Best Of
Re: AP432 & WIPS
@koff75
-Being able to change the NTP settings/alerts is a feature that is coming soon. If you're seeing NTP alerts, it's usually because the AP is having trouble connecting to the default NTP servers.
-It isn't possible to manage the newer APs via the old cloud portal, or via GWC. GWC support will likely be dropped once the final Wave2 AC APs go end of life.
Re: AP432 & WIPS
No it isn't.
The wifi-5 and wifi-6 APs can't be managed by the same cloud setup, and the wifi-6 models have no option to be managed by the firewall directly.
Supposedly additional wifi-6 AP functionality will be coming.
To me it is odd that WIPS is not yet available for wi-fi 6 given how much this feature was touted by WG in the past.
I believe that the reason for the management difference is that the wifi-5 and wifi-6 APs are manufactured by different companies.
See the Tristan.Colo comment here:
Why are WIFI 6 APs cloud managed only?
https://community.watchguard.com/watchguard-community/discussion/2638/why-are-wifi-6-aps-cloud-managed-only
Re: Cloud managed Firebox: How to get load average data / load level ?
-Cloud Managed firewalls are managed by the cloud.
-Locally managed firewalls can log to WatchGuard cloud, but can be logged into locally.
You can still get the status report data from cloud managed firewalls, it's just a bit more of a process.
In WatchGuard Cloud, if you go to
-Monitor -> Devices
-Choose a firewall
-Go to Live Status -> Diagnostic Tools
-Choose the Snapshot tab.
-Click to download a snapshot file.
You'll need a program like 7-zip to open a TGZ file.
Navigate to:
Fireware_support.tgz\Fireware_support.tar\Fireware_XTM_Support.tgz\Fireware_XTM_Support.tar\support\system\system_status.txt
(The first few directories are the name of your firewall with stuff appended, may be slightly different than what I typed.)
Load averages and such will be in this file, along with everything else in the status report tab.
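If you pull these snapshots regularly, opening the nested TGZ by hand in 7-zip gets old. The following is an added example, not code from the post or from WatchGuard: it unwraps the two gzipped tar layers in memory with Python's standard library and pulls the load average line out of system_status.txt. It assumes the inner archive and status file names match the path given in the post (matched by suffix, since the leading directory names vary per firewall) and that the load average is printed in the usual `load average: a, b, c` form; the sample snapshot it builds for itself is constructed for the demo.

```python
import io
import re
import tarfile

# 7-zip shows each .tgz as two levels (.tgz\.tar); tarfile handles gzip + tar in
# one open, so the real nesting is: outer tgz -> Fireware_XTM_Support.tgz -> txt.
INNER_ARCHIVE_SUFFIX = "Fireware_XTM_Support.tgz"          # assumed from the post's path
STATUS_FILE_SUFFIX = "support/system/system_status.txt"     # assumed from the post's path

# Assumed line format; adjust the pattern if your status report prints it differently.
LOAD_RE = re.compile(r"load averages?:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)", re.IGNORECASE)


def find_member(tar, suffix):
    """Return the first regular-file member whose name ends with suffix, or None."""
    for member in tar.getmembers():
        if member.isfile() and member.name.endswith(suffix):
            return member
    return None


def read_status_from_snapshot(snapshot_bytes):
    """Descend through the nested support archives and return system_status.txt as text."""
    with tarfile.open(fileobj=io.BytesIO(snapshot_bytes), mode="r:gz") as outer:
        inner_member = find_member(outer, INNER_ARCHIVE_SUFFIX)
        if inner_member is None:
            raise FileNotFoundError(f"no member ending in {INNER_ARCHIVE_SUFFIX}")
        inner_bytes = outer.extractfile(inner_member).read()
    with tarfile.open(fileobj=io.BytesIO(inner_bytes), mode="r:gz") as inner:
        status_member = find_member(inner, STATUS_FILE_SUFFIX)
        if status_member is None:
            raise FileNotFoundError(f"no member ending in {STATUS_FILE_SUFFIX}")
        return inner.extractfile(status_member).read().decode("utf-8", errors="replace")


def parse_load_average(status_text):
    """Return the (1, 5, 15 minute) load averages as floats, or None if not present."""
    match = LOAD_RE.search(status_text)
    if match is None:
        return None
    return tuple(float(value) for value in match.groups())


def _tar_gz_bytes(members):
    """Build a gzipped tar in memory from {name: bytes}. Used only to construct the demo input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_snapshot():
    """Constructed stand-in for a downloaded snapshot, with the nesting the post describes."""
    status = (b"Uptime: 12 days 03:14:07\n"
              b"load average: 0.52, 0.48, 0.45\n"
              b"Memory: 4096 MB total\n")
    inner = _tar_gz_bytes({"support/system/system_status.txt": status})
    return _tar_gz_bytes({"Fireware_XTM_Support.tgz": inner})


if __name__ == "__main__":
    import sys
    # Pass a real downloaded snapshot path as the first argument; otherwise use the demo archive.
    snapshot = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_snapshot()
    print("load average (1/5/15 min):", parse_load_average(read_status_from_snapshot(snapshot)))
```

Run it with the downloaded snapshot as the first argument; with no argument it exercises the constructed archive. Matching archive members by suffix rather than full path is what lets it cope with the per-firewall directory prefix the post mentions.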
Re: Errorcodes authpoint explained
Hi @HansvD
201.015.003 is an error code specific to the logon app, and the error is "invalid request body," likely in the response that the logon app is getting.
I would suggest opening a support case if you're running into this issue, as there's not really enough information in that error alone to suggest what to do next.
Re: Bandwidth Meter Spiking
Also, if you have managed switches, you can use SNMP tools to capture usage of the switch ports, and present historical graphs of use.
In the past, I used MRTG to do this, but there are plenty of other options.
MRTG - The Multi Router Traffic Grapher
https://oss.oetiker.ch/mrtg/
Re: Since update to FireWare 12.9.B672226, FireBox or config. file does not support TDR?
TDR is still working for me in the cloud after I made changes to my config using Policy Manager and saved it to the firewall.
As far as I am concerned, this is just an informational notification.
I have notified the docs team to update the TDR docs related to this, as it clearly scares people unnecessarily.
Re: Migration problems from M200 to M290
@james.carson said:
In almost every situation where I've run into this, it's because the upstream ISP device is holding onto the MAC address of the old firewall/router. If this is the case, you'll see the M290 arping via TCPDUMP and not getting a reply. You can do this in Firebox System Manager under Tools -> diagnostic tasks. Select TCP Dump from the task menu and select advanced options.
assuming your external interface is eth0, you can use an argument like
"-nei eth0"
or
"-nei eth0 arp" if you just wanted to see arp traffic. If you're seeing ARPs from the firewall being broadcast with no response, then your ISP's device is most likely the culprit. If it's easier, you can also set the MAC address on the external interface to be what it was on the old firewall. See:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/interface_speed_set_c.html
You can find the MAC address in Firebox System Manager under front panel (just expand your interface) or in the WebUI under Dashboard -> Interfaces.
Just use the MAC from the old firewall on the new one via the override setting.
That's probably not the problem. But I'll give it a try.
The M290 can reach the internet (via Diagnostics pinging google.com/8.8.8.8) and I've also configured (untagged) vlan 100 on eth3. Plugged my laptop into eth3 and set a static IP with the M290 as my default gateway. It could also reach the internet. It couldn't reach the internet when I set it to DHCP.
Support told me the problem is internal routing since traffic doesn't go to the M290. But it all works when I switch back to the M200.
So if the problem is internal routing, the M200 also shouldn't work... But it does.
Re: Sorting IPs in policy manager
@Steve_E said:
M270 + 12.8.2
I'm looking at a rule in policy manager that has a list of unsorted IPs.
How do I sort them?
One of the things that may help "Control the Chaos" is to consolidate IPs into an Alias and go from there... It is traditionally better to use Aliases (Even if for one FQDN or IP Address) so that:
- You know what the IPs are for
- Scalability as you can use the Alias in multiple rules instead of a blob of IPs in multiple rules so that when you update the Alias, it will update all rules with that Alias.
Re: Route Internet Traffic from 1 VLAN (subnet) at site B via site A
Hi Daniel,
You can do this via a zero route on the VPN tunnels.
If you're not doing this for all of your VLANs, I would suggest using a standard BOVPN (Branch Office VPN) gateway/tunnel pair, vice a BOVPN Virtual Interface.
The standard tunnel pair forces you to make a route for each network, but because of this allows you to control the route for each one (meaning you can select the ones you want to zero route across the tunnel.)
Re: Automatic Config Backups
Not specifically what you are asking for - but there is an option in WSM Policy Manager to automatically save a changed config to disk when saving to the Firebox. The file is date & time stamped.
File -> Save -> Always create a backup