Best Of
Re: Traffic Management Limitations
@JohnS I've seen customers with well over 500 rules on small devices. There is a ceiling to how many policies you can have, but it has to do with the amount of memory available on the device, not the number of policies.
For example, if you load each policy with a server load balancing policy that sources from an extensive list of FQDNs, you'd probably max out at around 50.
(When customers find that limit, they're almost always asking more of their firewall than it's capable of, and it's almost always on the smallest devices we sell. The M4800 should reasonably be capable of handling thousands of complex policies if needed.)
Re: Traffic Management Limitations
Not a problem for you.
I have over 100 policies on a T20.
Re: Allocate AP to different subscriber
I "think" the AP retains whatever config it was running, in that reallocation does not reset it, but your control/visibility over that configuration is lost until you do the Add AP steps, which is what starts the config. With regards to AP sites, you might then have to Add AP and then use the Add to Site option in the early stage of setting it back up.

Re: Traffic Management Limitations
Hi @JohnS
For traffic management policies per IP you are correct. There is a limit per policy.
There are a few ways around this:
- Making rules by subnet (works best with /23s and /24s because of the per-IP limitation)
- Using user groups instead of IPs to implement the policy.
See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_quick_start.html
Re: Deploy VPN client with intune: installation failed when wgsslvpnsrc.exe is running
This method would kill a VPN in use. Users may not like that. Instead, for an Intune install, I use the requirements section to run a PowerShell and only succeed if the process is not running. It will then update when the user is back in the office and not using the VPN, so no interruptions and happy users.
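As an added example (not the poster's own script), a PowerShell requirement script that implements the check described above. It assumes the client process is named wgsslvpnsrc.exe (taken from the thread title) and that the Intune Win32 app requirement rule is configured with output data type String, operator Equals and value NotRunning:

```powershell
# Intune Win32 app requirement script: only let the WatchGuard SSL VPN client
# package install when the VPN client process is not running, so an active
# tunnel is never killed by the installer.
#
# Assumption: the client process is wgsslvpnsrc.exe (from the thread title).
# Assumption: the requirement rule compares the script's STDOUT as a String
#             (Equals "NotRunning"); Intune only evaluates the output when the
#             script exits with code 0.

$processName = 'wgsslvpnsrc'   # Get-Process takes the name without the .exe suffix

# -ErrorAction SilentlyContinue returns $null instead of throwing when no
# process with that name exists.
$vpnClient = Get-Process -Name $processName -ErrorAction SilentlyContinue

if ($null -eq $vpnClient) {
    # Client idle: satisfy the requirement so the install proceeds now.
    Write-Output 'NotRunning'
} else {
    # Client running (possibly an active tunnel): fail the requirement so
    # Intune retries at a later check-in instead of interrupting the user.
    Write-Output 'Running'
}

exit 0
```

Because the requirement is re-evaluated on each Intune check-in, the package installs automatically the next time the device is seen with the client closed.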
Re: Mobile VPN with SSL certificates expired
@Bruce_Briggs said:
Delete the old expired cert & reboot your firewall.
A new one should be generated.
Thank you very much: it works fine after the delete & reboot, as you suggested to me.
Thanks again!
Ciao
Re: Video freezes in Teams and Google Meets
Hi @D4rkSeven
It looks like a TCP/UDP proxy is unable to write that specific traffic to the proxy. Considering the source port is 59418 and the destination port is 3478, a TCP-UDP proxy is likely the type of policy this traffic is being sent via.
Is there a reason you are proxying this traffic? Does this traffic work if you create a packet filter to allow it?
I'd suggest opening a support case so that our team can get more details and help find a solution.
Re: SSO Authentication Gateway - Error UPN not valid
Hello,
I haven’t had the chance to properly revisit the issue yet. However, after posting my message, I did try to better understand the problem and attempted a few fixes.
As I had to prepare a demonstration, I had to find a quick solution without really having the time to identify the root cause. Since my project focuses on securing a network infrastructure, I decided to create a dedicated virtual machine for WatchGuard SSO. I also installed a RADIUS server on it, as I needed one for the setup.
I chose not to use my DCs for this, mainly due to security considerations related to the project. That said, I believe the issue likely stems from domain security policies that might be blocking certain types of traffic. I’ve implemented several hardening measures on my Active Directory domain, which probably doesn’t help in this case.
Unfortunately, I haven’t had the time to investigate further, but I hope this information can still be helpful.
Re: Using Ubiquiti Cloud Gateways with L2 Fiber Connection to bridge to internet
Thanks, James. Unfortunately I do not think the Ubiquiti device is that sophisticated, but I will check with their support as well. I inherited this from the previous IT folks, who are all gone now. I would have much rather had a full single-vendor stack. I do have public IPs available, but they also set it up to use the FW as a router instead of just a FW. So, there is no dynamic routing taking place anywhere on the network.
Re: whitelisting a domain
If that site is being inspected, then it could be that something (a header etc.) is being stripped, which is annoying the software package.
Try adding an HTTPS filter for access to the site & turn on logging on it so that you can see it in Traffic Monitor and find it in the logs.