Comments
-
What do you see in Traffic Monitor when an incoming WhatsApp call is tried? Please post sample deny log messages for a blocked call.
-
RatioApp (Web Portal) - Allowed – (Policy Type: RatioApp) TCP 50600 From: External To: 192.168.133.253 (Srv-2)
Should be To: SNAT RatioApp (Web Portal), not to 192.168.133.253.
-
If the ABG-Network interface IP addr is 10.111.0.253/24, and 10.111.0.254 is the interface IP addr of the old firewall, I don't see why this is happening, and you should open a support case on it.
-
The spoofing indicates that 192.168.1.147 is not expected to be seen on the ABG-Network interface.
-
Seems to be an inconsistency on tag settings on the AP, switch ports & firewall. The change seems to indicate that the VLAN-B setting on the AP was not set to tag? Review those settings on the switch ports. What brand/model PoE switch do you have?
-
Nothing seems wrong with your settings. An actual deny log message may help sort this out. I have APs with 4 VLANs, and for 3 different Zones. 1 AP has the 4 VLANs going to a single firewall interface, all tagged. A 2nd AP has a tagged and an untagged VLAN going to a different firewall interface.
-
Latency is a significant issue with IKE. This article explains how to calculate what the max throughput should be based on latency, link speed, and TCP window size. How to Calculate TCP throughput for long distance WAN links http://bradhedlund.com/2008/12/19/how-to-calculate-tcp-throughput-for-long-distance-links/ Review…
-
"Research from Nord Security finds that the NordLynx VPN protocol can ramp up to 1200 Mbps, while IKEv2 only reaches 600 Mbps, and OpenVPN manages a best-recorded speed of 400 Mbps." NordLynx is NordVPN's version of Wireguard. https://nordlayer.com/learn/vpn/protocols-comparison/ "WireGuard is twice as fast as OpenVPN, if…
-
Check the Zone specified on your VLAN settings and verify that your policies match those zone settings.
-
What is the deny? Please post a sample deny log message.
-
1056897 CVE-2008-3697 Description: There exists a vulnerability in the ISAPI extension provided by VMware Server to extend support to IIS for running Perl scripts. This is an exploit from 2008. If the server is not VMware or is, but is a newer version than from 2008, then this is a false positive, and can be excluded in…
-
Care to post a sample spoofing log message? You can save the config to disk and use a text editor to search for an IP addr or part of one. You can look at the Routes:
. Web UI -> System Status -> Routes
. WSM Firebox System Manager -> Status Report -> IPv4 Routes section
You can open a support case - a WG rep can look at…
-
Q. Can I do a Quick Setup run without tampering with the Firewall settings? A. I don't believe so - step 4 of the Quick Setup Wizard saves the basic configuration to the Firebox and to a local configuration file. One would want to look at the local configuration file to see what is there and not upload it to the firewall.…
-
Is the VPN subnet defined to the new firewall someplace else besides the Network Route?
-
Q. Why should I prevent any outbound traffic of users of the guest network? A. Some companies have Internet access policies which state the types of sites which should not be accessed, even by guests, which may include pornography, illegal sites, compromised sites (for the safety of the user), etc. Even without such a…
-
Just to confirm, this was the result immediately after a Quick Setup Wizard run? By default, I would not expect a guest network to be defined without some firewall admin interaction.
-
Usually an appropriate Network Route addresses this. The Gateway addr should be an IP addr on the problem interface.
-
IPS signatures used to be provided by Trend Micro. However, I can't find any info which indicates that they are still the provider. In any case, presumably WG folks review the signatures being provided prior to releasing them to us.
-
You can search for IPS signatures, here: https://securityportal.watchguard.com/Threats?sigVers=4 A search for WordPress shows some, but none for this issue.
-
I don't see how the HTTPS proxy could prevent "any unauthenticated user to reset arbitrary user passwords" on WordPress because of the Essential Addons for Elementor bug, given that there is currently no IPS signature for this bug.
-
Have you tried asking support to escalate your case to the next level? Those higher up in the support chain may be able to help understand the issue better, especially with the appropriate logs. I, and many others, don't have experience with multiple other brand endpoints, so some of us can't help more. BOVPN stability…
-
I had a similar support case in 2021. From the case: Created By: Lyuba Ivanchova (12/1/2021 1:26 AM) Hello Bruce, I did some research and the certificates that are Certificate Authorities for Proxies only receive quarterly updates to update any missing certificates or newly updated certificates. These updates are pushed…
-
I don't see how just by using the HTTPS proxy, that it would have prevented this exploit attempt. With the HTTPS proxy with inspection, one is likely to have better protection from known exploits for which there are IPS signatures.
-
From the docs: You can add a WebBlocker exception that is an exact match of a URL, a pattern match of a URL, or a regular expression. Since WB blocks a URL, not just a domain name, it seems difficult to me to construct the correct regular expression (RegEx) to block the zip domain but allow a .zip file suffix. Easier for…
-
I would try not overlapping the primary subnet and the secondaries. What is the purpose of adding secondary subnets?
-
The point is that the user authenticates to the portal, thus removing general access to an app via a general SNAT based policy - your initial goal. If you can't get this working, consider opening a support case on it or start a new post asking for help on getting this working for you. I do not have a firewall model which…
-
So external primary is 10.10.150.1/21? If so, why do you need these secondary subnet entries? FYI, V12.9.3 is now out, but I doubt that the results would be different. Consider opening a support case on this.
-
With V12.9.3, OpenSSL is at v1.1.1t
-
Also, what Fireware version are you running?
-
Exactly what IP addrs/subnets are defined to external here? 10.10.150.1/21 and 10.10.150.1/26 and 10.10.151.1/24? Are any of the external IP addrs used any place else, such as for internal devices?