We are looking into using the Watchguard app portal as our RDP gateway and its all working, but the framerate is very bad.
On a blank desktop you dont notice it too much, but run a webgl test like 'fishtank' and it looks like its managing 5FPS when the render speed on the device is showing 60FPS.
I've tried this via an M690 and an M4800 and both are the same.
Native Windows RDP still isnt amazing , but its at least double the framerate and doesnt lock the browser up preventing you from clicking anything.
Is there any way to tune this in Watchguard?
I've tried running 256 colours, but it doesnt help.

ps. Its not network. We have 10Gb/s and the client tested at 900Mb/s. Latency is good too and we've tried three clients on different subnets.
Client CPU is running about 10% and pleny of RAM.

thanks.

locally managed M270 +fw 12.11.8

fsm dashboard says subsciptions outdated going on awhile

https://services.watchguard.com from a web browser says healthy

log says

2026-03-08 06:54:00 sigd Server response code for register: 502
2026-03-08 06:54:00 sigd register failed
2026-03-08 06:54:00 sigd URL string for update status report: https://services.watchguard.com/ServiceJoined/ServiceJoined.asmx/RegisterResultJoined
2026-03-08 06:54:00 sigd POSTDATA for update status report: sSerialNumber=xxx&sApplianceVersionNumber=12.11.8&sModelNumber=M270&sServiceType=AVService&sResultCode=5

manual update button on fsm sometimes works

Are there other update servers to try?

Is this worth a shot? Do you use it? Does it cost extra?

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/botnet/botnet_updates_c.html

WatchGuard offers Offline Signature Updates that enable you to download the latest signatures for these services directly from WatchGuard, and then use a script to manually install these files on your Fireboxes.

I'm using WebBlocker to restrict Internet Access from my servers so in the WebBlocker Action I'm denying all categories and using Exceptions to allow traffic when needed.

Using pattern matching seems to work as expected but when I use Exact Match the exception is still blocking the traffic.

For example, I have an exception to allow enterpriseregistration.windows.net, but in the logs I can see the following:

ProxyHTTPSReq
HTTPS Request
disp=Deny
pri=6
policy=HTTPS-proxy-GSA-00
protocol=https/tcp
src_ip=10.10.8.3
src_port=49890
dst_ip=20.190.159.67
dst_port=443
src_intf=PROD-SERVERS
dst_intf=External
rc=548
proxy_act=HTTPS-Client.Standard-GSA.3
msg=HTTPS Request
pr=https/tcp
sent_bytes=199
update_time=2026-03-06 14:10:18
log_type=tr
geo_dst=IRL
rcvd_bytes=6112
sig_vers=18.410
wgc_cluster_id=442545
action=drop
msg_id=2CFF-0000
app_id=0
tag_name=ProxyHTTPSReq
sni=enterpriseregistration.windows.net
app_cat_id=0
sn=C03B035EDEB47
device_name=SZF-M590-PRI
2CFF-0000

Can anyone offer some advice to get this working? Also any general best practise advice around exceptions would also be welcome.

Reason: Category 'Newly Registered Websites' denied by WebBlocker policy 'Default-WebBlocker'.

Please contact your administrator for assistance.
More Details:
Method: GET
Host: www.employerslawyer.com
Path: /

Domain: employerslawyer.com
Registered On: 1998-02-25
Expires On: 2027-02-24
Updated On: 2026-01-09

I have a question about the web blocker and the classification of websites. I am currently seeing an increase in miscategorization. In my case, this often affects small German company websites. I suspect that this is due to the use of AI, and I am wondering how this happens. Here are two examples:

www.pflanzenpoint-schuster.de Reason: Category “Sex” denied by WebBlocker policy “ITS-WebBlocker” only plants

www.havelwolle-naturkleidung.de Reason: Category “Nudity” denied by WebBlocker policy “ITS-WebBlocker”. they want to sell things against nudity

The sites appear to have been incorrectly categorized based on a few keywords.

This needs to be improved urgently. Has anyone else experienced something similar?

2025-12-31 09:19:07 Deny 192.168.150.65 142.251.41.133 https/tcp 52709 443 Public Wifi Comcast blocked sites 52 127 (HTTPS-proxy-00) proc_id="firewall" rc="101" msg_id="3000-0173" tcp_info="offset 8 S 2585186209 win 61690" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="52" rcvd_bytes="0" botnet="destination" geo_dst="USA" Traffic

If I disable the Botnet Detection, everything works 100%. If I turn it back on, it blocks it again but once in awhile it might let it squeak through for just a second or two. I just disabled botnet detection for now and was going to tackle it when I had time.

But today, a second site had the same issue, I disabled botnet detection and back up and running! I have 13 different Watchguard devices, these are the only two having issues.

All the Watchguards are at the latest firmware.
All the Watchguards have the latest Botnet definitions.
It doesn't matter what interface it's on either, the Public Wifi, any Trusted networks, etc.

I haven't dug in yet, but wanted to ask around and see if anyone has run into this.

Thanks in advance!

I dont see a way to auto failover if the the working vm is unavailable.

Is there a way?

we are testing Access Portal to secure the access to our hosted services like OWA (Outlook on the Web) and RDweb and we would like to add AuthPoint for MFA later.
But there are several problems we are encounting with this solution. Maybe someone here can help before I am submitting a ticket with the Watchguard support.
1. Forwarding user credentials from the Access Portal to OWA is not working. The user has to reenter their credentials in the OWA login screen after they already have successfully authenticated into Access Portal.
2. ActiveSync is not working. The Traffic Monitor shows something like " ...user was rejected or user doesn't exist". In my understanding request to /Microsoft-Server-ActiveSync should be bypassed from Access Portal.
3. The new RDWeb HTML5 Client is not working. Does the reverse proxy in Access Portal even supports websocket connections?

Currently we are using Nginx as reverse proxy for all those services and it works without any problems. But Access Portal + AuthPoint looks like a good solution for easily implementing MFA for some webservices.

The problem:
• License expired 2 days ago (Oct 21, 2025)
• Purchased new license/Feature Key
• Device shows as "Disconnected" in WatchGuard Cloud (cloud.watchguard.com)
• Can access device locally via LAN IP through web interface (https://IP:8080)
• Device is in production with 2 ISPs connected

Current Configuration:
• Model: Firebox T25
• Firmware: 12.11.4.B719894 (just updated from 12.11.3)
• Current expired license shows as: ****CD7 (expires 10-21-2025_20:03)

What I've Tried:
1. Web Interface (System → Subscriptions):
- Page loads initially but then goes blank/white
- Tried multiple browsers (Chrome, Firefox, Edge) including incognito mode
- Cleared cache, accepted SSL certificates
- Problem persists even after firmware upgrade to 12.11.4

2. WatchGuard System Manager (WSM):
   - Get error: "Permissions error. Please login with the 'status' user name and password
   for readonly access"
   - Using correct admin credentials that work fine on web interface
   - Authentication method set to "Firebox-DB"

3. CLI via PuTTY (SSH to LAN IP):
   - Tried from WG# prompt:
   * license feature-key add [KEY] → "Invalid input detected at '^' marker"
   * feature-key add [KEY] → "Invalid input detected at '^' marker"
   * license add → "Invalid input detected at '^' marker"
   - Tried from WG(config)# prompt:
   * feature-key add [KEY] → "Invalid input detected at '^' marker"
   * license feature-key add [KEY] → "Invalid input detected at '^' marker"
   - Verified with show feature-key that current license is there and automatic
   synchronization is enabled

   • The command feature-key exists but only has automatic-synchronization option, no
     add subcommand

4. Other attempts:
   - Updated firmware from 12.11.3 to 12.11.4 hoping to fix web UI issue
   - Verified device has internet connectivity (both ISPs active)
   - Checked System → Management Server (enabled for WatchGuard Cloud)
   - Tried direct URLs like /subscriptions.html, /license_upload.html - all blank

Network Status:
• Device is online with 2 ISPs connected
• Can access web interface locally via LAN IP
• Cannot reach device from WatchGuard Cloud
• Firewall policies seem correct (Firebox-to-External allowed)

Questions:
1. What's the correct CLI syntax to add a feature key on Fireware 12.11.4?
2. Why would the Subscriptions page go blank after initial load?
3. Is there an alternative method to import the license (XML file upload, config file edit, etc.)?
4. Could the expired license be blocking certain management functions?

Any help would be greatly appreciated! This device is in production and I need to get the license renewed ASAP.

Thanks in advance!

Apparently facebook is classified as a botnet through the current definitions. Had half a dozen tickets from 6 different customers today had to turn botnet detection off to get facebook to work again.

I tried to exclude but didn't spend much time on it and it didn't work "entirely". It worked but it was very slow, had to shut it off totally to get it to work normally. Hope this is fixed soon!

I went ahead and made a rule to allow any to connect to the destination IP over port 80 and 443. that stopped it from a deny error but it still doesn't load the portal page an now I get no message at all in traffic monitor if I filter on the source IP of my mobile.

I have read through the page https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/access portal/access_portal_config.html
I do not see anything there that is helpful to correct this. I tried rebooting the firebox but that did not resolve anything.
Ideas what to look for are appreciated.
- Jesse.

*removed IP addresses from customer post - jc.

We were running 12.11.2 at the time, but have since updated to 12.11.3

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/access-portal-saml_authpoint.html

I am to the point where I can choose Authpoint-SAML instead of Username and passphrase. I can enter my name, move to the password page, enter that and click the send Push. I receive the push on my phone and approve.

Then the page just moves back to the main login page. The URL then says:

https://portal.mydomain.com/auth/login?errcode=501

The logs up in the Cloud for Authpoint say the authentications are successful.

I thinking this is something not configured correctly on my Firebox, but I'm not sure.

Also, once I can get this working, how do you remove the option to use just a Name and Passphrase from the Access Portal main page?

Anyone have any suggestions?

I would like to know please if anyone lately had problem with the automatic feature key synchronization. We just renewed a bunch of Firebox and it's all good on the Watchguard Cloud but this time unexpectedly the Firebox didnt not automatically retreive the new key feature as its used to do before.

I'll be waiting for your feedback.

Best regards

I am just trying my luck if anyone can give me some hints or help.

There are websites that I cannot block.
If I test the url, it will show as a category that is also "deny" in the webblocker options.

I already added them to the exceptions as "deny" in which I already tried a lot of different text patterns.

There are quite a lot of similar websites like this.
Did I miss anything?

For example:
I want to open a PDF file. It is possible to open a PDF file smaller as 2 MB. A PDF file larger than 2MB does not open. I will see an unlimited loading bar. I can´t even Download the file.

With Word/Excel files:
I can´t open this files in a browser, so the browser will ask me to download this files. Files larger than 2 MB can´t be downloaded.

It is possible to open and download this files, when I connect to OWA in LAN. The files are not broken. I tested it with several files.

We have tested the Access Portal which is useful and we can connect to a RDSH server through the portal webpage. We however cannot use the Access Portal webpage have to use the Microsoft Remote Desktop Client as we have some software which needs this application.

I like having something in front of the RD Web server.

Is there any way we can connect through the Access Portal using through the RD Client or will I have to use a reverse proxy and skip the Access Portal?

I seem to have an issue with Geolocation and some watchguard functions like sslvpn, proxies for exchange and other websites. I've been getting a number of attacks lately on sslvpn and other inbound sites requiring authentication against our active directory. As an example, here is a blocked site hit from Romania from Dimension.
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=WatchGuard-SSLVPN-00, protocol=https/tcp, src_ip=80.94.95.120, src_port=62928, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=114, pr_info=offset 8 S 3976651325 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=ROU; geo_dst=USA

My sslvpn log levels are set to Information (High), but everything else is default. At the same time, an active directory account was locked out. The IP address tried a number of different services, but all were blocked.Dimension doesn't show the account it tried

My big question is could the geolocation be allowing the authentication attempt, and then block the traffic? Can I raise up some log to capture it all in dimension or the cloud portal logs? Should I just open a ticket?

First, the documentation says "To send data to ThreatSync and receive actions, Fireboxes must run Fireware v12.9 or higher and be added to WatchGuard Cloud for logging and reporting or cloud management." Yet I have cloud monitored Fireboxes still running 12.5 (updates are planned!) that are sending data to ThreatSync. At that Fireware level, communication is only one way, correct? Or is the documentation out of date?

Second, if I have an Incident with a description of "Malicious IP address was detected by the Firebox" and it also says the Automatic Response was "Connection Blocked by Firebox 'Mister_Firebox'" that means that the firebox itself blocked the IP address on Mister_Firebox and only that firebox, and that my ThreatSync automation policies had nothing to do with it, right? Because if ThreatSync had blocked the IP, I would see it under Config -> ThreatSync -> IPs Blocked By ThreatSync.

Third (and final!), I have an automation policy with a risk range of 1-10, for incident type Malicious IP and device type "Firebox." It "preforms the following action" of Block Threat Origin IP. Yet I also see several Incidents with Automatic Response type indicating the IP was blocked, but there's no corresponding entry in the IPs Blocked by ThreatSync. If the firebox is always going to block the IP, under what circumstances would the Malicious IP automation policy even fire? Perfect world, if the Malicious IP was blocked by one firewall, I'd like it to be blocked on all firewalls.

Bonus question! Is there a way to make a new automation policy run on historical incidents?

Appreciate your help!

How can I break that management link and enter the new Feature Key ?

Thanks.

Lewis.

I do not see how Webblocker can do this.

Anyone have any ideas?
Thanks