Best Of
Re: Image of SD-WAN
Hi @XYLITOL
Any policy that has SD-WAN action will show the SD-WAN action in the "SD-WAN" column of Policy Manager or WebUI. If you're looking for a way to identify if a policy has SD-WAN turned on, I'd suggest that column.
Re: configurare SD-WAN
@XYLITOL said:
How can I check if SD-WAN is working properly?
I checked the firewall policy to send logs but it did not show up in the traffic monitor.
For the policy that specifies the SD-WAN rule, make sure that logging is enabled for it - once done, all "allowed" traffic will also show up in the Traffic Monitor window and any related logs.
Re: configurare SD-WAN
For example - create 2 HTTPS policies - 1 for WAN 1, the other for WAN 2
On the policy for WAN 1 - you specify in the From and/or To fields the traffic that you want to use WAN 1. The To: field can include IP addresses, subnets and/or FQDNs.
The policy for WAN 2 needs to be below WAN 1, and the To: field can be Any-external, the From: field could be Any-trusted or whatever is appropriate.
And you need to create a SD-WAN action for WAN 1 primary with WAN 2 as secondary and apply that to the WAN 1 policy. And do similarly for the WAN 2 policy.
Review this to understand how FQDN works in a From: or To: field
About Policies by Domain Name (FQDN)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html
Note that many sites use CDN (Content Delivery Network) URLs etc., so you would need to also ferret out those and add them to the appropriate policy To: field.
Turning on Logging on the WAN2 policy may help you locate those initially.
Also an Internet search for domain names used by selected sites (e.g., YouTube) can help too.
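To show why the WAN 2 policy has to sit below the WAN 1 policy, here is an added toy first-match policy evaluator. It is a constructed example written for this page, not Fireware code and not the poster's: the policy names, the 10.0.0.0/24 trusted network, the 203.0.113.0/24 and example.com destinations, and the interface names WAN1/WAN2 are all assumptions. It walks the policy list top to bottom, returns the first policy that matches the flow, picks the SD-WAN primary interface unless it is marked down, and emits a Traffic Monitor style line only when logging is enabled on the matching policy.

```python
"""Toy first-match policy evaluator with an SD-WAN action (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_EXTERNAL = "Any-External"
ANY_TRUSTED = "Any-Trusted"
TRUSTED_NETS = [ip_network("10.0.0.0/24")]  # constructed trusted network


@dataclass
class SDWANAction:
    name: str
    primary: str    # interface used while it is up
    secondary: str  # failover interface


@dataclass
class Policy:
    name: str
    src: list                       # aliases or CIDR strings
    dst: list                       # aliases, CIDR strings or FQDNs
    port: int
    sdwan: Optional[SDWANAction] = None
    logging: bool = False


def _match_src(entry, src_ip):
    if entry == ANY_TRUSTED:
        return any(src_ip in n for n in TRUSTED_NETS)
    return src_ip in ip_network(entry)


def _match_dst(entry, dst_ip, dst_fqdn):
    if entry == ANY_EXTERNAL:
        return not any(dst_ip in n for n in TRUSTED_NETS)
    if "/" in entry or entry[0].isdigit():
        return dst_ip in ip_network(entry)
    # FQDN entry: matches the resolved name and its subdomains
    return dst_fqdn is not None and (dst_fqdn == entry or dst_fqdn.endswith("." + entry))


def evaluate(policies, src, dst, port, fqdn=None, wan_up=None):
    """Return (policy name, chosen interface, log line or None) for the first match."""
    wan_up = wan_up or {}           # interfaces missing from the map are assumed up
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for p in policies:
        if p.port != port:
            continue
        if not any(_match_src(e, src_ip) for e in p.src):
            continue
        if not any(_match_dst(e, dst_ip, fqdn) for e in p.dst):
            continue
        iface = None
        if p.sdwan:
            iface = p.sdwan.primary if wan_up.get(p.sdwan.primary, True) else p.sdwan.secondary
        log = f"Allow {src} {dst}:{port} policy={p.name} sdwan={iface}" if p.logging else None
        return p.name, iface, log
    return None, None, None


# Constructed policy list: specific WAN 1 policy first, catch-all WAN 2 policy below it
POLICIES = [
    Policy("HTTPS-WAN1", [ANY_TRUSTED], ["example.com", "203.0.113.0/24"], 443,
           SDWANAction("WAN1-then-WAN2", "WAN1", "WAN2")),
    Policy("HTTPS-WAN2", [ANY_TRUSTED], [ANY_EXTERNAL], 443,
           SDWANAction("WAN2-then-WAN1", "WAN2", "WAN1"), logging=True),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "10.0.0.5", "203.0.113.10", 443))
    print(evaluate(POLICIES, "10.0.0.5", "198.51.100.7", 443, fqdn="video.example.net"))
    # Reversed order: the Any-External policy swallows the WAN 1 traffic
    print(evaluate(POLICIES[::-1], "10.0.0.5", "203.0.113.10", 443))
```

Running it with the list reversed shows the failure the post warns about: the Any-External policy matches first and the WAN 1 destinations never reach their intended policy. The `wan_up` map lets you see the SD-WAN action fall back to the secondary interface when the primary is down.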
Re: Feature Request: User Access to Patch Status and Ability to Trigger Updates
Hello, San.
Please send an email with your request for enhancement, and client id to:
support@watchguard.com
Kind regards,
Re: Do I need a RADIUS server?
Hi @ChrisSnape
For SSLVPN on 12.10.x, you can set up the SSLVPN to use RADIUS or a built in AuthPoint connector.
You need a RADIUS server if you are using RADIUS to authenticate. This is usually Windows NPS, which is what actually verifies the user's password since AuthPoint can't do that itself for a Windows domain. The hashed password that is included with the RADIUS traffic is forwarded directly to the Windows NPS server to verify.
You do not need a RADIUS server if you are using the built in AuthPoint connector. AuthPoint will use the AuthPoint Gateway to verify the user's password with Active Directory.
If you are using SSLVPN, I would suggest using the built in AuthPoint connector. It'll allow you to offer several authentication methods (such as push or OTP) that are selectable by the user if you enable them, whereas RADIUS only allows you to offer one option.
If you would prefer to not connect your Firebox to the cloud (the Firebox can be connected to WatchGuard Cloud even if it is locally managed), you'll want to choose the RADIUS option, as the built-in AuthPoint connector uses that cloud connection to communicate with AuthPoint.
Re: Firebox cluster public IP
Yes.
For A/P, just one firewall is active and holds the external IP. This is done using VRRP.
Active/Passive Cluster ID and the Virtual MAC Address
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html
For A/A, multicast MAC addresses are used to share the interface IP addr.
Find the Multicast MAC Addresses for an Active/Active Cluster
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_view_multicast_mac.html
Also see:
Switch and Router Requirements for an Active/Active FireCluster
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_aa_multicast_wsm.html
Re: 2 watchguards on VLAN 1 but different network
Will your switch allow 2 different subnets to be defined as on the same VLAN?
On the firewall, a VLAN has a specific subnet defined to it.
If traffic comes in tagged for that VLAN but from a different subnet, I would expect those packets to be denied as spoofed source.
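As an added illustration of the spoofed-source expectation above (constructed example, not the poster's and not Fireware code), the function below applies the firewall's one-subnet-per-VLAN rule to a batch of tagged frames: a frame whose source address is outside the subnet configured for its VLAN tag is classified as spoofed, and a tag with no configured subnet is denied outright. The VLAN numbers and addresses are assumptions chosen for the example.

```python
"""Per-VLAN source-subnet (anti-spoof) check over constructed tagged frames."""
from ipaddress import ip_address, ip_network

# Constructed VLAN table: exactly one subnet per VLAN, as the firewall config defines it
VLAN_SUBNETS = {
    1: ip_network("192.168.1.0/24"),
    20: ip_network("192.168.20.0/24"),
}


def check_frame(vlan_id, src_ip):
    """Return 'allow', 'deny-spoofed' or 'deny-unknown-vlan' for one tagged frame."""
    net = VLAN_SUBNETS.get(vlan_id)
    if net is None:
        return "deny-unknown-vlan"
    return "allow" if ip_address(src_ip) in net else "deny-spoofed"


def audit(frames):
    """Classify (vlan_id, src_ip) tuples; return per-frame verdicts and verdict counts."""
    verdicts, counts = [], {}
    for vlan_id, src in frames:
        verdict = check_frame(vlan_id, src)
        verdicts.append((vlan_id, src, verdict))
        counts[verdict] = counts.get(verdict, 0) + 1
    return verdicts, counts


# Constructed frames: the second firewall's 192.168.50.0/24 network arriving tagged as VLAN 1
SAMPLE_FRAMES = [
    (1, "192.168.1.10"),
    (1, "192.168.50.7"),
    (20, "192.168.20.4"),
    (99, "10.9.9.9"),
]

if __name__ == "__main__":
    for vlan_id, src, verdict in audit(SAMPLE_FRAMES)[0]:
        print(f"vlan={vlan_id} src={src} -> {verdict}")
```

The second constructed frame is the situation in the question: a host from the other subnet sending on VLAN 1. The check denies it as spoofed, which is why two subnets on one VLAN need either a static route or a second IP on the hosts, as the following reply notes.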
Re: 2 watchguards on VLAN 1 but different network
It depends on the switch. Some may be perfectly ok with that, some may monitor traffic and refuse to pass it.
I would suggest for the sake of your sanity to put the networks onto separate VLANs if you can. The two networks won't be able to talk to each other (on the same VLAN) unless a static route is set up or machines on that specific network are multi-IPed.
Re: VPN SSL vs Bridge
Can the VPN client ping 172.16.111.254?
Add an Any packet filter on site B From: 172.16.113.0/24 to 172.16.111.0/24
Move this policy to the top of your policies list.
Turn on Logging on this policy.
Test access from the VPN client and see what shows up in site B Traffic Monitor