After upgrading to 12.7.2 or higher, cannot connect to the gateway on the Firebox from the internal network?

I have an active GW in the Trusted zone, but after upgrading to 12.7.2 I can't ping or access the GW, the Internet, or other resources from a PC in my internal network.

Comments

  • What do you see in Traffic Monitor for access attempts from this device?

  • I don't see traffic from the device in internal, but in 12.5.9 I did.

  • You will only see denied packets and proxy strip type packets in Traffic Monitor.
    To see allowed packets, you need to enable Logging on policies of interest.

    Is your PC getting an IP addr from the trusted zone?

  • james.carson Moderator, WatchGuard Representative

    Hi @LucTran
    I'd suggest checking your IP address on your local machine -- DHCP options should not have changed, but some of the older firewalls take quite some time to upgrade. It's possible your computer auto-assigned itself an APIPA address (it'll start with 169.254.x.x usually.)

    If that's the case, try unplugging your network cable, and plugging it back in, or doing an ipconfig /release, then ipconfig /renew.

    Failing that, I'd suggest opening a support case so one of our support team can help determine what is going wrong.

    -James Carson
    WatchGuard Customer Support

  • edited November 21

    Also review this Known Issue:

    Traffic Monitor fails to show traffic logs after 1 December 2021
    https://portal.watchguard.com/wgknowledgebase?type=Known Issues&SFDCID=kA16S000000SNhXSAW

  • Hi @james.carson, thanks for your suggestion. But when I upgraded to the new version, the whole local network lost connection to the GW located on the Firebox.

  • Thanks @Bruce_Briggs, I will troubleshoot more; if needed I will contact the Support Team.

    Let me explain in more detail:

    • I have a trusted interface in WG, 192.168.X.254
    • Layer 3 SW as DHCP server; the internal network includes 192.168.Y.0/24 and 192.168.Z.0/24
    • In the L3 SW, I route internal traffic so it passes through the GW on the Firebox, and the Firebox routes back to the internal network via the interface connected to the L3 SW
    • No VLAN configuration on the Firebox, just one interface, 192.168.X.254, and it's the Trusted Interface
    • In the old version everything was OK, but after going to the new one, the network on the L3 can't ping or access the GW on the Firebox

  • FYI - you can provide full private IP addresses & subnets without any security exposure to you.

    Verify that the L3 switch has an IP addr from the trusted interface subnet.

    Check the firewall ARP table (Web UI: System Status -> ARP Table) and verify that there is an entry for the L3 switch IP addr and that the entry matches the L3 switch MAC addr.

    Verify that there are Network Route entries for any subnet behind the L3 switch, and that those entries point to the L3 switch's trusted interface IP addr.
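
    Added example, not from this thread or from WatchGuard: a small Python script that applies the three checks above (switch address on the trusted subnet, ARP entry with the expected MAC, a route for each internal subnet whose next hop is the switch) to constructed table text. The addresses and MAC are assumed placeholders for the poster's X/Y/Z values, and the row layout is assumed, not the Firebox Web UI's real export format.

```python
# Added example (not from the thread): checks Firebox-style ARP and route
# tables against the topology described above. All addresses are
# constructed placeholders (X=1, Y=2, Z=3), not the poster's real ones.
import ipaddress
TRUSTED_IF = ipaddress.ip_interface("192.168.1.254/24")     # Firebox trusted interface
L3_SWITCH_IP = ipaddress.ip_address("192.168.1.1")          # assumed L3 switch address
L3_SWITCH_MAC = "00:11:22:33:44:55"                          # assumed L3 switch MAC
INTERNAL_SUBNETS = [ipaddress.ip_network("192.168.2.0/24"),  # subnets behind the L3 switch
                    ipaddress.ip_network("192.168.3.0/24")]

# Constructed tables, one "ip mac interface" / "destination gateway interface" row per line
ARP_TABLE = """\
192.168.1.1 00:11:22:33:44:55 eth1
192.168.1.10 aa:bb:cc:dd:ee:01 eth1
"""
ROUTE_TABLE = """\
0.0.0.0/0 203.0.113.1 eth0
192.168.1.0/24 0.0.0.0 eth1
192.168.2.0/24 192.168.1.1 eth1
192.168.3.0/24 192.168.1.254 eth1
"""
def parse_table(text):
    # Keep the first three whitespace-separated fields of each row with at least three fields
    return [tuple(l.split()[:3]) for l in text.splitlines() if len(l.split()) >= 3]

def check_topology(arp_text, route_text):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    # 1. The L3 switch must sit in the trusted interface subnet.
    if L3_SWITCH_IP not in TRUSTED_IF.network:
        problems.append(f"L3 switch {L3_SWITCH_IP} not in trusted subnet {TRUSTED_IF.network}")
    # 2. The firewall's ARP table must hold the switch IP with the expected MAC.
    arp = {ipaddress.ip_address(ip): mac.lower() for ip, mac, _ in parse_table(arp_text)}
    mac = arp.get(L3_SWITCH_IP)
    if mac is None:
        problems.append(f"no ARP entry for L3 switch {L3_SWITCH_IP}")
    elif mac != L3_SWITCH_MAC.lower():
        problems.append(f"ARP entry for {L3_SWITCH_IP} has MAC {mac}, expected {L3_SWITCH_MAC}")
    # 3. Every subnet behind the switch needs a route whose next hop is the switch.
    routes = {ipaddress.ip_network(dst): ipaddress.ip_address(gw) for dst, gw, _ in parse_table(route_text)}
    for subnet in INTERNAL_SUBNETS:
        gw = routes.get(subnet)
        if gw is None:
            problems.append(f"no route for {subnet}")
        elif gw != L3_SWITCH_IP:
            problems.append(f"route for {subnet} points at {gw}, not L3 switch {L3_SWITCH_IP}")
    return problems

if __name__ == "__main__":
    for line in check_topology(ARP_TABLE, ROUTE_TABLE) or ["all checks passed"]:
        print(line)
```

In the constructed data the route for 192.168.3.0/24 wrongly points at the Firebox's own address instead of the switch, which is the kind of mistake the checklist above is meant to catch.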

  • Power off/on your L3 switch in case somehow the switch has an issue
