Bruce_Briggs

About

Display Name: Bruce_Briggs
Visits: 5,509
Roles: No Roles
Points: 689
Badges: 9

Comments

  • I had no issues doing this config migration to a new firewall in the past. My GWC configured AP300 had no issues going from a T35 to a T20 in Jan 2020.
  • Yes. Review this doc page: About FireCluster https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_about_wsm.html
  • These all provide graphs of bandwidth use. Current use: WSM Firebox System Manager -> Bandwidth Meter; Web UI -> Dashboard -> Interfaces. Historical use: Dimension -> Reports -> External Bandwidth. You can also use SNMP reporting tools to provide historical graphs. Examples include MRTG & PRTG, plus many others.
  • It is possible on your HTTP or HTTPS proxy policies that you do have some deny entries which are not set to Log. You need to check all of the proxy options to see. Also, for debugging of a proxy, turn on Logging on all settings which are allowed. You could use a HTTP/HTTPS packet filter To: the Pitney Bowes domain name or…
  • V12.8.1 resolves this issue. Memory issues related to AV scans have been addressed which helps smaller memory firewall models.
  • My post is for BradH, re: his auto-block comment.
  • "Any" policies are put at the bottom of the list when using Auto-Order Mode. Review this section in the docs: Automatic Policy Order https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policy_precedence_about_c.html
  • For diagnostic purposes, turn on Logging on this policy to see packets allowed by it in Traffic Monitor. Re: 2nd question - what is currently allowed over the BOVPN at the remote site? If it is an Any policy - then nothing. And for diagnostics - adding a specific policy on the remote firewall To the time clock so that…
  • @BradH: I do not recommend using "Auto-block of source IP of unhandled external packets" as there will be many unexpected IP addrs ending up on the Blocked Sites list. Some examples: HTTPS sites, DNS servers which have very slow responses. HTTPS site example: an HTTPS reply packet for which there is no longer a match in…
  • Note that none of the wifi 5 cloud features such as WIPS are currently available for the wifi 6 products.
  • Yes, or what policy would be applied. Sometimes Policy Check doesn't provide a policy name when in fact there is a policy which matches the entered info. I don't have a cluster, so I can't respond to the cluster issue.
  • That won't work directly because the reply packet will go out the Starlink path instead of coming back over the BOVPN. To get reply packets to come back over the BOVPN, you need to change the source IP addr of the incoming packet to something which will be routed back over the BOVPN from the other end. I recommend that you use the…
  • CBC seems to be the culprit here.
  • Also you need to import the Feature Key
  • As long as you ran the Quick Setup Wizard, and have External set to DHCP, you should be able to connect to the Internet.
  • Also, try a power off/on of your fiber internet device and see if that makes a difference.
  • Do you get a link light on your firewall interface or on your laptop Ethernet port? If not, try the other Ethernet cable type - there are 2: straight-through and cross-over. https://www.computercablestore.com/straight-through-crossover-and-rollover-wiring Can you ping www.google.com? If so, this could be a DNS issue.…
  • No, you normally can't. There was a recent exception as a result of the Cyclops Blink exposure, where current firewall models could get upgraded even if there was no active support license. "All active Standard and Gold Support subscriptions include phone and web-based support, software updates and enhancements, and advance…
  • No, it shouldn't. All functions which are not security add-on licenses should continue to work as before the expiration. If you haven't done so already, you should upgrade them to the latest Fireware version available for each firewall.
  • Denver is most likely being resolved by devices local to it using NetBIOS. The remote PCs don't get NetBIOS broadcasts from the main site, so they would not know what "Denver" means. Assuming that denver.yourdomain.local or similar is registered in your DNS server, then remote users could access "denver" if they have a DNS…
  • 1) By default, allowed packets are not shown in Traffic Monitor. To see packets allowed by a specific policy, you need to turn on Logging on it. 2) One needs to see all of a deny log record to see all of the fields in it to know why a packet is being denied.
  • An HTTP packet filter does not have UDP port 80 in it. Did you add an HTTP packet filter to allow this access? UDP port 80 should not be needed here. To remove the UDP port, you probably need to delete this policy and add one without the UDP port 80.
  • 56510 is the source port of the packet. WSM Firebox System Manager -> Traffic Monitor has a Settings option of Show Log Field Names which can make understanding the fields in a log message easier for newer users.
  • "Deny 10.0.20.5 10.0.100.100 56510 80 20-Admins 1-Trusted" This says that there is no policy allowing TCP port 80 (HTTP) from 10.0.20.5 on the 20-Admins interface to 10.0.100.100 on the 1-Trusted interface. So you need to add an HTTP policy to allow this access. For this, I would use an HTTP packet filter.
  • What do you see in Traffic Monitor when you try to access the Netgear? Where is the Netgear located in your network setup? What is the default gateway of the Netgear?
  • Yes. There is an online Help system. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/_intro/fireware_help_front.html Add Policies to Your Configuration https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/add_policy_c.html
  • Logging may help
  • Add an Any packet filter, From: CMM To: Any-external Set this policy to Denied. Move this policy to the top of your policy list. Packets denied by this policy will show in Traffic Monitor.
  • Block Internet access for what? The "web gui" - meaning the firewall Web UI? If so, the default setup is to only allow access from internal access. The policy name is "WatchGuard Web UI". FYI, besides the Web UI, there are Windows-based management tools - WatchGuard System Manager, which many of us use.
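Several of the comments above turn on reading a Traffic Monitor deny record field by field (source IP, destination IP, source port, destination port, source interface, destination interface) and then choosing the packet filter that would allow the traffic, while not mistaking the ephemeral source port (56510) for something that belongs in a policy. The following is an added example, not code from the original page or from WatchGuard: it parses records of the exact shape quoted in the comment, labels the fields the way the "Show Log Field Names" setting would, and suggests the packet filter to add. The seven-field layout, the sample log lines and the port-to-filter-name table are assumptions constructed for this example; real Fireware log messages carry more fields than the quoted line shows.

```python
"""Parse Traffic Monitor deny records of the shape quoted in the comment above
and suggest the packet filter that would allow the denied traffic.

Assumed field order (taken from the comment's reading of the quoted line):
    action src_ip dst_ip src_port dst_port src_interface dst_interface
Real Fireware log messages contain additional fields; they are ignored here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# Constructed sample records modelled on the line quoted in the comment.
SAMPLE_LOG = """\
Deny 10.0.20.5 10.0.100.100 56510 80 20-Admins 1-Trusted
Allow 10.0.20.7 10.0.100.100 51222 443 20-Admins 1-Trusted
Deny 10.0.20.9 10.0.100.100 40001 22 20-Admins 1-Trusted
"""

# Assumed mapping from destination port to the predefined packet filter
# one would add for it. Unknown ports fall back to a custom TCP policy.
PACKET_FILTER_FOR_PORT: Dict[int, str] = {80: "HTTP", 443: "HTTPS", 22: "SSH", 53: "DNS"}


@dataclass(frozen=True)
class TrafficRecord:
    action: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    src_port: int
    dst_port: int
    src_iface: str
    dst_iface: str


def parse_record(line: str) -> TrafficRecord:
    """Split one log line into its fields; raise on malformed input."""
    parts = line.split()
    if len(parts) < 7:
        raise ValueError(f"expected at least 7 fields, got {len(parts)}: {line!r}")
    action, src, dst, sport, dport, sif, dif = parts[:7]
    return TrafficRecord(
        action,
        ipaddress.IPv4Address(src),
        ipaddress.IPv4Address(dst),
        int(sport),
        int(dport),
        sif,
        dif,
    )


def labelled(rec: TrafficRecord) -> Dict[str, str]:
    """Render the record with field names, as 'Show Log Field Names' does."""
    return {
        "action": rec.action,
        "src_ip": str(rec.src_ip),
        "dst_ip": str(rec.dst_ip),
        "src_port": str(rec.src_port),
        "dst_port": str(rec.dst_port),
        "src_intf": rec.src_iface,
        "dst_intf": rec.dst_iface,
    }


def is_ephemeral(port: int) -> bool:
    """Client-side source ports are picked from the dynamic range; they must
    never be written into a policy, only the destination port matters."""
    return port >= 1024


def suggest_policy(rec: TrafficRecord) -> Optional[str]:
    """For a Deny record, name the packet filter that would allow it."""
    if rec.action != "Deny":
        return None
    name = PACKET_FILTER_FOR_PORT.get(rec.dst_port, f"TCP-{rec.dst_port}")
    note = ""
    if is_ephemeral(rec.src_port):
        note = f" (source port {rec.src_port} is ephemeral; leave it out of the policy)"
    return (
        f"{name} packet filter From: {rec.src_iface} To: {rec.dst_iface}, "
        f"{rec.src_ip} -> {rec.dst_ip} dst port {rec.dst_port}{note}"
    )


def summarize(log_text: str) -> List[str]:
    """Return one suggestion per Deny record; Allow records are skipped."""
    suggestions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        suggestion = suggest_policy(parse_record(line))
        if suggestion:
            suggestions.append(suggestion)
    return suggestions


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```

The suggestion deliberately names a destination-port packet filter (HTTP for port 80) rather than anything involving port 56510; the same reasoning is why a UDP 80 entry has no place in an HTTP policy.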