Bruce_Briggs
About
- Display Name
- Bruce_Briggs
- Joined
- Visits
- 1,093
- Last Active
- Roles
- No Roles
- Points
- 149
- Badges
- 3
Comments
-
An incoming SNAT should work. However, we strongly recommend that you have your remote users who need to use RDP 1) come from specific Internet IP addrs You specify these IP addrs on the incoming RDP policy From: field - use SNAT on this policy or …
-
Since you are blocking .exe files on a HTTP proxy action in the Body Content Types section, there is no way to get around that other than using a different policy to access that .exe
-
ISP outage ? Do you have Link Monitor enabled on your external interface to something upstream ? DNS server outage? Do you have multiple external DNS servers defined for your client devices? Generate a support file, and open a support incident. Pe…
-
Looks to me that Google (or something) uses storage.googleapis.com for updates. I can't find anything on the Internet to indicate what storage.googleapis.com/update-delta is user for. This is TCP port 80 access: storage.googleapis.com/update-delta…
-
Not really. For this case, since this site is a HTTPS site, you need to have an Inspect entry for the domain on your HTTPS proxy. Then on the HTTP proxy action on your HTTP proxy action, you can have 2 URL entries - 1 allowing your exact URL, and a …
-
d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe IS NOT A DOMAIN NAME !!!!! This is: d17kmd0va0f0mp.cloudfront.net
-
If you are accessing from a different subnet, then perhaps it is a subnet mask or gateway addr issue. Otherwise, time for a support incident.
-
Log into the WatchGuard support portal. Then select My Watchguard. You will find a number of options, including: WatchGuard Cloud Manage TDR WatchGuard Cloud includes Authpoint and the Dimension like logging & reporting "WatchGuard Cloud&q…
-
DPI entries are for a Domain Name, not a URL. And, since this is for a HTTPS web site, one would never prepend HTTPS:// since that is a given. Same for a HTTP domain name or a HTTP URL - one would not enter HTTP:// - just the stuff after it.
-
Review this: WatchGuard Security Services https://www.watchguard.com/wgrd-products/security-services It explains what each of the additional licensed security products offer. Features not listed here are part of standard XTM.
-
It is a standard part of XTM. It is not related to WebBlocker.
-
You can apply quotas to a policy. Review this: About Quotas https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/quota_about_c.html
-
Did you add an Allow entry in your HTTPS proxy action for: d17kmd0va0f0mp.cloudfront.net ?
-
Torrents & gaming generally do not use HTTP or HTTPS ports, so WebBlocker is of no use to block those. Get an Application Control license, and then you can easily block those. Alternatively, deny all outgoing packet types which you do not speci…
-
The sites don't get blocked - they just don't work. So you do need to log the Allows, to find out what is being accessed. One does see various SSL Errors, Peer certificate preverify failed, etc. which can indicate a problem site.
-
You can select the "Log" option on the Action -> Inspect setting on your HTTPS proxy action. You can select General Settings -> "Enable logging for reports" on your HTTPS proxy action.
-
But when I search that site for :D (colum D) no hits are found. So what am I missing?
-
When I click this link I get that SplashtopSOS.exe is a binary file, and do I want to allow it.
-
Best to open a support incident. I can't think of a reason for this - unless you have select the Global option of "Enable configuration of policies for traffic generated by the Firebox" and have a DNS policy (proxy?) above the Any from Fir…
-
The real solution probably is to have different policies based on IP addrs or on user IDs. If you have an AD domain, then you can implement SSO, and then use AD groups or AD user IDs on selected policies. If you don't have an AD domain, you can s…
-
Thanks Also, can you post a link to a Markdown doc which shows the meaning of :D :P Note that colon D displays as an imogee on this board
-
No - broadcast packets are blocked across routed interfaces which includes VLANs. What is the need for this broadcast traffic to cross VLANs ?
-
So we now need to learn Markdown in order to post many things correctly here ???? NOT user friendly. Is there no default option which could be set for these boards to allow text to be not modified unless using Markdown ???
-
Is traffic going over the BOVPN continuously ? BOVPNs which do not have keep-alive traffic and have periods of no traffic will end, and will restart when there is traffic to go over them again. Could this be your case?
-
My primary comment is about split tunnel VPNs. This is a potential significant security risk, and you should seriously consider not using split tunneling client VPNs. You can find many discussions on the security issues related to this. Here is one:…
-
To see deny log messages in Traffic Monitor for denies caused by WebBlocker: On your HTTPS proxy action -> WebBlocker tab, you do have "Log this action" selected ? If not, select it. You can also select the "Log this action" o…
-
Sorry Gregg, I ate that piece of pie :wink: Does your Chrome session really use HTTPS and thus your HTTPS proxy, or perhaps it is using QUIC? I block QUIC on my firewall, and I can't get to that site using Chrome.
-
Select the View/Edit Proxy icon on your HTTPS proxy, on the Action de proxy line. The same for the HTTP proxy Review these: HTTPS-Proxy: Content Inspection https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/https/…
-
Inspect expects things to be correct. With Inspect, the HTTPS proxy expects to see real HTTP protocol being used, and the correct cert chain.
-
You need to edit the HTTP & HTTPS proxy action, and make any needed changes there. When you change a default proxy action you will be prompted to save the change as a new proxy action name.