1/8 Fireboxes won't connect

I have 8 locations with Firebox T20s and T25s. I have one management location with a static IP. I can connect via the System Manager to 7 locations with no problem, but one of the T20s is problematic, and I am at my wit's end. All of the locations have the exact same hardware configuration apart from 2 of the locations having T25s. WAN > Switch > WatchGuard. They are all on the same ISP. The Firebox-mgmt policy is configured identically on all of them. I can see myself ping the Firebox in the diagnostic logs, but I do not see any activity when I try to connect via the System Manager.

I am looking for anything new to try. I tried:

  • Setting Firebox-mgmt From to Any
  • Opening same ports for Firebox-mgmt on the management network.
  • Taking out the switch and going WAN directly to Firebox

Driving home from that location (about two hours away), I thought of some other things I wish I had tried, so I'm looking to have a plan when I head back. Any guidance is appreciated; thank you.

Comments

  • I strongly recommend that you never have WG-Firebox-mgmt From: Any or Any-external.
    Instead have it From: a specific IP addr such as the external IP addr of your main firewall, or from a VPN user ID.
    There is no way that having it from a specific correct IP addr is the cause of your issue.

    You can turn on Diagnostic Logging for Management, which may show something to help.
    You can turn on Logging on WG-Firebox-mgmt policy to see what is being allowed from your remote management access attempt. Perhaps something upstream from your firewall is blocking something.

    As a plan B, you can set up VPN client access to that firewall, and then get System Manager and/or Web UI access via it.
    Then you can look at the Traffic Monitor logs while being remote to help resolve this.

  • Hey Bruce, I only set my policy to "Any" for a matter of seconds and determined it didn't help. I have been using my management location's static IP via Host IP4 in the firebox-mgt policy.

    I will check the logging on that policy and see if I see anything. Thanks for the VPN suggestion—that sounds promising.

  • james.carson Moderator, WatchGuard Representative

    If you're not seeing the traffic hit your firebox at all, it's very likely that traffic is being blocked upstream from your firebox.

    I would suggest contacting your ISP.

    You can also use TCPDUMP on the firebox to verify this -
    -Open and log into WatchGuard System Manager.
    -Launch Firebox System Manager
    -Go to Tools -> Diagnostic Tasks.
    -In the network tab, choose the tcpdump task.
    -Check the advanced options tickbox.
    -Use the following argument "-i eth0 port 4105 or port 4117 or port 4118" without the quotes. Change eth0 to the appropriate port number if you are not using port 0 for your ISP.
    -Click run task, and attempt to connect.

    If you don't see anything popping up here, it's likely your ISP is filtering that traffic - you'll need to contact them and ask them to stop filtering those ports.

    -James Carson
    WatchGuard Customer Support
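
    The tcpdump task above watches for the management ports on the Firebox side. The complementary check is from the management location: probe the same three TCP ports against the remote Firebox's external IP and see whether you get a connection, a reset, or silence. This is an added example written for this thread, not WatchGuard code and not part of any post; it assumes only the port numbers quoted in the reply (4105, 4117, 4118), treats the target address as a placeholder, and builds the same tcpdump argument string so the two sides of the check line up. A reset ("closed") proves the path to the host is clear and something other than upstream filtering is at play; a timeout ("filtered") is consistent with either the ISP dropping the ports or the Firebox policy silently dropping the packet, which is exactly why the tcpdump on the Firebox is needed to tell those two apart.

```python
import socket
from typing import Dict, Iterable

# Ports named in the tcpdump filter in the reply above. The numbers are from the
# page; treating them as the WSM/FSM management ports is an assumption.
FIREBOX_MGMT_PORTS = (4105, 4117, 4118)


def tcpdump_filter(iface: str, ports: Iterable[int] = FIREBOX_MGMT_PORTS) -> str:
    """Build the tcpdump argument string from the reply for any interface/port set."""
    expr = " or ".join(f"port {p}" for p in ports)
    return f"-i {iface} {expr}"


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port from the client side.

    open     -> SYN/ACK came back: something is listening and the path is clear
    closed   -> RST came back: the host is reachable but nothing answers on that
                port (a Firebox policy drop does NOT send a RST, so a RST means the
                packet was not silently dropped upstream)
    filtered -> no answer before the timeout: dropped on the path or by the
                Firebox; a timeout alone cannot say which
    error:N  -> other socket error (e.g. no route), with its errno
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        return f"error:{e.errno}"
    finally:
        s.close()


def probe_ports(host: str, ports: Iterable[int] = FIREBOX_MGMT_PORTS,
                timeout: float = 3.0) -> Dict[int, str]:
    """Probe every management port and return {port: state}."""
    return {p: probe_port(p_host := host, p, timeout) for p in ports}


def loopback_check() -> Dict[str, str]:
    """Sanity-check the classifier offline on 127.0.0.1 (constructed scenario):
    a live listener must read as 'open', the same port after the listener is
    gone must read as 'closed'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_port("127.0.0.1", port, 2.0)
    srv.close()
    unbound = probe_port("127.0.0.1", port, 2.0)
    return {"listening": listening, "unbound": unbound}


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a TEST-NET-1 placeholder (assumption); pass the Firebox's
    # external IP as the first argument when running this for real.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print("Firebox-side tcpdump arguments:", tcpdump_filter("eth0"))
    for port, state in probe_ports(target).items():
        print(f"{target}:{port} -> {state}")
```

Run it from the management location while the tcpdump task is running on the Firebox: if the client sees "filtered" and the Firebox capture shows nothing, the drop is upstream (the ISP case James describes); if the capture shows the SYNs arriving, the drop is in the Firebox policy and the Firebox-mgmt policy logging suggested earlier is the next place to look.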

  • Thanks, James. I will give all of this a shot. My plan is to get out there this weekend, so I will report back when I have found the solution. Thanks again, everyone.
