Comments
-
You do need to set up VLANs for this to work. Does your switch support VLANs? If not, then you can't do this. If it does, then you need to set up VLANs on it and on the AP. You can set up the firewall in 1 of 2 ways: 1) you set up a VLAN interface on the firewall and have both VLANs from the switch connect to this firewall…
-
Now you have some real facts to provide should you open a support case on this. Let us know if a firewall reboot resolves the issue with the 12.10 client.
-
Try the old outdated SSLVPN client...
-
Have you tried connecting a SSLVPN client from behind your firewall? That should remove any Internet related issues.
-
You can request that your case be escalated
-
There is no ability in Fireware to specify the account info for Nord or any other of these services to allow the other end to allow you to connect, even if one could figure out what the IPSec settings should be.
-
Care to provide a specific example?
-
HTTPS traffic is encrypted between the web browser and the web server, so the firewall does not know what URL is being accessed. Without Inspect being enabled on a HTTPS proxy, the only info that the firewall can match on is the CN (Common Name) or SNI (Server Name Indication) fields in the web server certificate for the…
-
I would make the other sites be responsible for their own security and have them connected outside of your firewall. Give each of the other sites a public IP addr to use. Set up an external VLAN on your layer 3 switch, and connect your ISP connection, your T85 external and all of the routers to this external VLAN.
-
A quick look at the script for Mac & iOS seems that you can add a 2nd entry in the SearchDomains section, with the same format as the existing string entry since the type for SearchDomains is Array.
-
If you want the router connections to be behind your T85, you can set up 1-to-1 NAT entries with the desired public IP addr and the private IP addr of the router external interface. You also could put a switch outside your firewall and have all of the other routers and your firewall connected to it, and have each of those…
-
No idea. I have no experiences with them.
-
You can add this to the AddVPN.ps1 file in the PS folder, below the Set-VpnConnectionIPsecConfiguration line. Make sure that the ConnectionName matches what you have in the script. Set-VpnConnectionTriggerDnsConfiguration -ConnectionName "WG IKEv2" -DnsSuffixSearchList "dns-suffix-1.com", "dns-suffix-2.com" -PassThru…
-
Quite odd
-
Have you set up Link Monitor on both WAN interfaces? If not, please do so. We recommend something upstream, such as your ISP DNS server, or a Google (8.8.8.8, 8.8.4.4) or some other high availability DNS server for example. Check Traffic Monitor to see if there are obvious WAN outage log messages as a result. Configure…
-
I would not expect SD-WAN to stop working when a feature key expires. Seems like a bug to me. Since everything is now going out via a VPN, try changing the Global setting, Networking section, TCP MTU Probing from Disabled to "Always enabled", and see if that helps. Define Firebox Global Settings…
-
A HTTPS session is encrypted between the web client and the web server, so there is no way for the firewall to send a deny message to the web client. To do this, you need to implement HTTPS Inspect, where the session is encrypted between the web client and the firewall, the content is inspected, and then there is a session…
-
Have you looked at adding a remote printer to a main site print server, and see if that works?
-
You can add a network printer by IP addr in Windows, so that would be an option. But "seeing" a printer which is at a different site is not possible.
-
How about if Joe VPNs into site 5 instead of site 1? "Seeing" a print server uses Windows networking, which works on broadcast packets. Windows networking broadcasts don't route across BOVPNs.
-
FYI - I don't work for WG.
-
No idea. And I have no idea if a reasonable IPS signature for a pass the hash issue is possible. If you look at the NIST CVE site: https://nvd.nist.gov/vuln/detail/CVE-2024-21410 it says: "This vulnerability is currently awaiting analysis." and "Apply mitigations per vendor instructions or discontinue use of the product if…
-
CVE-2024-21410 is not currently listed in the IPS detected signatures. This Microsoft article indicates how to protect your Exchange server from this vulnerability. (missing link now added) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
-
Anything in Traffic Monitor to help understand this issue? Does the new segment have a different subnet than the one on that firewall interface? If so, did you add an IP addr from that subnet on the firewall interface as a secondary IP addr?
-
While not recommended, you can modify the .xml file with a text editor, which should allow such a change using find/replace. Some use Notepad++ as this type of text editor. Always have a current good backup of the .xml file prior to making any change such as this. You can use WSM Policy Manager or the Web UI to load a…
-
Is this what you are looking for? Use a Branch Office VPN for Failover From a Private Network Link — Configuration Example https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/configuration_examples/vpn_failover_config_example.html
-
You can request a case to be escalated, if you end up with a support tech who isn't really helping.
-
Do you see any denies or Proxy Strips in Traffic Monitor when these accesses are tried?
-
Relatively slow transfers when using SMB will also be true for IKEv2 and IPSec VPN connections. The huge reduction in transfer rate using SSLVPN seems odd here. Not sure where to look for a cause though. Perhaps some software on the client PC which is intercepting the SSL session to do inspection?
-
Perhaps turning on diagnostic logging for IKE will show something to help. In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE. Set the slider to Information or higher. In the Web UI: System -> Diagnostic Log -> VPN -> IKE. Click the down arrow and select Information.