher)
Manually configure a default gateway on the client
Use a different Fireware mobile VPN method

Option 1—Enable the default-route-client CLI Option (Windows only)

If you select the Force all client traffic through tunnel option in the Mobile VPN with SSL configuration, the Firebox pushes the routes 0.0.0.0/1 and 128.0.0.0/1 to the Windows computer. These routes are added instead of a more general route to avoid replacing existing routes.

In Fireware v12.5.3 or higher, you can enable the default-route-client option in the CLI. When you enable this option, the Firebox pushes the general route 0.0.0.0/0.0.0.0 to Windows computers, and the default gateway of the TAP interface on each Windows computer is set to the VPN gateway IP address. The default-route-client command affects only Windows computers. Computers with other operating systems do not receive the 0.0.0.0/0.0.0.0 route.

To enable this option, specify this command from the Firebox CLI:

WG(config/policy)#sslvpn resource default-route-client

To disable this option, specify this command from the Firebox CLI:

WG(config/policy)#no sslvpn resource default-route-client

By default, the default-route-client option is disabled.
Option 2—Manually Configure a Default Gateway on a Windows Client

From Control Panel, open Network and Internet > View network status and tasks > Change adapter settings.
Find the network adapter with TAP-Windows Adapter V9 in the description.
Right-click the network adapter and select Properties.
Double-click Internet Protocol Version 4 (TCP/IPv4). The properties dialog box appears.
Click Advanced. The Advanced TCP/IP Settings dialog box appears.
Below Default gateways, click Add.
In the Gateway text box, type the Firebox IP address for the virtual IP address range. This is typically the first usable IP address of the virtual pool.
Click Add.
On each open dialog box, click OK.

Option 3—Use a Different Mobile VPN Method

This issue affects only Mobile VPN with SSL. If you do not want to enable the CLI option or manually configure a gateway on the client, you can avoid this issue by using a different mobile VPN method. Fireware supports three other mobile VPN methods: Mobile VPN with IKEv2, Mobile VPN with L2TP, and Mobile VPN with IPSec.

Bruce_Briggs

Re: DHCP Relay on Fireware 12.5.4

https://watchguardsupport.secure.force.com/publicKB?type=Known Issues&SFDCID=kA10H000000bozFSAQ&lang=en_US

Stated Workaround
Disable DHCP relay on the Firebox. If no other DHCP relay server is available, you can set up a local DHCP scope on the affected Firebox interfaces.

Real workaround: downgrade to V12.5.3

Bruce_Briggs

Re: end/terminate active mobile vpn connection

Do note if the user connection has "Automatically reconnect" selected, then the client end will reconnect a new VPN session after you disconnect a VPN session.

Bruce_Briggs

Re: end/terminate active mobile vpn connection

Web UI -> System Status -> Authentication List -> LOG OFF USERS

WSM Firebox System Manager -> Authentication List -> Mobile VPN Users -> select the user -> Right click -> Log Off User

Bruce_Briggs

Re: Feature Request - More SSIDs Per Radio

Hi @jesseg
I've created a feature request for you -- that is AP-711.

If you'd like to follow progress on this request, please make a case in our support portal, and mention AP-711 -- the tech can set that up for you.

The next step is for it to be reviewed by our product managers, and accepted or rejected from there. (There could potentially be hardware limitations, or this could be rejected and made into several requests to cover specific changes that would need to be made, for example.)

Thank you,

James_Carson

Re: IKEv2 - unable to access internal resources and no internet - I can ping internal IPs

Q: How is it working for SSLVPN users?
A: no idea if SSLVPN is set up for routing. If it is set up for bridge, then the SSLVPN IP addrs would get whatever the bridge group is set up for, such as Trusted.

Bruce_Briggs

Re: IKEv2 - unable to access internal resources and no internet - I can ping internal IPs

SSO is only for internal users, not for VPN users.

Yes RADIUS will allow you to use AD users/groups for IKEv2 authentication.
From the docs:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_about_c.html

User Authentication

Mobile VPN with IKEv2 supports local authentication on the Firebox (Firebox-DB) and RADIUS authentication servers.

If your users authenticate to network resources with Active Directory, we recommend that you configure RADIUS authentication so the IKEv2 VPN can pass through Active Directory credentials.

For more information about authentication, see About Mobile VPN with IKEv2 User Authentication.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_user_auth.html

Bruce_Briggs

PM “Certificates do not conform to algorithm constraints”

Hi
I still use a couple of “end of life” X Edge firewalls at non critical sites.
After updating WSM from 12.5.1 to 12.6.1 I got the error “A connection could not be established to the Firebox. Failed to read servers response: Certificates do not conform to algorithm constraints.“ when trying to download/upload configurations.
I thought I’d share a solution if someone else run in to this issue.

Turned out the algorithms MD5 and MD5withRSA that these devices apparently use, is now deprecated and blocked.

If you can live with the security risks these algorithms has you can edit the file "C:\Program Files (x86)\Common Files\WatchGuard\java\jre11.0.4\conf\security\java.security"

Remove MD5 and MD5withRSA from the lines below and PM starts working again.

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL

You will get the error “An error occurred while refreshing ´Front Panel´: java.lang.reflect.InvocationTargetException on the Front Panel tab in WSM but at least you can change configuration.

This tip comes without support, responsibility and is implemented at your own risk

//Johan

JohanFaelth

Re: O365 Connection Connection through Firebox

If you select/open HTTPS-Client.Standard, you will see that Enable Predefined Content Inspection" is selected, which is the default.

Bruce_Briggs

Re: O365 Connection Connection through Firebox

Is your goal to access outlook.office365.com from you Outlook client?
If so, your Outlook client should be set up to use HTTPS for this access, and should work without needing to use a SMTP proxy firewall policy etc.

Bruce_Briggs