Comments
-
Ventura is not supported yet. The WG SSLVPN client is based on the OpenVPN SSL client. The OpenVPN SSL client does not currently support Ventura. https://openvpn.net/client-connect-vpn-for-mac-os/ Welcome the the bleeding edge of recently released software. Many of us wait for a while until the product is more mature and…
-
Also, I use FSM Traffic Monitor, with Max log messages set to 25K. This allows me to see a lot of entries for a specific IP addr over a period of time.
-
When I click on the Amazon app, I quickly see a ton of log records in Traffic Monitor because of all of the logging options that I have turned on on my HTTPS proxy action & the HTTP proxy action on the HTTPS proxy action. The majority of the log records are Headers being stripped - many beginning with x- I do use a DNS…
-
I still have no issues with MS Office updates. Could this possibly be a Geo block issue? MS updates can come from IP addrs associated from many countries.
-
There is no ability to do this in Policy Manager or the Web UI. They are in the order to which they were added. The same is true for an Alias.
-
To see where the DNS packets are being forwarded, you need to select "Enable logging for traffic sent from this device", which will show all packets being sent by your firewall. Normally these packets are not shown in Traffic Monitor. From the Web UI:…
-
I don't have that problem. My Amazon app opens with content very quickly. Try setting up an Any packet filter for the IP addr of a test iPhone. If content opens quickly, then look at the policies that are being used to allow this content. I have logging enabled on all of my policies, and for all of my HTTP & HTTPS proxy…
-
Does the e-mail server require a different port than standard TCP port 25? For example, Gmail requires SSL/TLS - TCP port 465. Gmail also requires an user name & password.
-
Yes. Standard routing - to access anything not on your local subnet - traffic goes to your default gateway to be forwarded to the destination IP addr. You can verify this by turning on Logging on your explicit firewall rule - do a test access to VLAN 4 and look at Traffic Monitor to see the allow log entry for this.
-
Turn on Logging on your Outgoing policy to see that is being allowed by it in Traffic Monitor and/or your log server. Then you can try to identify what policies you need to add to your config to allow desired traffic. Then you can disable the Outgoing policy. This can be a time consuming process. Best to warn your users…
-
The domain name suffix is for when you want to connect to local devices or local web sites, etc., by a domain name. Since you don't seem to have that need, you don't need to worry about providing a domain name suffix. Your firewall settings seem OK to me.
-
Is your incoming bandwidth high, near max utilization? Than could be a cause. What does a speed test show from an iOS device ?
-
There is no way that we on the boards can know what happened here, or why. Best to open a support case to get WG help in understanding this. They can review your configs, etc.
-
Anything in Traffic Monitor to help understand this? You can turn on diagnostic logging for IKE which may show something to help: In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE In the Web UI: System -> Logging -> Settings Set the slider to Information or higher
-
"enable DNS Forwarding" option doesn't hurt here. It will only be used when some internal device is set up the firewall interface IP addr as its DNS server IP addr. Devices which get their IP addr & DNS info from the firewall DHCP function will get the DNS server IP addr which you have set up on the WINS/DNS tab. You can…
-
1) yes - the standard functions will continue to work Separately licensed security subscriptions stop working when those subscriptions expire. 2) not sure exactly what you are asking here
-
So where was the issue? Your ISP someplace?
-
See the "Enable the Firebox as an NTP Server" section, here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/NTP_server_enable_add_c.html
-
You can't edit a Managed BOVPN in WSM Policy Manager
-
Yes, using Link Aggregation of 2 @ 1 Gbps interfaces, or by using a WG firewall set up with a 10 Gbps external interface. Review this: About Link Aggregation https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/link_aggregation_about_c.html
-
Sorry, I misread your 1st post. It looked to me like you have a BOVPN between each firewall. When connected to firewall A by a VPN client, how are you trying to connect to a server on firewall B? By the firewall B external interface IP addr?
-
You have an A/P cluster. Member A is in standby.
-
Your BOVPN Tunnel settings need to include the SSLVPN virtual IP addr subnet, on both ends, for SSLVPN client traffic to go across the BOVPN.
-
Is this an A/A cluster or a an A/P cluster? If an A/P cluster, then only the master cluster member is active. I would not expect Fireware DHCP to be active on the passive member. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_about_wsm.html Active/Passive cluster In an…
-
Generally no. The exception is the TCP-UDP proxy which will look for HTTP, HTTPS, SIP, FTP, IMAP, POP3, and SMTP packets sent on non-standard ports. About the TCP-UDP-Proxy https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/tcp/tcp_udp_proxy_about_c.html
-
Could be that the app is using QUIC - HTTP & HTTPS over UDP, instead of the standard HTTP & HTTPS using TCP. The Fireware HTTP & HTTPS proxies do not inspect UDP packets. I have a Custom Packet Filter policy near the top of my config which blocks QUIC - UDP port 80 & 443 - HTTP & HTTPS over UDP.
-
I see Suriname show up in WSM Policy Manager. The country which shows up as France (FRA) seems to be French Guiana.
-
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_c.html
-
Yes, using SSO - WG AD authentication
-
Add a Custom Packet Filter for TCP port 8443 From: the IP addrs of the 2 computers To: Any-external