How do I configure a PC to use Wireshark through the WatchGuard from/to external and trusted?
edited October 2022 in Firebox - Networking, Multi-Wan, VLAN, NAT, SD-WAN
Can someone explain to me how, or if it's even possible, to set up the WatchGuard to send all traffic on the network to its intended destination and a copy also to one PC that's running Wireshark? I've been playing around with multicast routing... no luck so far.
I just tried one of those wire tap things where it's supposed to act like a hub and send and receive out of all ports, and when I plug in my modem to the Firebox, it works fine. As soon as I add a second PC in another port on the tap, all communication is lost.
But I'd rather somehow do it on the WatchGuard.
It is easy to do with a managed switch.
Put it between the firewall trusted interface and whatever is downstream, presumably a non-managed switch.
Set up a mirror port, to mirror traffic from another port.
Then connect a PC/laptop to the mirror port.
With Fireware, one can set up bridge ports.
I have not tried using a bridge port interface for this, but I expect it would work.
Create a Network Bridge Configuration
The Firebox itself won't mirror a port for you; if you need to do that, you'll need to use a switch that can accomplish that. Most Cat5/6 taps are passive devices (meaning that they're splitting the voltage between the two connections in use). If the split voltage is too low for the firewall to detect a link, it can cause problems.
If you're looking for a hardware device, I'd suggest looking for a hub, as that will repeat all traffic out all ports. You will only be able to find these devices in fast ethernet models, however. If you need gigabit speeds, you will need to get a switch that can mirror a port.
If you're just looking to gather occasional data, you can use the tcpdump tool that is built into the Firebox's diagnostic tasks to do so. It can output pcap files that Wireshark can read.
See: (Run Diagnostic Tasks to Learn More About Log Messages)
(A subset of these tools is available in the WebUI under system status -> diagnostics, but I would suggest using WSM if you plan on using this tool, as it will allow you to run multiple captures at once if needed, and allow them to run for longer.)
WatchGuard Customer Support