Wifi not Passing all Traffic?
I am working on a project to create a dedicated, hidden, password protected wireless band for our IoT devices. The VLAN existed in our WatchGuard Firebox before I came on with the team, complete with WebBlocker and Proxy Actions, as well as policies to pass any traffic from the IoT group to Any-External over ports 80/443. I created the IoT SSID in our cloud.watchguard.com environment with the following configs:
SSID: Private
Radio: 2.4 and 5 GHz
Security: WPA3/WPA2 Personal
Password
Enabled VLAN to match the VLAN on the Firebox
Bridged
No ACL
Open Schedule
No Band Steering, Traffic Shaping, Client Isolation, or Network Access Enforcement
When devices are connected to the IoT Wireless SSID, the device receives an IP from the DHCP pool we created (or the IP it was statically assigned in the VLAN on the Firebox), and can navigate to certain sites, but not all. For example, I can navigate to youtube.com and nothing will populate on the home page, but if I search for and play a video, it plays. Installing the WatchGuard Certificate from our Firebox on a Mac and Windows device did not resolve the issue either. I watched the Traffic Monitor on the Firebox and continue receiving results like the below when trying to reach any website:
2025-04-30 10:39:11 https-proxy 0xbf8dca0-32247640 996: 192.168.109.194:33972 -> 31.13.88.63:443 [A t] {B} | 1201: 72.69.232.67:33972 -> 31.13.88.63:443 [B t] {X}[]: Handler: Connection closing on SSL failure (Domain: i.instagram.com)
2025-04-30 10:39:11 pxy 0x8870040-45778824 2269: 192.168.109.194:33966 -> 31.13.88.63:443 [A t] {B}: Accept SSL Error [ret -1 | SSL err 1 | Details: (null)/sslv3 alert certificate unknown] Domain: i.instagram.com PFS: ALLOWED | ALLOWED
Any ideas as to what might be wrong here? TIA.
Answers
For HTTPS inspection to work, you need to install either a certificate from the firewall or one from your corporate CA.
I don't see how HTTPS Inspect can work with IoT devices.
Some sites do not work with Inspect even with the correct cert installed. For those sites, one needs to set up Allow exceptions.
Hi @AJK_2023
The proxy logs are saying that the proxy is failing on the B channel (which is the firebox talking to the destination).
The details suggest that the firebox is either getting a cert it doesn't trust, or a completely invalid certificate. This is the cert on the firewall itself, and not the one that you have installed on your PC.
If you attempt this connection via a packet filter as a test instead of the proxy, can you get to the site? This tells us if the certificates on the firewall are the problem, or if the firebox is being presented certs that it can't decode.
It may also be worth checking if your firewall's trusted proxy certs are up to date. The steps in this article (even though it's talking about letsencrypt) show where those settings are:
(Certificate warnings when you browse to websites that use Let's Encrypt certificates through HTTPS proxies with content inspection)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SNIXSA4&lang=en_US
If none of that helps, I'd suggest opening a support case via the support center link at the top right of this page.
-James Carson
WatchGuard Customer Support
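To make the A/B-channel reading above mechanical, here is a small triage script (added here as an example; it is not WatchGuard code). It assumes, per the reply above, that the `{A}`/`{B}` marker after the connection tuple names the side on which the handshake failed (A = client to Firebox, B = Firebox to destination); the sample lines are constructed from the two Traffic Monitor entries quoted in the question plus one assumed `{A}` variant with a placeholder domain.

```python
import re

# Constructed sample: the two lines from the question plus one assumed A-side failure.
SAMPLE_LOG = """\
2025-04-30 10:39:11 https-proxy 0xbf8dca0-32247640 996: 192.168.109.194:33972 -> 31.13.88.63:443 [A t] {B} | 1201: 72.69.232.67:33972 -> 31.13.88.63:443 [B t] {X}[]: Handler: Connection closing on SSL failure (Domain: i.instagram.com)
2025-04-30 10:39:11 pxy 0x8870040-45778824 2269: 192.168.109.194:33966 -> 31.13.88.63:443 [A t] {B}: Accept SSL Error [ret -1 | SSL err 1 | Details: (null)/sslv3 alert certificate unknown] Domain: i.instagram.com PFS: ALLOWED | ALLOWED
2025-04-30 10:41:00 pxy 0x8870040-45778900 2300: 192.168.109.194:34010 -> 203.0.113.10:443 [A t] {A}: Accept SSL Error [ret -1 | SSL err 1 | Details: (null)/sslv3 alert certificate unknown] Domain: placeholder.example PFS: ALLOWED | ALLOWED
"""

# Timestamp, process, session id, first connection tuple, channel marker, rest of message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) \S+ \d+: "
    r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) \[(?P<chan>[AB]) t\] \{(?P<side>[ABX])\}"
    r"(?P<rest>.*)$"
)
DOMAIN_RE = re.compile(r"Domain: (?P<domain>[\w.-]+)")
DETAIL_RE = re.compile(r"Details: (?P<detail>[^\]]+)\]")


def parse_line(line):
    """Return a dict for one proxy log line, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    dom, det = DOMAIN_RE.search(rest), DETAIL_RE.search(rest)
    return {
        "time": m.group("ts"), "client": m.group("src"), "server": m.group("dst"),
        "side": m.group("side"),
        "domain": dom.group("domain") if dom else None,
        "detail": det.group("detail").strip() if det else None,
        "ssl_failure": "SSL failure" in rest or "SSL Error" in rest,
    }


def classify(event):
    """Which side rejected a certificate (assumed marker semantics, see lead-in)."""
    if not event["ssl_failure"]:
        return "ok"
    if event["side"] == "B":
        return "firebox-distrusts-server-cert"   # fix: Firebox trusted CAs / inspection exception
    if event["side"] == "A":
        return "client-distrusts-proxy-cert"     # fix: install the Firebox proxy cert on the client
    return "unknown"


def summarize(log_text):
    """Count SSL failures per verdict and collect the affected domains."""
    counts, domains = {}, {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["ssl_failure"]:
            continue
        verdict = classify(ev)
        counts[verdict] = counts.get(verdict, 0) + 1
        domains.setdefault(verdict, set()).add(ev["domain"])
    return counts, domains
```

Domains that land under `firebox-distrusts-server-cert` are the candidates for the trusted-CA check or an inspection exception; a `client-distrusts-proxy-cert` hit points at a device without the proxy certificate.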
Thank you for your response. I guess that would explain why the traffic wasn't passing through the devices I installed the certs on.
Thank you kindly for your professional insight, James! I'll take a look at our firebox cert to make sure that it's up to date and proceed from there. I'll check back in soon.