Comments
-
Exactly what did you do to implement this? What dynamic routing method did you set up? If you need specific help, and you have a support contract on at least 1 of the firewalls, you can open a support case on this, which you can do via the Support Center link at the top right.
-
The deny suggests that either 1) the policy does not include TCP port 5060 or 2) the packet is not coming in on external IP ending in .214
-
Import the firewall Fireware web CA certificate into your PC or web browser. Info on this is shown in the topic of your other post, here: Auth portal cert error https://community.watchguard.com/watchguard-community/discussion/27/auth-portal-cert-error You can access the firewall certs via the cert portal: http:// Firebox…
-
Have you imported the firewall Fireware web CA cert into your PC?
-
18.213.11.84 is an amazonaws.com IP addr, so it is not likely to be a Gmail IP addr...
-
Other than reply packets, what other incoming traffic do you want to have come in via WAN 2 to devices on the optional network? You should be able to specify that by using the appropriate SNAT settings.
-
You use SD-WAN on an outgoing policy to force traffic allowed by this policy to use specific external interface. About SD-WAN https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/sd-wan/sd_wan_routing_about.html
-
UserID & password are case sensitive. What is the authentication server type selected for your SSLVPN users? Perhaps this? The User name format depends on which authentication server the user authenticates to: If the Firebox configuration includes multiple authentication servers, and you want to authenticate to an…
-
Best to always read the Release Notes prior to doing an upgrade. From the Release Notes: https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Dimension_v2_2_2/WatchGuard_Dimension_2_2_2.pdf "You can upgrade to Dimension v2.2.2 directly from Dimension v2.2 or v2.2.1 only. It is not possible to…
-
Perhaps it is UDP port 443 and not TCP port 443? HTTPS is TCP port 443. Care to post a sample Traffic Monitor log message showing this?
-
Correct.
-
"It looks like Blocked Sites needs to have an expiration date though" Not true. There is no date field when you add an entry on Blocked Sites. The Blocked Sites list in FSM shows an entry such as this: 204.236.167.126 configuration Static Blocked IP NEVER EXPIRE
-
No, not blocked both ways since your current policy is only for outgoing packets - the To: field. You would need a similar policy From: 'Compromised IOC IPs' to block incoming ones. Blocked Sites blocks both incoming & outgoing.
-
Is Diagnostic Logging for Gateway AV and DLP set to Error?
-
However, I would expect to see denied in Traffic Monitor for these blocked accesses, unless you have unselected the "Send log message" option in the Logging section on this policy.
-
There is the Blocked Sites list. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_blocked_sites_web.html As far as your method - what is the goal - to only block access To these IP addrs? If so, then this should work, as long as the ANY policy is at the top of the policies…
-
Are there link lights lit on the Uplink ports on each firewall? Try a power off/on on the new building switch.
-
You will need to install the cert from the firewall or from a local Certificate Authority on local PCs in order to do Inspect. It can be done via AD GPO. Use Certificates with Outbound HTTPS Proxy Content Inspection…
-
Assuming that you have HTTPS Inspect enabled, and Logging for Reports selected for the HTTP & HTTPS proxy: Dimension -> Per Client Reports Enter the user name if this is for an authenticated user or an IP addr of the user workstation. Click UPDATE, and get a URL detail list for the dates/times selected at the top right of…
-
There is a hub & spoke method where you set up all traffic to go from remote site A to another remote site via a main site (hub). WatchGuard calls this tunnel switching. Branch Office VPN Tunnel Switching…
-
It should be possible since there is an option to select a branch office option on the Routing and Remote Access Server in Windows Server.
-
You can turn on diagnostic logging for IKE which may show something to help: In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE. Set the slider to Information or higher. In the Web UI: System -> Diagnostic Log -> VPN -> SSL. Click the down arrow and select Information. "I even already have VPN's to…
-
Make sure that IPSec forwarding is enabled on both of the NATing devices in front of each firewall.
-
The firewall drops unexpected reply packets caused by asymmetrical routing, and does not log them. Consider opening a support case on this to get the perspective from a WG rep.
-
With your public IP addresses being included in the BOVPN tunnel settings, reply packets from the far site will go back via the BOVPN and not via the Internet - so the reply will not match the sent packet in the sessions table and won't work. If you have multiple public IP addrs on your M470, you could set up SSLVPN client…
-
Any Network -> Route entries?
-
A traceroute to 172.18.2.249 should end at 172.18.2.249. No idea why this is being routed out to the Internet unless the Cisco VPN box is doing this somehow. Look at the routing table info on your firewall - FSM Status Reports or Web UI -> System Status -> Routes - maybe something there? Here is what I would expect to see…
-
Is general Internet access allowed via the SSLVPN connections? What do you see in Traffic Monitor when access to this FQDN is tried? Is your firewall public IP addr included in your BOVPN Tunnel settings?
-
You can do a packet capture on your firewall, which may show something to help. See TCP Dump, below https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
-
Any logs on the Aruba switches to look at? Seems like a switch issue