Best Of
Re: WatchGuard Firebox Link Monitor Issue with 8.8.8.8
DNS servers don't guarantee they will respond to pings. There have been instances where 8.8.8.8 has specifically stopped responding to pings before.
Global DNS servers (like 8.8.8.8) are actually groups of load balanced servers -- a different one may have been replying to you or unreachable.
Re: How to Configure SD-WAN to Ensure All Phone System Traffic Uses the Same External Interface?
SD-WAN is much more powerful and flexible than your previous method, but is a little more difficult for simple implementations such as yours.
Re: ikev2 mobile VPN stopped working - certificate expired on live logs
I really appreciate it! Same thing for me, VPN users could no longer connect, same messages in the log. I used PuTTY and signed into the WatchGuard as admin, did the same:
diagnose vpn "/ike/restart"
And everything worked like a charm right off the bat, this was after rebooting, updating firmware, re-importing certificates on a client, then I stumbled across this discussion.
February 26, 2025 - Worked perfectly!
Re: Branch Office filter traffic by MAC
- Use DHCP & limit the DHCP pool to the max connected devices at that site.
- Use static IP addrs
In either case, only allow known IP addrs from the remote site via policies
Re: Branch Office filter traffic by MAC
Given the concern is for the remote site physical network access, that's where I would start - if it's that big a concern, you'd have to go down the path of MAC address filtering at the switch level, which has its own limitations as well
(eg. if you use a dock that has an Ethernet port, some docks don't do MAC address passthrough so every device plugged into that same dock shows up as the same MAC address...).
MAC addresses don't traverse VPN tunnels, so you wouldn't be able to use any firewall in that regard.
If the branch office only has the T25, then it comes down to physical security (ie. make sure it's in a locked cabinet etc).
Re: Site to Site VPN between Ubiquiti and WatchGuard IKEv2 "No Proposal Chosen"
Hi @kiffin
There's a number of encryption/authentication schemes in both IKEv1 and IKEv2. It's very likely that the Ubiquiti side is changing another setting when you move to IKEv2. The settings for both Phase 1 and Phase 2 must match.
The Ubiquiti is responding back to the WatchGuard that it doesn't like something in the proposal -- I'd suggest checking the logs on the Ubiquiti side -- it should be outputting what proposal it is getting, and potentially what it wants. If the settings match between the two sides, the tunnel should come up.
Re: Product Enhancement - Locked Token Notifications
Hi @bmccorkle
I created a feature request for this - it is AAAS-25745. Please open a support case and mention AAAS-25745 if you'd like to track it.
Re: Mobile VPN with SSL: 403 Forbidden error
I think this issue is still not resolved - in the logs I am getting the following and we have v12.11.1 installed and rebooted
2025-02-19 16:04:30 M2-ORIGINAL-PASSIVE wrapper nginx: 2025/02/19 16:04:30 [error] 4910#0: *58980 directory index of "/usr/share/web/none/" is forbidden, client: xxxxxxxxxxx server: Debug
Re: Mobile VPN with SSL: 403 Forbidden error
Hi @Gee,
I'd suggest opening a support case via the support center button at the top right of the page.
Re: How to configure XTM515 interface from bridge to bridge mode or other way?
If you don't need any of the features not available in Bridge Mode, then that will presumably have somewhat lower overhead, and will not cause possible double NAT from the firewall and the Omada router.
Best to make this change using WSM Policy Manager, as you can make multiple changes prior to uploading the final config to the firewall, and you can easily save the old config back should there be issues with your changes.