Comments

  • On Link Monitor, you specify a target for checking for the WAN. It is recommended to select something upstream from your firewall default gateway. I use a public DNS server such as the Google DNS server IP addr, 8.8.8.8 or 8.8.4.4, or another public DNS server, 1.1.1.1. That Link Monitor selection will be reflected on the…
  • For example, create 2 HTTPS policies: 1 for WAN 1, the other for WAN 2. On the policy for WAN 1, you specify in the From and/or To fields the traffic that you want to use WAN 1. The To: field can include IP addrs, subnets and/or FQDNs. The policy for WAN 2 needs to be below WAN 1, and the To: field can be Any-external,…
  • Looks like you need a policy allowing access from the server to SSLVPN-Users, assuming that the source IP addr is the server IP addr and that the dest IP addr is the SSLVPN virtual IP addr.
  • You can test this locally - from a laptop behind your firewall, connected using SSLVPN, with a printer connected to the laptop.
  • While not in the office, the user's device is not connected to your domain.
  • Add the appropriate policy to allow this traffic. What access do you want to allow?
  • Is there a domain trust set up between both domains? Can he access by IP addr?
  • No idea what admd is. However, V12.11 is now out, so perhaps this version addresses the issue. There is this fix in it: "This release resolves an issue that caused high CPU usage when a USB drive was plugged in. [FBX-24321]"
  • Yes. For A/P, just one firewall is active and holds the external IP. This is done using VRRP. Active/Passive Cluster ID and the Virtual MAC Address: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html For A/A, Multicast MAC Addresses are used to share the…
  • For an A/A cluster, doesn't the Web UI show the external IP addr of the firewall you connect to when connecting to the trusted IP addr of the firewall?
  • Here is an older article on supported cell modems: Supported 3G/4G USB cellular modems and LTE interfaces for modem failover Question https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3PeSAI&lang=en_US Review this topic: Supported 5G modems…
  • Perhaps this? The Mobile VPN with SSL Client for Windows now supports SAML authentication. [FBX-26372]
  • The 1st HTTPS policy matching the From: & To: fields will be used. No following HTTPS policy will be checked for this traffic.
  • Off hand, no idea.
  • re: "It appears from the logs that in some cases, it's identifying the browser traffic as an application which makes no sense" This is coming from Application Control being enabled on your HTTPS proxy. You can also use App Control to deny access
  • I'm not seeing a reason why https://nordvpn.com is not being blocked. Some background: The HTTPS proxy can't see the URL being accessed unless Inspect is enabled, since the traffic from the web client to the web server is encrypted. For un-Inspected web site access, the HTTPS proxy will look at the SNI and the CN fields of…
  • What is not working as you desire here?
  • Will your switch allow 2 different subnets to be defined as on the same VLAN??? On the firewall, a VLAN has a specific subnet defined to it. If traffic comes in tagged for that VLAN but from a different subnet, I would expect those packets to be denied as spoofed source.
  • Here is one: Is it possible to host web server or some other web service on Starlink? Yes! With IPv6 and Cloudflare reverse proxy https://luka.manojlovic.net/2023/12/31/is-it-possible-to-host-web-server-or-some-other-web-service-on-starlink-yes-with-ipv6-and-cloudflare-reverse-proxy/
  • Can the VPN client ping 172.16.111.254? Add an Any packet filter on site B, From: 172.16.113.0/24, To: 172.16.111.0/24. Move this policy to the top of your policies list. Turn on Logging on this policy. Test access from the VPN client and see what shows up in site B Traffic Monitor.
  • “Route VPN Traffic” allows the SSLVPN client to access subnets other than the virtual IP subnet set in the SSLVPN setup. “Bridge VPN Traffic” will not allow access to subnets other than the subnet specified in the SSLVPN setup. Do you have a route to 172.16.113.0 at site B?
  • Care to explain your "bridge" connection between the 2 firewalls?
  • From the docs: "Select Bridge VPN Traffic to bridge SSL VPN traffic to a network you specify. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to." With this option, the SSLVPN client will only get access to the specific subnet that you…
  • “Route VPN Traffic” is what you need. What option is selected on the SSLVPN setup on your firewall: "Force all client traffic through the tunnel" or "Specify allowed resources"? If "Specify allowed resources", does that list include the subnet on site B? Please explain the connection for "the bridge between A and B".
  • The routing won't happen with your current setup. Traffic from site B will never leave site B for an IP addr on site B's subnet located anyplace else. You would need to have a bridge set up over the fibre between your current site B LAN switch and the new switch at site A. Or, you need to rethink the need for this…
  • Try this: if you attempt to connect to the firewall using WSM directly (using File -> Connect to Device) you should be able to connect. When you open Policy Manager, select the option to release from centrally managed mode. Once it finishes loading, you should be able to go to File -> Open -> Configuration File. This is…
  • Also, the T20 goes End of Life on Jul 01, 2028. Consider a newer model type, perhaps a T25 which is suggested as the replacement for the T20. End of Life Policy https://www.watchguard.com/wgrd-trust-center/end-of-life-policy
  • Application Control, which is included in the Basic Security Suite, has a list of VPNs that it can block. Many of these use Wireguard, including Surfshark. You can see the categories which can be blocked, here: https://securityportal.watchguard.com/Applications You can learn about Application Control, here: Application…
  • V12.5 ? The latest version for a M470 is v12.10.4 Update 2
  • What is the device on the remote end? Any logs on the remote end to help understand this? You can turn on diagnostic logging for IKE, which may show something to help. In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE. Set the slider to Information or higher. In the Web UI: System -> Diagnostic Log…
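Several of the comments above (the two-policy WAN 1 / WAN 2 setup, and "the 1st HTTPS policy matching the From: & To: fields will be used") hinge on first-match evaluation of an ordered policy list. The following is an added example, not code from the WatchGuard documentation or from any commenter: a small first-match evaluator in Python that models From/To entries as aliases, subnets or FQDNs and reports which policies a set of sample flows never reach. The policy names, the trusted subnet 10.0.1.0/24, the destination addresses and the FQDN portal.example.com are all constructed, and the alias semantics ("Any", "Any-trusted", "Any-external") are a simplification assumed for the demo.

```python
"""Added example (not WatchGuard's code): first-match policy ordering demo.
Everything below (subnets, FQDNs, policy names, alias semantics) is constructed."""
import ipaddress

# Constructed: the subnet behind the firewall that "Any-trusted" stands for here.
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]


def entry_matches(entry, ip, fqdn=None):
    """True if one From/To entry matches the given address (and optional FQDN).

    Simplified alias handling assumed for this demo: "Any" matches everything,
    "Any-trusted" matches TRUSTED_NETS, "Any-external" matches anything else.
    Any other entry is parsed as an IP/subnet; if that fails it is treated as an
    FQDN and compared case-insensitively.
    """
    addr = ipaddress.ip_address(ip)
    in_trusted = any(addr in net for net in TRUSTED_NETS)
    if entry == "Any":
        return True
    if entry == "Any-trusted":
        return in_trusted
    if entry == "Any-external":
        return not in_trusted
    try:
        return addr in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return fqdn is not None and entry.lower() == fqdn.lower().rstrip(".")


def first_match(policies, src_ip, dst_ip, dst_fqdn=None):
    """Walk the list top to bottom; the first policy whose From AND To fields
    both match wins, and no later policy is consulted for that traffic."""
    for pol in policies:
        if any(entry_matches(e, src_ip) for e in pol["from"]) and \
           any(entry_matches(e, dst_ip, dst_fqdn) for e in pol["to"]):
            return pol["name"]
    return None


def shadowed(policies, flows):
    """Names of policies that none of `flows` ever reaches. A specific policy
    placed below a broader one (e.g. To: Any-external) shows up here."""
    hit = {first_match(policies, *flow) for flow in flows}
    return [pol["name"] for pol in policies if pol["name"] not in hit]


# Constructed policies: specific destinations out WAN 1, everything else out WAN 2.
HTTPS_WAN1 = {"name": "HTTPS-WAN1", "from": ["Any-trusted"],
              "to": ["203.0.113.0/24", "portal.example.com"], "via": "WAN1"}
HTTPS_WAN2 = {"name": "HTTPS-WAN2", "from": ["Any-trusted"],
              "to": ["Any-external"], "via": "WAN2"}
CORRECT_ORDER = [HTTPS_WAN1, HTTPS_WAN2]   # specific policy above the catch-all
WRONG_ORDER = [HTTPS_WAN2, HTTPS_WAN1]     # catch-all first: WAN1 policy never fires

# Constructed sample flows: (src_ip, dst_ip, dst_fqdn)
FLOWS = [
    ("10.0.1.20", "203.0.113.5", None),
    ("10.0.1.20", "198.51.100.7", None),
    ("10.0.1.21", "198.51.100.9", "portal.example.com"),
]

if __name__ == "__main__":
    for order, label in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        chosen = [first_match(order, *flow) for flow in FLOWS]
        print(label, chosen, "shadowed:", shadowed(order, FLOWS))
```

Running it shows the point made in the comments: with the catch-all Any-external policy above the specific one, every flow lands on HTTPS-WAN2 and HTTPS-WAN1 is reported as shadowed; with the specific policy on top, the 203.0.113.0/24 and portal.example.com flows take WAN 1 and only the remaining traffic takes WAN 2.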
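The comment about https://nordvpn.com explains that, without Inspect enabled, the HTTPS proxy cannot see the URL and instead looks at the SNI (and the certificate CN) to decide what the client is connecting to. The following is an added example, not code from WatchGuard or from any commenter: a Python parser that pulls the server_name out of a raw TLS ClientHello record, plus a suffix-based domain check of the kind an un-Inspected proxy can make on that name. The ClientHello bytes are constructed inline by a helper in the block (a minimal TLS 1.2-style hello with one cipher suite), and the blocked domain nordvpn.com is taken from the comment above; everything else is an assumption for the demo.

```python
"""Added example (not WatchGuard's code): SNI extraction from a TLS ClientHello
and a suffix-based block decision on the extracted name. Test input is constructed."""
import struct


def build_client_hello(server_name, include_sni=True):
    """Constructed test input: a minimal ClientHello record, optionally with an
    SNI extension. This is NOT a captured packet."""
    exts = b""
    if include_sni:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = SNI
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32            # client_version + random (fixed for demo)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the record is not a ClientHello, has no SNI, or is truncated."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9                       # record header (5) + handshake type/length (4)
        pos += 2 + 32                 # client_version + random
        pos += 1 + record[pos]        # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]        # compression_methods
        if pos + 2 > len(record):
            return None               # no extensions block at all
        ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0x0000:       # server_name extension
                lpos = pos + 2        # skip server_name_list length
                while lpos + 3 <= pos + elen:
                    ntype = record[lpos]
                    nlen = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
                    lpos += 3
                    if ntype == 0:
                        return record[lpos:lpos + nlen].decode("ascii")
                    lpos += nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Domain from the comment above; the proxy matches the name, not the URL path.
BLOCKED_DOMAINS = {"nordvpn.com"}


def sni_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals, or is a subdomain of, a blocked domain.
    A missing SNI yields False here: the name-based check simply has nothing
    to work with, which is exactly the gap the comment describes."""
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(record):
    """Combine the two steps: ('deny'|'allow'|'no-sni', extracted host)."""
    host = extract_sni(record)
    if host is None:
        return ("no-sni", None)
    return ("deny" if sni_blocked(host) else "allow", host)


if __name__ == "__main__":
    for name in ("nordvpn.com", "www.nordvpn.com", "example.com"):
        print(name, decide(build_client_hello(name)))
    print("no SNI", decide(build_client_hello("nordvpn.com", include_sni=False)))
```

Two practical notes follow from the code: the suffix check deliberately treats www.nordvpn.com as blocked but notnordvpn.com as a different domain, and a ClientHello with no SNI at all falls through as "no-sni", which is why a proxy that is not inspecting also has to fall back on the certificate CN the comment mentions.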