Best Of
Re: Google login issue
You can set up email notifications for port scans, which could help get Google site access back quicker.
Re: Google login issue
Well, support suggested that it was our gateway AV reading packets that may have been causing the issue, and also suggested restarting the server if we hadn't already.
We messed with the gateway AV some, ultimately toggling off the "When a scan error occurs -> drop" setting. After this our issues seemingly vanished.
Until today, that is. Now, after this post, I am assuming it was not the Gateway AV change that solved our issue but the restart.
Re: Google login issue
For others, what did you change which did not end up helping at your site?
Google login issue
We are having an issue where users cannot log into Google, both personal and Workspace accounts. If I bypass the firewall, a user can connect. If I restart the firewall, users can connect again but by the next day the issue is back. We first had an issue with downloads from Google on the 23rd. The problem cleared up on its own, while I was troubleshooting the issue. I went ahead and updated the firewall to 12.11.8 anyways. Yesterday the login issue appeared. It doesn't matter what computer or browser we use. I've tried having the NAT connection go out of different IP addresses, I've tried switching from a proxy rule to just a packet filter rule.
Re: VoIP dropping calls (go silent on both ends, but still look connected)
No one uses SIP-ALG, no one. In general you need a packet filter for the needed ports to the IPs or FQDN of the IPT vendor (or system).
A common one...
TCP and UDP 5060-5069
UDP 10,000-30,000
UDP 5222
And depending on other things, well, other things. 80 and 443 are already handled in theory.
I also create an alias for my handsets (in general PolyCom) so that I can easily apply rules to the handsets on their subnet.
As a note - "Any" never seems to work. I have to create packet filters with the needed ports to the needed (external) IPs and things work very well. There are a few options for the handsets (option 150 or 66).
Re: LDAP Signing (Not LDAPS)
Hi @ChrisSnape
We don't support LDAP signing (SASL). You'll either need to use LDAPS, or disable signing in your group policy.
Setting:
Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Change - Network security: LDAP client encryption requirements: "Negotiate Sealing"
To - Network security: LDAP client encryption requirements: "None"
Re: upgraded ISP bandwidth, WiFi doesn't see the increase
Hi @bford
You'll see the best performance on 5GHz channels. Generally, 40- or 80-MHz channels perform better when the channel space is clear, and your devices support wide channels. If your air space is congested, sticking to 20MHz channels may be required.
-Your laptop will need to have a 2x2 radio for best performance.
-Your laptop will need to have a WiFi card that supports Wave 2 AC or better for best performance.
Based on the hardware specs you listed, the biggest impact would likely be increasing your channel width on 5GHz. Keep in mind that your other devices on that WiFi network will need to support this for the best performance.
From the hardware guide, the absolute max throughput for the AP325 is:
2.4GHz, 802.11b/g/n. Max datarate: 300Mbps
5GHz, 802.11a/n/ac. Max datarate: 876Mbps
Please keep in mind that this is the total throughput for the AP, not the throughput for a single client.
https://www.watchguard.com/help/docs/hardware guides/AP325_Hardware_Guide.pdf
Thank you,
Re: Detailed report for denied traffic
You can use Log Search for a specific source IP address AND denied.
Log Search (WatchGuard Cloud)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/reports/log_search_wgc.html
Review the WatchGuard Query Language section, which should help you set up the desired search.
Re: I need help regarding Firebox and regarding customer support
Hi @NicoWG
Your client can add you as a contact under their account so that you have access to the same fireboxes (and serial numbers) in their account. This also allows you to see each other's support cases.
See our policy here:
(WatchGuard support requires all callers to be authorized)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g4ykSAA
Re: Why are my networks not segmented?
If you have policies with To: and/or From: Any-trusted or Any, those will potentially allow traffic between different firewall interfaces or VLANs.
Options include:
1) reviewing your policies which may allow these undesired connections from 1 firewall interface to another - and replacing Any-trusted or Any with a different From/To interface name or alias.
2) changing the interface type from Trusted to something else, such as Optional or Custom, on the Point-Of-Sale interface AND making sure that traffic between your 2 interfaces is allowed as desired by new or modified policies.
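An added example, not from any of the posters and not WatchGuard's own code, that turns the advice in the VoIP post (specific destinations and ports rather than "Any") and in this segmentation post (Any-trusted/Any bridging interfaces) into a check you can run over a policy list before committing it. The alias table, interface names, policy names and port specs below are constructed for the demonstration; the alias-to-interface mapping is an assumption about how such aliases resolve and is not read from a real Firebox.

```python
"""Audit a constructed list of firewall policies for two review points:
"Any"/"Any-Trusted" endpoints that quietly bridge two interfaces, and
port specs that are not valid TCP/UDP ranges (0..65535)."""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    src: list      # "From" aliases
    dst: list      # "To" aliases
    proto: str
    ports: list    # port specs as typed: "5222", "5060-5069", "10,000-30,000"


# Constructed alias table (assumption for this example): which interfaces each
# alias resolves to. "Any-Trusted" covers every Trusted-type interface, so a
# Point-Of-Sale interface left as type Trusted is included in it.
ALIAS_MAP = {
    "Any": {"Trusted", "POS", "Optional", "External"},
    "Any-Trusted": {"Trusted", "POS"},
    "Any-External": {"External"},
    "Trusted": {"Trusted"},
    "POS": {"POS"},
    "VoIP-Handsets": {"Trusted"},   # hypothetical alias for handsets on the Trusted subnet
    "SIP-Provider": {"External"},   # hypothetical alias for the provider's IPs/FQDNs
}

# Constructed sample policies. "RTP" carries a range with one zero too many,
# which overruns 65535 and should be caught before it reaches the firewall.
SAMPLE_POLICIES = [
    Policy("Outgoing", ["Any-Trusted"], ["Any-External"], "TCP", ["80", "443"]),
    Policy("Internal-Any", ["Any-Trusted"], ["Any-Trusted"], "Any", ["0-65535"]),
    Policy("SIP-Signaling", ["VoIP-Handsets"], ["SIP-Provider"], "TCP/UDP", ["5060-5069"]),
    Policy("RTP", ["VoIP-Handsets"], ["SIP-Provider"], "UDP", ["10,000-30,0000"]),
    Policy("XMPP", ["VoIP-Handsets"], ["SIP-Provider"], "UDP", ["5222"]),
]


def parse_port_spec(spec):
    """Return (low, high) for a spec like '5222' or '10,000-30,000'.
    Raises ValueError unless 0 <= low <= high <= 65535."""
    cleaned = spec.replace(",", "").replace(" ", "")
    lo, _, hi = cleaned.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return low, high


def port_spec_is_valid(spec):
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def expand(alias, alias_map):
    """Interfaces an alias resolves to (case-insensitive); unknown aliases resolve to none."""
    lowered = {k.lower(): v for k, v in alias_map.items()}
    return lowered.get(alias.strip().lower(), set())


def allows_between(policy, iface_a, iface_b, alias_map):
    """True if the policy could pass traffic between the two interfaces in either direction."""
    srcs = set().union(*(expand(a, alias_map) for a in policy.src))
    dsts = set().union(*(expand(a, alias_map) for a in policy.dst))
    return (iface_a in srcs and iface_b in dsts) or (iface_b in srcs and iface_a in dsts)


def audit(policies, iface_a, iface_b, alias_map):
    """Return (policy name, finding) pairs that deserve a review."""
    findings = []
    for p in policies:
        if allows_between(p, iface_a, iface_b, alias_map):
            findings.append((p.name, f"bridges {iface_a}<->{iface_b}"))
        for spec in p.ports:
            if not port_spec_is_valid(spec):
                findings.append((p.name, f"bad port spec: {spec}"))
    return findings


if __name__ == "__main__":
    # Which policies let the general Trusted network reach the POS interface?
    for name, finding in audit(SAMPLE_POLICIES, "Trusted", "POS", ALIAS_MAP):
        print(f"{name}: {finding}")
```

Note that "Outgoing" uses Any-Trusted but is not reported, because its To side resolves only to External; the check flags a policy only when both ends of the pair are reachable through it, which is the question the segmentation post asks. Changing the POS interface type (option 2 above) corresponds here to removing "POS" from the Any-Trusted entry of the alias table and re-running the audit.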