Has anyone successfully configured an OVPN file for use with OpenVPN on MacOS Tahoe. For us, name resolution will not work unless we manually enter DNS servers and domain name search in MacOS settings. And even then, browsing SMB shares is iffy. Previous MacOS versions work without issue using the Watchguard SSL VPN client. We moved to OpenVPN for our Tahoe user as the Watchguard client just would not work.

Thanks.

I have a primary and backup ISP, 2x M390s in a Firecluster configuration and want to introduce 2x layer-2 switches ahead of the Firecluster. This will allow me to patch both primary and backup ISP into each M390 (right now both ISPs are patched into the primary M390 directly which doesn't do us much good in the event of a failover).

Question is, has anyone else actually implemented this and do you have any recommendations for a solid but cost effective layer-2 switch? Note that I need 3x SFP+ ports.

Many thanks.

I have a vrrp redundant configuration with watchguard. Is it possible to have each watchguard configured with a different IP address?
Is it ok to use the same global IP address for static WAN?

In the Watchguard interface, the setting is type[Cluster],
I could not change the settings in the WebGUI.

I installed WSM and saw that I could change the settings,
However, I could not log in.

What is the username and password for logging in with WSM?
I tried the following

(1)
PC:10.0.1.2
login IP:10.0.1.1
username:admin
password:Same password as WebGUI

(2)
PC:10.0.1.2
login IP:10.0.1.1
username:status
password:readwrite

(3)
PC:DHCP
login IP:IP to enter WebGUI
username:admin
password:Same password as WebGUI

(4)
PC: DHCP
login IP: IP to enter WebGUI
username:status
password:readwrite

from last week on i cannot see any confugured BOVPNs or VPNs.in WatchGuard Cloud under LiveStatus for my WG Cluster- The page shows not data, no connections, no tunnels. . In WSM i only see the configured gateways, tunnels are not shown anyway . On WSM i alos cannot see any VPN connections as well.
This i very strange. Only way i can see valid data is when in connect via Web UI on the cluster.
Any Ideas what caused the problem?

On other Fireboxes everything is fine, i see connections.

Greetings

HN

However, I found from the manual that "FireCluster does not support bridge mode." Would it be a problem connecting the bridged Cisco ports to the firecluster?

Can I setup the Cisco router using the following configuration:

bridge irb
!
interface FastEthernet0/0
no ip address
bridge-group 1
!
interface FastEthernet0/1
no ip address
bridge-group 1
!
interface BVI1
ip address 192.168.0.1 255.255.255.252
!
bridge 1 protocol ieee
bridge 1 route ip

I've been struggling the last few days with trying to setup a pair of T85s in an active/passive cluster.

I've setup several other Watchguards in a cluster config before, and it all went fairly smoothly. The only difference is, they were on a flat network, and I really don't have much experience with setting up VLANs.

The new site we acquired has 2 VLANs setup, one untagged for the corporate network, and one tagged for the guest network.

I am able to access the management interface on the primary FW, but I'm not able to access the interface on the secondary FW...I can't even ping it. I tried to do a fail-over, just to check, and it did grab the external IP and the gateway IP, but no one was able to access the Internet.

I have the ports on the switches for both the primary and secondary FW adapters linked to both the untagged VLAN and the tagged public VLAN.

I've recently upgraded to a pair of M590 (12.10.2) devices for my A/P FireCluster and I'm looking to implement some network segmentation for additional security.

We currently have a very flat 192.168 subnet with PCs, Servers and printers all on vlan1.

To ensure I don't introduce any bottle necks I would like to move the vlan1 subnet from the trusted interface to an untagged vlan on a 10G interface.

I realise that i will need to change the trusted interface to another subnet but when I try and create a vlan called VLAN1 on the Watchgaurd, I get the following error.

"The FireCluster management IP address 192.168.... cannot be on the same subnet as the primary IP of interface VLAN1"

Am I able to change the FireCluster management IP addresses to move them to a different subnet and interface, so they are not on the same subnet as vlan1. Or is there a better way to achieve what I need?

Any advise would be welcome.

Thanks

Phil

We are setting up a new monitoring tool in our environment. We have several sites that are connected to our main site with a BOVPN connection. I'd like to be able to monitor the active and passive firewalls for port status, ping status, and the like.

I can, right now, access the gateway and get the stats from the firewall (10.0.0.1) from our hub office. I can also get the status from the firewall that's currently acting as the master (10.0.0.2). However, I cannot get the stats from the firewall that's the backup (10.0.0.3).

I can ping it and get the info from the 10.0.0.1 network, but not from the other network.

It would be helpful to know if the secondary firewall is up and alive from a remote site.

we have an A/P Cluster of XTM330s 12.1.3 B608021 and it's around third time we had a schedule power maintenance and when power backups up, one of the members (Firewall "A") don't sync back to the cluster, it stays "inactive". Strangely, we'd go to connect to that member on FSM, the member status appears "idle". We use WSM 12.5.1 to manage those appliances.

THE FIRST TIME, besides having an inactive member, Cluster would operate fine, despite having this look on FSM, unable to login in Web UI.
https://snipboard.io/LvVhse.jpg

After some back and forth, we realized the inactive member was able to play as master after getting it apart from the network and managing it individually. Since this member showing as "inactive" inside the cluster was not showing same strange behahior as Firewall "A", then we grab all network cords and plugged them to this device - Firewall "B".

Somehow Firewall "A" was glitching FSM, even 'thou it wasn't playing as master member.

On firewall A we completely default factory it, re-applied 12.1.3 B60821 (to match what we have in this cluster scenario), put it safe mode and cluster were once again synced fine.

THE SECOND TIME, it was a bit nasty, but we were lucky, this time after power maintenance and power backup up, Firewall "A" did not synced, same status as "inactive". Strangely, we'd go to connect to that member on FSM, the member status appears "idle" again.

There's no glitch on FSM not showing no status at all, neither Web UI giving HTTP Server error. After some back and forth, we discover the management IP address for Firewall "A" was responding to another host in the network. Since local network manager wasn't aware of each host it was, we decide to grab a a newer used IP address for management IP for this Firewall "A" member. Firewalls were synced after that, nice!

Now, we are on the THIRD TIME, it seems, we do not have an IP conflict this time, once again, there's no glitch on FSM/Web UI, but a power maintenance, when power went back up, Firewall "A" once again did not synced to the cluster, remaining as "inactive" state. Strangely, we'd go to connect to that member on FSM, the member status appears "idle" again. I am starting to think it's just a normal regular behavior this one.

We put Firewall "A" into safe mode and the rejoined it to the Cluster sucessfully. Rebooting Firewall "A" or asking for Discover member, even if we've got a successful message on FSM, the member would sit "inactive" until we forced it into safe mode.

This next sunday we'll have another power maintenance, it seems a routine task and we're waiting cluster to not go back normal after power backs up.

Things i am researching right now:
1) WatchGuard Fórum
I haven't found similar issue here, that's because i'm posting my own.

2) UserMac log
We have several logs with following pattern, that i'm clueless about
024-01-17 11:17:57 Secundario firewall sess_event: Session event "Add" has no "UserMac" parameter Debug 2024-01-17 11:17:57 Secundario firewall sess_event: Session event "Del" has no "UserMac" parameter

3) I've seen, we are using ID 5 for Cluster
Where standard is 1. I'll ask if there's another MAC multicast in the network, i don't recall why it's set to 5

4) Strange local subnetting
Firewall management interface and local network is 10.0.0.1/23, but when i access some local computers that are on 10.0.0.0/24 or 10.0.1.0/24 subnet - i don't recall applying this strange setting to stations, where firewall could just have secondary networks, if they are willing to avoid brodcast storms, but need more local IPs and don't want to deal with VLANs

5) Cluster log messages
The first three times, i did a look at event logs next to the incident hour, but reviewing firewall log settings, Cluster logs were off, i've set them to error now.
I'm also tried letting an ongoing tcpdump with Wireshark over CLI saving packets to files filtering DHCP logs (their DHCP sedrver or another one in the network may be leasing IPs that would conflict with management IPs?) and trying to see on dump IP conflict (i still have to try it out, to see which pattern should i look for within Wireshark to filter that), but for some reason, local network manager has not allowed me to run this dump capture from a local computer, i'll see how good could it be running this from firewall perspective, since at least DHCP logs that i want to grab will be (at least some of them) be broadcasted so i can grab them without port mirroring or similar feature

6) Look for cluster bugs in upcoming Fireware versions

At last, but not least, i'll look through release notes for cluster bugs in upcoming Fireware versions that could match what i'm experiencing right here. I know XTM330 is EOL, but if there an uncorrect bug like this, it'll help an ongoing work this network to update their hardware. But they are considering openning a new office, this old Cluster could be reallocated there and new one would stay in the HQ.

Any hint, guys?

Regards,
Rafael da Costa

Is there any way to get the cluster working remotely?

...or am I going to have to rebuild the cluster from scratch? (using Policy Manager - which we dont use currently)

Just wondered if anyone had any experience of building the cluster retrospectively like this?

Thanks

On a cluster with one unit having total security and the other having standard support there is different retension time for the logning.

One has 365 days, the other 0.

Is this a cloud bug?

Webshop-HA2
Standard SupportStatusValidExpiration2023-10-08Log Data Retention0 DayReport Data Retention0 Day

Webshop-HA1
Total Security SuiteStatusValidExpiration2023-10-08Log Data Retention365 DaysReport Data Retention30 Days

/Robert

M370 cluster A/P running 12.9.4

Been running for a very long time with current setup.
Both units has been rebooted.
No Nic CRC errors
Cluster status is all good.

When using FSM i get a lot of disconnects and reconnect a the below log shows.
This is more prone in front panel and status report.

Any good ideas why i get connection refused?

It seems it only happens when the cluster is healthy running a/p. If i power of one of the units i do not see this issue.

09/08/23 18:45:57[Thread-5] VclassMessenger : (2.2.2.2) java.io.IOException: Message processing timeout. Please try again.
09/08/23 18:45:57[Thread-5] java.io.IOException: Message processing timeout. Please try again.

09/08/23 18:56:01[Thread-11] VclassMessenger : (2.2.2.2) ProcessMessage --------
09/08/23 18:56:01[Thread-11] VclassMessenger : (2.2.2.2) ProcessMessageXmlRpc --------
09/08/23 18:56:01[Thread-11] VclassMessenger : (2.2.2.2) XML-RPC Sent (timeout=30)(sid=0F9EF6624807634B95ECC3174CBBC2A2D04E7E0E): /agent/status (status=/cluster/member_8013049EB4D39/syslog/xml) [seq=-1, cnt=-1]
09/08/23 18:56:04[..Thread (xmlrpc)] code=500; message=org.apache.xmlrpc.XmlRpcException: Connection refused
09/08/23 18:56:04[..Thread (xmlrpc)] Exception: org.apache.xmlrpc.XmlRpcException: Connection refused
09/08/23 18:56:04[Thread-11] VclassMessenger : (2.2.2.2) Messanger::processMessage(XmlRpcException) - Connection refused (500)
09/08/23 18:56:04[Thread-11] org.apache.xmlrpc.XmlRpcException: Connection refused
at org.apache.xmlrpc.client.XmlRpcStreamTransport.readResponse(XmlRpcStreamTransport.java:186)
at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:145)
at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:94)
at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:44)
at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:53)
at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:166)
at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:136)
at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:125)
at com.watchguard.util.comm.cmm.HttpConnect.sendXmlRpc(Unknown Source)
at com.watchguard.util.comm.cmm.TimedProcessMessageThread.run(Unknown Source)

/Robert

In the web documentation https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_diagnostics.html
is written
To quickly determine whether cluster operations are normal, look for these color-coded icons on tabs and sections:

Green check mark icon — A green check mark indicates normal operation.
Red X icon — A red "x" indicates an issue that requires your attention.

My FireCluster View the FireCluster Diagnostics Page in Web UI there red X icons in diagnostcs view Is there problem and where to look what is the problem

Thanks!
~Jon

That's the way I use to do it before the Web UI and Cloud ctlr came along? If so I'll have to build out a new WSM Server.

But when I connected my laptop to member A port 4, I don't get any DHCP. Is this supposed to be this way? I thought the point of cluster is to be redundant.

Presently I have an M470 which I will need to replace with either two M390's or M590's
as the 470's are no longer made. I'm thinking M390's, but that's another discussion.

Anyhow, my question is for the switch on the WAN (External) interface side should I use one switch or two?

I'm thinking one would work best and just create two VLAN's on that switch with each VLAN being Untagged (Aruba / HP lingo there) and each VLAN using the same IP Subnet as the FB external interfaces.
This setup may also alleviate any potential issues with the ISP hardware only wanting to connect to a single device.

This I realize still does not eliminate the single point of failure, just moves it upstream a bit, but it's cleaner and easy to implement.

What does the community think? Pro's, Con's?

Thanks!

• Doug

My question is: if the switch to which the active firewall is connected goes faultly, would the cluster activate the passive node even if it continues to hear the other node via heartbeat? if not, my network will be isolated.

Since each firewall is connected to only one switch, how can I configure the infrastructure to support the faults of a switch? Do I connect the heartbeat interfaces to the switches so that if they fail, the firewalls can't hear anymore?

Thanks a lot
Paolo

WSM 12.8

If you modify a existing cluster policy and want to view or modify one of the ha members then when you click ok you get a message saying:

The Firecluster management IP address x.x.x.x cannot be on the same subnet as the primary IP address of interface xxx

The same message pop ups if you fiddle around with the management interface under network configuration.

Even for fun if you assign secondary ip addresses to the interface holding the management for vrrp you will get the same result using secondary addresses.

/Robert

1. take the passive member offline, reset to factory default, reload it with the existing XML
2. does the passive member have to rejoin the cluster?
3. will there be downtime if I regain admin access this way?

I've been trying to figure out the correct hardware configuration for our new firecluster. I'm pretty new to this, so wanted to ask for some feedback.

I want to set up a new active/active cluster. I'm pretty much there to make sure the cluster on itself works in a test setup, but of course it needs to go to our datacenter, where we have two IP adresses for our use. I tried to make up some scheme about what I think it will look like.

Can I have some feedback on how the external interfaces (int 1 and int 2 on each firewall) should be configured and if this is pretty much the right thing to do? My thoughts on the interfaces is this:
0. Management IP
1. IP address of external IP 1
2. IP address of external IP 2
3. 192.168.45.254
4. 192.168.45.254 -> I don't think this is possible though. So I guess better 192.168.45.253?
5. disabled -> not needed
6. and 7 as said in the drawing.

I guess Both members of the cluster will have the exact copy (apart from cluster interfaces).

Thanks!

I had to move one of the firewalls to another circuit and the same thing happened.

The only thing different between the users is the SSL users use an LDAP server, the other users use the firewall database.

However, is this worded correctly? Surely it means that the cluster interfaces must be connected by their own VLAN, separate from all other interfaces? Because otherwise how would the fireboxes communicate across the cluster interfaces?

Many thanks,
Ross