Is it normal that the available storage on the Firebox M690 is so small? If not, is there any way to increase the capacity of the local storage?

Thanks a lot
Regards

Model T10-W
Version 11.12.1.B522519

1 Trusted General Office 192.168.25.1/24
2 Trusted Point-Of-Sale 192.168.29.1/24

From a computer on 192./168.25.0/24:

zenmap: nmap -sn -T4 192.168.29.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 17:28 -0800
Nmap scan report for 192.168.29.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.29.100
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.57 seconds

AAAHHHHH !!!!! These are suppose to be segmented. What am I doing wrong ?????

Setting up the following firewall rule fixed it, but why was it necessary?

Yours in confusion,
-T

If it happened, what I wouldn't want to have to be doing, is wasting time configuring policies. I would much rather have a policy sitting disabled, that all I would have to do is enable - which would block all internet traffic apart from Watchguard VPN

Hope I am making sense?

Thanks
Ryan

wg advisory says this version clears the recent iked problem

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015

"account lockout" and "block failed logins" are enabled in pm > setup > authentication

deny rules including 147.185.132.0/24 are on top in policy manager and work as expected most of the time

eg

2026-01-03 19:06:09 FWDeny, Denied, pri=4, disp=Deny, policy=EXCEPTION-TOP-Drop-block-paloaltonetworks-00, protocol=webcache/tcp, src_ip=147.185.132.4, src_port=50279, dst_ip=m.y.i.p, dst_port=8080, src_intf=EXT-BUSINESS, dst_intf=Firebox, rc=101, pckt_len=44, ttl=250, pr_info=offset 6 S 2232048525 win 65535, duration=0; sent_bytes=44; rcvd_bytes=0, 3000-0148, geo_src=USA; geo_dst=USA

this concerns me

i think its saying 147.185.132.4 got past the block rule then hit a l2tp rule?

2026-01-03 19:10:29 iked (m.y.i.p<->147.185.132.4)******** RECV an IKE packet at m.y.i.p:500(socket=14 ifIndex=6) from Peer 147.185.132.4:64440 ********

2026-01-03 19:10:29 iked (m.y.i.p<->147.185.132.4)Phase 1 started by peer with policy [L2TP-IPSec_l2] from 147.185.132.4:64440 main mode

no block action after was logged, and im not ready to disable l2tp

Firebox T10-W

I have done several bridges on Fireboxs before with the WebUI, so I know how to do it.

This time I need to bridge Port 1 to Wireless 1. But I need to keep all the configuration that port 1 had. Replacing port 1's rules and configuration would take days.

How do I just add the wireless to port 1 and keep all of port 1's configuration?

Yours in Confusion,
-T

I replaced a Sonicwall device by a WatchGuard this weekend and now I cannot access the NVR behind the firewall with the cell app on a 5G network.

I'm seeing in FSM that the port i'm trying to communicate is blocked but I created a rule that I use Any-External to SNAT (External IP --> Internal IP) with the port that needs to communicate with. To be sure it's not a rule blocking it, I set it 2nd in the list.

Here's what i'm getting as an error
Deny Source_IP Static_IP_External 8000/tcp 56190 8000 External Trusted blocked ports 64 52 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" dst_ip_nat="Internal IP" tcp_info="offset 11 S 3585033702 win 65535" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="64" rcvd_bytes="0" geo_src="CAN" geo_dst="CAN" Traffic

I'm feeling kinda dumb as it's not my first WatchGuard but this one is bugging me

Thanks for the help

I create Firebox users as workaround but I prefer to use AD

We use Mobile VPN with SSL 12.11.2 for Windows

They've been added by the FDQN.
One site example is temu.com which users can still get on.

Under DASHBOARD - Interfaces - Bandwidth I see this.

As far as I understand it is a continuous bandwidth utilization.
How do I find a device that utilizes bandwidth in WebUI?

I just spoke with someone at support who told me that they are not providing any fixes for boxes out of support contracts, even though this is a critical CVE. This seems contrary to what most providers have been doing. As a reseller, we have numerous devices that are not EOL, and often just out of LS, or NFRs - all that we are still using for internal testing/training, and still have use to us. I understand nobody wants to support devices forever, but many of these devices are not that old, and as a reseller who has been selling your products for more than a decade, I am somewhat disappointed in this response.

Can we get some clarification on what the critical CVE patching availability policy is with WatchGuard, and what those of us with these unmanaged devices are supposed to do about these critical issues?

"Basic Device Feedback now sends Trusted Platform Module (TPM) public key data to WatchGuard each time the device reboots."

@WatchGuard: Can you please give back control of the devices back to your customers they own. From a security device which can be managed on prem we expect that sending telemetry data to whoever can be switched off completely!

Can you give us a hint which FW release exactly started to send data to WG and what data exactly is sent to WG.

Thanks.

upgrade system from (location) [yes|no]

upgrade system from ftp://test:testing@1.2.3.4/xtm5_b0.sysa-dl yes

Is there a way to use the CLI to auto-upgrade in the same manner as the Web GUI? Or is there a public FTP/TFTP server that WG provides for these upgrades that I can utilise? Trying to avoid having to manually download the upgrade to my own FTP server first. I do appreciate this problem goes away if the box is cloud managed rather than local managed, but for whatever reason that's not possible (not a technical restriction, just a management one).

Thanks.

sshd-session Connection closed by authenticating user fanbohao 198.55.98.49 port 53538 [preauth]
sshd-session Failed password for taco from 198.55.98.55 port 12342 ssh2
sshd-session Connection closed by authenticating user john 198.55.98.53 port 4650 [preauth]
sshd-session Failed password for fanbohao from 198.55.98.49 port 18836 ssh2
sshd-session Connection closed by authenticating user john 198.55.98.53 port 62744 [preauth]
sshd-session Connection closed by authenticating user john 198.55.98.53 port 16914 [preauth]

Anyone else having this issue? After working through multiple tech support engineers at WG, they have told me that the ability to change ciphers in in a future release, and then the next tech told me that there are NO plans for this and basically I am SOL if I am using SSLVNP as they have no plans to update it.

How is this possible coming from a company that has a product designed around security?

Is anyone else using WG and have PCI DSS compliance?

Has anyone else done their quarterly scans and found this issue?

I feel that support at WG is slowly going downhill. Which is very unfortunate as we were planning to role out some larger Firebox appliances, however this might put a halt on that...

I have a client who was on 12.11.2. They have had scan to email setup for awhile now. After the upgrade to 12.11.3 it stopped working. I checked all the settings and everything looks good in the scanner. I see traffic on port 587 green when I try to do a test scan, but it just isn't working. The only thing that makes me think it's the WG is because it stopped the exact day I did the FW upgrade.

What could it be? Something with TLS? I tried creating an any policy for the printer to get to the net on but that did not seem to help either. Its a pain to troubleshoot as I have to be on site since the printer doesn't have a test button for Scan to email.

A few days ago, I did something stupid. I recently updated my password for watchguard and I had the old password in the password field and the new password just as a note.

Well, I saw that and I'm thinking I need to just move that password to the password field. So, I did that. I overwrote the old password. (All my passwords are auto generated.)

Well, a little later, I made a change to the firebox that messed it all up. I decided, I'll roll back to my old backup. That's where I went wrong. As soon as I did that, it restored my old password. Now I was locked out of the watchguard. I couldn't get back in.

So, I started over with a brand new config. I cannot figure out how to enforce safe search. I've followed a few different tutorials. I remember him saying that you can't see inside of https so I had to set it to inspect and inspect it with http. I set the http to use safe search and then told https to point to that policy. But, once I did that, I started getting errors with certs. I watched a youtube video and they explained the cert error.

But, basically the video said I need to install the cert on all of my PCs to get rid of that error. I did not have to do that the last time. However support configured it, I didn't need to do anything to my clients.

Is it possible to add an object to a Firebox group via API? Basically, I need to keep adding different IP addresses to a group from a Python script.

Thanks in advance!

FWDeny, tcp invalid connection state, pri=4, disp=Deny, policy=Internal-Policy, protocol=8443/tcp, src_ip=192.168.1.67, src_port=51255, dst_ip=80.245.163.164, dst_port=8443, src_intf=WiFi_Public, dst_intf=Firebox, rc=101, pckt_len=40, ttl=64, pr_info=offset 5 R 854996990 win 0, 3000-0148

FWDeny, tcp invalid connection state, pri=4, disp=Deny, policy=Internal-Policy, protocol=xmpp-client/tcp, src_ip=192.168.1.58, src_port=60108, dst_ip=80.245.163.164, dst_port=5222, src_intf=WiFi_Public, dst_intf=Firebox, rc=101, pckt_len=40, ttl=64, pr_info=offset 5 R 778427042 win 0, 3000-0148

FWDeny, tcp invalid connection state, pri=4, disp=Deny, policy=Internal-Policy, protocol=8443/tcp, src_ip=192.168.1.58, src_port=60212, dst_ip=80.245.163.164, dst_port=8443, src_intf=WiFi_Public, dst_intf=Firebox, rc=101, pckt_len=40, ttl=64, pr_info=offset 5 R 3802968821 win 0, 3000-0148

Is there any other way to bring it up without rebooting the firewall box?

Thank you.

There are two servers in the local network called Prod (10.0.0.15) and Test that are running some software.
The vendor need inbound access to both servers from outside.
Conditions as below.
This following will point to the Test server
https:// test.company.com:6544/Test
The following will point to the Production server
https:// production.company.com:6544/Production

I know I need to create a SNAT for that.
The question is since the port number is the same how to make WatchGuard redirect https:// test.company.com:6544/Test to 10.0.0.16 and https:// production.company.com:6544/Production to 10.0.0.15?

I'm facing an issue with the SSO Authentication Gateway on my WatchGuard setup. When I try to install and configure the SSO agent on my Active Directory Domain Controller (DC), I get an error when adding the domain—it says the UPN is not valid, and no account works (not even the administrator account).

However, if I install and configure the SSO agent on another AD member machine, everything works perfectly.

Here’s what I’ve checked so
1. The necessary services are running on the DC.
2. The account permissions should be correct.
3. DNS resolution and network communication between the DC and the Firebox seem fine.
4. Logs don’t provide much useful information.

Has anyone encountered this issue before or has any idea what could be causing this?

Thanks in advance for your help!

i check the website documentation, searched the forum, searched the internet.
could not find a single FAQ, KB or anything.

so, please, point me to the watchguard docs for tailscale?
thanks much, david

I cannot figure out why. They look like port scanning. I cannot find any outbound traffic to these addresses. All connections are of course dropped but they fill up my logfiles. I found out from AbuseIPDB site that others are seeing this also.

Anyone to shed some light on this?