Best Of
Re: Use case of application control
The Webex documentation does specify particular IP ranges if you want to further limit your firewall policy (https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services).
In any event you'll need more than just those two ports open outbound.
Assuming it is a whitelist type setup where only specific destinations/apps are permitted access outbound, there is only so much you can do with application control but you could give it a try (noting you'd need to have more than those two ports in said policy).
Re: Use case of application control
Since we have no knowledge of what App Control uses to identify any specific app, it is hard to know if this will work as desired or not.
Re: Multiple wans different use case, what is the best way to proceed?
Yes, I would do as you suggest - remove the 2 from Multi-WAN and set up routes and/or SD-WAN for the others.
Re: IPv6 binding Mobile users
We are running into issues with users connecting to the SSL VPN because of this. Our corporate office has a T-Mobile (USA) cell plan with hot spot and T-Mobile passes IPv4 AND IPv6 addresses to the laptop which has joined the hotspot. This causes the SSL VPN connections to fail 50% of the time unless we disable IPv6 on the wireless network adapter in Windows. Also have a user in Denmark whose ISP hands out IPv6 alongside IPv4 and we had to do the same for them.
WatchGuard needs to work on supporting this (Yes, I saw there is already a feature request) as this is going to be more problematic in the future. Even though all the ISPs have not moved us to the great IPv6 that was going to solve all our IP addressing issues years ago.
Re: Losing connection to LAN while VPN to parent company
It is usually a client VPN setting.
Re: 12.9.3 or newer version than 12.9.2
12.9.3 is expected to release sometime in the first half of May. It's currently going thru QA testing and some documentation is being finished/finalized. Is there a specific bug you're waiting for a fix on?
Re: Azure 1400 MTU VPN requirement
@NewbieM370 The VIF would be specific to your Azure connection (you set up a different VIF for each endpoint.)
If you had to connect to an AWS endpoint, an Azure endpoint, and a physical firewall (like an HQ somewhere) you'd set up three VIFs, one for each.
Re: DNS watch - suspicious connections
@tantony You can attempt to block those domains, but it's literally playing whack-a-mole. For every one you block, 10 more will pop up.
- If you don't have any legitimate purpose for anything in that top level domain, you can use something like webblocker to deny *.top
- Using the extended protection categories in webblocker (specifically the advertisements and malicious sites) can also help.
Re: New HP Printer Wireless Access
tcp 54399 80
54399 is the source port
80 is the dest port
TCP port 80 is HTTP.
10.0.1.1 is Firebox - the Trusted firewall interface.
No idea why the local computer has decided to send an HTTP packet to the firewall interface.
Re: Quarantine Server not quarantining
I'm going to close this thread, as the Quarantine, Log, and Report servers are no longer supported.
See:
(Quarantine Server)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/quarantineserver/quar_server_intro_c.html
(Log, Report, and Quarantine Server deprecation)
https://www.watchguard.com/wgrd-blog/wsm-log-report-and-quarantine-server-deprecation
Customers using quarantine server should consider another option like tagging the subject line, which can allow users to manage spam in their normal email client(s) if they're set up to do this.