Best Of
Re: Whitelist an external MAC address
You can't.
You can set up a Blocked Sites Exception for an IP addr.
Re: Vigor to Firebox vpn
-Endpoint 1 - Received 'main mode' exchange type. Expecting aggressive mode.
This says that the other end (Vigor) is expecting your end to be Main mode not aggressive in Phase 1.
-No matching tunnel route for peer proposed local:192.168.0.0/24
This suggests that your Tunnel settings do not match what is set up on the Vigor.
Re: Allow BOVPN Failover (aka IKEv2 Multi-Peering) with Third Party Gateways
Define multiple gateway endpoints when creating your VPNs. The firewall will try them one at a time in order. If the first does not respond (e.g., the internet is down on that circuit) it will go on to the next one. When the SA expires, it will start this process over again.
See:
(Configure Manual BOVPN Gateways)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/gateways_config_c.html
Re: FIDO2 support
@KAndersson I'll pass your request on to the product managers.
There is an existing feature request, and that is AAAS-12937. If you'd like to follow that request, please create a support case and mention AAAS-12937 in the case.
Re: Feature Request - Allow Policy Manager to groups several policies or separator line
In WSM Policy Manager, there is an Edit -> Find option, which allows one to search policies for:
Address (IP, Network, User, Alias, FQDN, etc.), Port number, Protocol, Tag
This is in addition to being able to sort on the columns, such as Protocol, Policy Name, From, To, Port, etc.
Re: Mobile SSL VPN + NPS w/ Azure Extension + Azure MFA
I got this working on my end without much effort. A few notes:
1 - Don't deploy on an existing NPS implementation as the Azure EPS extension will 'break' the local NPS.
2 - Configure as you normally would based on the WatchGuard documentation. https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZlhSAG&type=KBArticle
3 - Make sure AD is syncing to Azure.
4 - Make sure users have licensing for MFA.
Basically, RADIUS does the same checks to validate as usual, but then sends the request to Azure for the MFA portion. There isn't anything to configure for that action.
Re: Routing traffic on Multi-wan by source network
Sure.
The key is specifying a SD-WAN action on a policy, which could be for a single IP addr
Re: Feature Request - Allow Policy Manager to groups several policies or separator line
Hi @Infra
If you are in manual order mode, and if you create a policy to/from "firebox" you can use the policy name to make note lines, if that is helpful for you.
You can also use policy highlighting to color code your rules if that helps you organize
Re: Feature Request - Allow Policy Manager to groups several policies or separator line
Review this, which may address your needs:
About Policy Tags and Filters
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policy_tags-filters_c.html
Re: Disable TCP SYN checking Cloud Managed
@GeorgeWillow Yes. Create a support case and mention FCCM-4622 in the case, and that you'd like to follow that feature request. The technician that is assigned the case can set it up to do that for you.