Migration from M440 to M590
I am currently trying to migrate a configuration from an M440 24-port to the 590, which with the adapter brings it to a total of 18 ports (0-17).
I can load the configuration file fine after changing the interfaces, adjusting the feature key and making sure the system reads M590.
My problem occurs after I write it to the Firebox: I lose connectivity to the web page and to Firebox System Manager.
I double checked my interfaces, corrected my policies and confirmed the alias lists match throughout all policies side by side with the 440.
I made sure I changed my IP on the connecting device to match the interface in question and confirmed I can connect to the 440 the way I was trying on the 590.
At this point I am stumped as to what I am missing or failed to check.
I am doing all this from policy manager and a configuration file after the initial setup.
Any help is greatly appreciated!
Comments
What is between your mgt PC & the firewall interface?
Perhaps it has a MAC addr that needs to be cleared. If it doesn't see any traffic from the new firewall interface - it can't update its MAC addr table.
Try powering that device off and on.
Currently there is nothing between them; it is all connected by an Ethernet cable, as I am building it on my workbench. I tried rebooting after applying the configuration. Same result; also, when pinging from the PC I get either destination unreachable or request timed out.
It also bears mentioning that I have not updated the 590 to the latest version; I have them both on the same update version for the most compatibility.
Assume that this is a networking issue.
Clear the ARP cache on your PC.
Try connecting to a different firewall interface that allows access to the Web UI & FSM.
ARP did not help. For some reason my interfaces do not like either the policies, or I missed something during initial setup.
I added a new interface for testing and put a DHCP range so I may at least connect to it and troubleshoot traffic.
Would I be able to see what is failing in traffic monitor? Or any other better way of troubleshooting this?
Q. Would I be able to see what is failing in traffic monitor?
A. Maybe, but only if you can connect to the firewall to bring up Traffic Monitor.
In case there is an issue with DHCP on an interface, you can try setting a static IP addr to the PC, instead of using DHCP.
Also, you can verify that you are getting a DHCP IP addr via a CMD box with:
ipconfig /all
To release an existing DHCP IP addr:
ipconfig /release
To get a new DHCP IP addr after a release:
ipconfig /renew
Here is where I am at currently; assume I am clearing the DNS and ARP tables in between changes and all aliases are present in policies.
Firewall IP 4.4.4.3
Actual numbers replaced.
PC #1 Interface #3
PC: DHCP
Interface: "Trusted" IP address 7.7.7.1/24 Use DHCP server with an address range of 7.7.7.4 - 7.7.7.254
Result: Connects and allows WatchGuard System Manager, web UI, etc.
PC #2 is connected to interface #2
PC: Static 5.5.5.33 netmask of 255.255.255.0
Interface: "Trusted" 5.5.5.1/24 DHCP relay to 8.8.8.13
Result: ping fails, tracert fails, no management, no web UI.
If I change interface #2 from "Use DHCP relay" to "Use DHCP server" with a range and change the PC to DHCP it will work.
If the PC remains static but within the range specified, it fails.
I am trying to be as clear as possible and I am sure I'm missing something silly here.
Seems like there is an issue with the connection to the relay DHCP server.
Interface 2 PC, with a static IP addr: what do you see from PC1's connection to FSM for the Interface 2 PC in Traffic Monitor?
Also check FSM -> Status Report for the static IP addr 5.5.5.33.
No traffic can be seen on interface 2 with the PC IP or the interface IP in Traffic Monitor.
5.5.5.33 is showing in ARP on the firewall and the interface is showing in ARP on the PC, so they are aware of each other.
This M590 isn't in production yet so there isn't a connection to the relay server listed. My understanding is I could bypass the relay on the interface by setting PC 2 with a static IP.
My original goal was testing connections between the subnets/interfaces, since I had to manually change them due to having fewer ports. I could be wrong and may need to plug it in after production hours and see if traffic flows.
If you don't clear the firewall ARP cache or reboot, the Status Report ARP entries will show for old connections, such as when it worked with DHCP as stated earlier.
I agree that a static IP addr should work.
Just make sure that it is outside the range for the DHCP pool.
No idea why it should not work IF it is within the DHCP pool.
The default is that allowed packets are not logged.
For testing, you can add or modify a policy and enable Logging on it, to see allowed packets in Traffic Monitor.
For example an Any policy From: 5.5.5.0/24 To: Any, and move it to the top of the policy list.
My Windows PC gets a globe icon in the System Tray if it can't connect to the Internet.
Is that what you see?
Okay, I think I got it figured out with your help.
I manually added routes that said 5.5.5.0/24 goes through 5.5.5.1, and that initiated the pings on PC 2.
Then I added a route for 4.4.4.3 (FW IP) to gateway 5.5.5.1 (Interface 2).
This allowed the FW to send data back to PC2.
With this test interface 2 is set to original settings of DHCP relay and Static IP on PC.
I am assuming this was needed for testing until the FW is put onto the network, and then ARP would fill the table and initiate routes on the backend?
Yes 5.5.5.1 would be interface 2 connected to PC2.
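The route fix above can be reasoned through with a small longest-prefix-match model of PC #2's routing table, using the addresses from the thread (PC 5.5.5.33/24, interface 2 at 5.5.5.1, firewall management address 4.4.4.3). This is an added example, not code from the thread or from WatchGuard; it assumes the static PC had no default gateway configured, since the post lists only an address and netmask.

```python
"""Host routing-table lookup with longest-prefix match.

Models why a host route for 4.4.4.3 via 5.5.5.1 was needed: with only a
static address and mask, the PC has a connected route for 5.5.5.0/24 and
nothing else, so 4.4.4.3 has no next hop (constructed scenario, assumed
no default gateway on the PC).
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# (prefix, gateway); gateway None means the prefix is directly connected.
Route = tuple[IPv4Network, Optional[IPv4Address]]


def lookup(routes: list[Route], dst: str) -> Optional[str]:
    """Return the next hop for dst: 'on-link' for a connected prefix, the
    gateway address for a routed prefix, or None when no route matches
    (the host sends nothing, i.e. the 'destination unreachable' seen)."""
    addr = IPv4Address(dst)
    best: Optional[Route] = None
    for prefix, gw in routes:
        # Longest prefix wins, so a /32 host route beats a /0 default.
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        return None
    return "on-link" if best[1] is None else str(best[1])


def static_host_table(ip: str, prefixlen: int, default_gw: Optional[str] = None) -> list[Route]:
    """Routes a host derives from a static address: its connected subnet,
    plus a default route only when a gateway was actually configured."""
    routes: list[Route] = [(IPv4Network(f"{ip}/{prefixlen}", strict=False), None)]
    if default_gw:
        routes.append((IPv4Network("0.0.0.0/0"), IPv4Address(default_gw)))
    return routes


# PC #2 as described: static 5.5.5.33/24, no gateway listed (assumption).
pc2 = static_host_table("5.5.5.33", 24)

# The host route the poster added: 4.4.4.3 (FW IP) via 5.5.5.1 (interface 2).
pc2_fixed = pc2 + [(IPv4Network("4.4.4.3/32"), IPv4Address("5.5.5.1"))]

if __name__ == "__main__":
    print("before: 5.5.5.1 ->", lookup(pc2, "5.5.5.1"), "| 4.4.4.3 ->", lookup(pc2, "4.4.4.3"))
    print("after : 4.4.4.3 ->", lookup(pc2_fixed, "4.4.4.3"), "| 9.9.9.9 ->", lookup(pc2_fixed, "9.9.9.9"))
```

Setting a default gateway of 5.5.5.1 on the PC (`static_host_table("5.5.5.33", 24, "5.5.5.1")`) gives the same result as the host route without per-destination entries.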