Best Of
Re: Feature Request - Watchguard Cloud - Firebox Templates, SD-WAN editing
Hi @seanhht
There is an existing feature request (FCCM-6507) to show the SD-WAN status in the policy overview.
I'll mention a toggle to the project management team, but they may want to avoid adding that function there as there may be some situations where SD-WAN isn't as straightforward as on or off.
Feature Request - Watchguard Cloud - Firebox Templates, SD-WAN editing
I would like to request a feature in WatchGuard Cloud Configuration.
My suggestion is to add an allow/disallow slider for SD-WAN actions in each firewall policy in Firebox templates, much like you have for content actions. This would allow us to turn on and select an SD-WAN action at the device level.
There may be some policies where we don't want this. There may be some policies where we want this enabled. That is why I don't think it should be an all-or-nothing approach.
If you are not an MSP, you cannot copy a Firebox template to your cloud-managed Firebox. You can only subscribe the Firebox to the template. While this is a fine way to handle things, there is a problem with doing it this way. You cannot "tell" the template that you will want to use an SD-WAN. You cannot allow or deny an SD-WAN action. If you deploy the template with Firewall Policies, those policies are not editable at all.
I would prefer this option to copying the policy, for ease of updating and making it easier to deploy templates to multiple sites and Fireboxes. This is a template; the name indicates that it should be able to be changed at the device level.
Re: AP330 connection issues
Thank you for your response. Despite the tickets we had opened and the troubleshooting done, we felt like we were going in circles for a while. However, after extensive testing and tweaking, we finally found a solution that seems to work for us and stabilizes our Wi-Fi network.
I wanted to share this in case it helps others experiencing similar issues.
--> link
Re: Wi-Fi Mesh Networking
Yeah, WatchGuard hasn't been focused on a Mesh solution due to how Mesh degrades performance. It's better than nothing when you can't get a wire out, but it is still not optimal.
Re: PC freeze up issue
Check if your HP machines came with preinstalled HP Wolf Security EDR software.
https://enterprisesecurity.hp.com/s/article/How-to-uninstall-HP-Wolf-Pro-Security
Re: End-User Control: Activating and Deactivating the FireCloud Solution
Hi @Roger_Minervino
The ability to enforce pre-login connections, and manage if users can exit the application are currently on the roadmap.
Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
I've followed this guide here and am confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1
I downloaded the latest version of the Mobile VPN software which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software, select the SAML option, this triggers the authentication process with Entra which I complete using passwordless MFA which then returns this error:
AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.
Doing a quick search, it would appear that the WatchGuard is expecting me to authenticate using a username and password, and because I haven't done that (I've authenticated successfully but using Passwordless MFA), it then doesn't accept this method.
Is it likely I have something set wrong? Is anyone aware of a workaround or setting I could change to allow this? Do we need to wait for WatchGuard to accept this as a valid authentication method?
Appreciate any feedback / insight anyone can offer.
Re: Credential prompt on IKEv2
Check https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bpLuSAI&lang=en_US
A better solution would be to use AD NPS RADIUS authentication...
Re: SNAT over BOVPN
You can use Dynamic NAT with the Set source IP to change the incoming public IP addr to a private IP addr on the SMTP Policy Advanced tab, which will address the issue.
Choose a private IP addr which will route over the BOVPN - perhaps the trusted interface IP addr.