Best Of
Re: block rule not working as expected
There is a hidden default policy allowing IPSec, which is prior to your block policy.
Review this:
Configure Inbound IPSec Pass-through with SNAT
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/ipsec_pass-through_c.html
Re: Entra SAML and Security Group Information
Thanks, I was able to identify and correct the issue by inspecting that file in the Diagnostic Logs!
Re: BOVPN to Fortigate
Hi @Francesco
1:1 NAT will mean the distant end will attempt to contact you via the NATed address, and the firewall will translate the NATed address to the real one.
The first address is available for use since there isn't a network ID/gateway in this scenario.
I'd suggest opening a support case. Our techs can help determine if that traffic is even reaching your firewall. If you'd prefer to troubleshoot yourself, having the distant end send pings is usually the best way, since there does not need to be a TCP connection in order for the ping to traverse (meaning you'll see log lines in your traffic monitor if logging is enabled for your bovpn allow.in policy).
Re: Hit by CVE-2025-14733
Hi @offbyone
If the firewall is passing the integrity check on bootup, or when you check via WebUI, the current install on the firewall should be good.
See:
(System Integrity Checks)
https://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/system_status/stats_diagnostics_integrity_checks.html
If you are concerned that the system may have been compromised, you can use recovery mode to overwrite the firmware on the firewall:
See:
(Use Recovery Mode)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/other/QSW_recovery_mode_wsm.html
Note: Recovery mode will completely erase everything on your firewall, and it will boot up as if it were powered on for the first time. Any self-signed certificates will be erased and regenerated, and any user-imported certificates will be wiped.
Re: Remote management via WSM
Depends on what your Firebox policy looks like. Do you see any deny logs for that traffic when you attempt to access via those other IPs?
Mobile VPN with SSL ver 12.11.5 not asking for MFA anymore
We updated the Mobile VPN with SSL client from v12.11.2 to v12.11.5. After the update, users can establish a VPN connection using only a username and password. With v12.11.2, MFA was also required. No changes were made on the Firebox.
Re: WSM in RDP
Hi @Francesco
I tried accessing the WSM 2025.1.3 app on a Win11 PC across an RDP session. I was able to launch the app, log into a firewall, and edit policies as expected.
If you're seeing a blank tile when you try to launch it, the shortcut may not have been updated. Perhaps try reinstalling the WSM application. If you're still running into this issue I'd suggest opening a support case via the support center link at the top right of this page.
Re: Remote management via WSM
My best guess is that you have a higher priority policy for 1 of the 3 ports used for WSM access: TCP ports 4105, 4117, and 4118.