Comments
-
From a quick look at the script for Mac & iOS, it seems that you can add a 2nd entry in the SearchDomains section, with the same format as the existing string entry, since the type for SearchDomains is Array.
-
If you want the router connections to be behind your T85, you can set up 1-to-1 NAT entries with the desired public IP addr and the private IP addr of the router external interface. You also could put a switch outside your firewall and have all of the other routers and your firewall connected to it, and have each of those…
-
No idea. I have no experience with them.
-
You can add this to the AddVPN.ps1 file in the PS folder, below the Set-VpnConnectionIPsecConfiguration line. Make sure that the ConnectionName matches what you have in the script. Set-VpnConnectionTriggerDnsConfiguration -ConnectionName "WG IKEv2" -DnsSuffixSearchList "dns-suffix-1.com", "dns-suffix-2.com" -PassThru…
-
Quite odd
-
Have you set up Link Monitor on both WAN interfaces? If not, please do so. We recommend something upstream, such as your ISP DNS server, or a Google (8.8.8.8, 8.8.4.4) or some other high availability DNS server for example. Check Traffic Monitor to see if there are obvious WAN outage log messages as a result. Configure…
-
I would not expect SD-WAN to stop working when a feature key expires. Seems like a bug to me. Since everything is now going out via a VPN, try changing the Global setting, Networking section, TCP MTU Probing from Disabled to "Always enabled", and see if that helps. Define Firebox Global Settings…
-
An HTTPS session is encrypted between the web client and the web server, so there is no way for the firewall to send a deny message to the web client. To do this, you need to implement HTTPS Inspect, where the session is encrypted between the web client and the firewall, the content is inspected, and then there is a session…
-
Have you looked at adding a remote printer to a main site print server, and see if that works?
-
You can add a network printer by IP addr in Windows, so that would be an option. But "seeing" a printer which is at a different site is not possible.
-
How about if Joe VPNs into site 5 instead of site 1? "Seeing" a print server uses Windows networking, which works on broadcast packets. Windows networking broadcasts don't route across BOVPNs.
-
FYI - I don't work for WG.
-
No idea. And I have no idea if a reasonable IPS signature for a pass the hash issue is possible. If you look at the NIST CVE site: https://nvd.nist.gov/vuln/detail/CVE-2024-21410 it says: "This vulnerability is currently awaiting analysis." and "Apply mitigations per vendor instructions or discontinue use of the product if…
-
CVE-2024-21410 is not currently listed in the IPS detected signatures. This Microsoft article indicates how to protect your Exchange server from this vulnerability. (missing link now added) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
-
Anything in Traffic Monitor to help understand this issue? Does the new segment have a different subnet than the one on that firewall interface? If so, did you add an IP addr from that subnet on the firewall interface as a secondary IP addr?
-
While not recommended, you can modify the .xml file with a text editor, which should allow such a change using find/replace. Some use Notepad++ as this type of text editor. Always have a current good backup of the .xml file prior to making any change such as this. You can use WSM Policy Manager or the Web UI to load a…
-
Is this what you are looking for? Use a Branch Office VPN for Failover From a Private Network Link — Configuration Example https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/configuration_examples/vpn_failover_config_example.html
-
You can request a case to be escalated, if you end up with a support tech who isn't really helping.
-
Do you see any denies or Proxy Strips in Traffic Monitor when these accesses are tried?
-
Relatively slow transfers when using SMB will also be true for IKEv2 and IPSec VPN connections. The huge reduction in transfer rate using SSLVPN seems odd here. Not sure where to look for a cause though. Perhaps some software on the client PC which is intercepting the SSL session to do inspection?
-
Perhaps turning on diagnostic logging for IKE will show something to help. In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE Set the slider to Information or higher In the Web UI: System -> Diagnostic Log -> VPN -> IKE Click the down arrow and select Information
-
Discovery works based on broadcast packets. Broadcast packets don't normally cross routed interfaces such as from a client VPN connection to a LAN interface or from 1 LAN interface to another. So this is why you don't see results in Finder type apps. However, I would expect that entering an IP addr would work. Can you ping…
-
Perhaps @"james.carson" will comment here.
-
There is an onboard encryption chip on most if not all WG firewall CPUs, which does offload VPN encryption for IKE, but not for SSL, so IKE will be faster than SSL. "Force all client traffic through tunnel" makes Internet access from the SSLVPN client go to the WG firewall and then to the Internet, which will almost always…
-
WebBlocker is one possible place. The other is Application Control. Note that WB only works for HTTP & HTTPS sites, via their proxy policies, whereas App Control can be enabled on all outgoing policies. Review this. Application Control…
-
Review this: https://answers.microsoft.com/en-us/windows/forum/all/asked-1k-times-how-to-disable-turn-off-password/556d4d5d-c613-4f35-852a-071cb0f82cd7
-
Yes. And you can see the details of your Feature Key & what is enabled and any expiration dates in: System -> Feature Key
-
You can test this from the office PC
-
Are you doing a Windows Map Network Drive? The format is: \IP addr\share name
-
You need to set up a Windows share for the desired folder on that PC. Then it can be accessed from other PCs, including from a remote SSLVPN client. Once the share is set up, you can test the access from some other PC on the same network. File sharing over a network in Windows…