Comments

  • Relatively slow transfers when using SMB will also be true for IKEv2 and IPSec VPN connections. The huge reduction in transfer rate using SSLVPN seems odd here. Not sure where to look for a cause though. Perhaps some software on the client PC which is intercepting the SSL session to do inspection?
  • Perhaps turning on diagnostic logging for IKE will show something to help. In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE. Set the slider to Information or higher. In the Web UI: System -> Diagnostic Log -> VPN -> IKE. Click the down arrow and select Information.
  • Discovery works based on broadcast packets. Broadcast packets don't normally cross routed interfaces such as from a client VPN connection to a LAN interface or from 1 LAN interface to another. So this is why you don't see results in Finder type apps. However, I would expect that entering an IP addr would work. Can you ping…
  • Perhaps @"james.carson" will comment here.
  • There is an onboard encryption chip on most if not all WG firewall CPUs, which does offload VPN encryption for IKE, but not for SSL, so IKE will be faster than SSL. "Force all client traffic through tunnel" makes Internet access from the SSLVPN client go to the WG firewall and then to the Internet, which will almost always…
  • WebBlocker is one possible place. The other is Application Control. Note that WB only works for HTTP & HTTPS sites, via their proxy policies, whereas App Control can be enabled on all outgoing policies. Review this. Application Control…
  • Review this: https://answers.microsoft.com/en-us/windows/forum/all/asked-1k-times-how-to-disable-turn-off-password/556d4d5d-c613-4f35-852a-071cb0f82cd7
  • Yes. And you can see the details of your Feature Key & what is enabled and any expiration dates in: System -> Feature Key
  • You can test this from the office PC
  • Are you doing a Windows Map Network Drive? The format is: \IP addr\share name
  • You need to set up a Windows share for the desired folder on that PC. Then it can be accessed from other PCs, including from a remote SSLVPN client. Once the share is set up, you can test the access from some other PC on the same network. File sharing over a network in Windows…
  • So you are asking about connecting to the SSLVPN client machine when there is a connection to your main site?
  • What is the server type being accessed? Windows? If so, is this server part of a Windows domain? If so, is the SSLVPN client end providing domain user credentials when trying to connect? Check the server logs to see what the issue might be.
  • You can set up 1-to-1 NAT entries for these, which would allow Internet access to up to 10 internal devices via those public IP addrs. You can use SNAT with these IP addrs, for Internet access to internal devices via those public IP addrs. You can set up Dynamic NAT entries From: a specific internal IP addr To:…
  • Do you have a WebBlocker license on your firewall? It is included in the Basic & Total Security Suite. If you do, you can select WebBlocker options to block on the HTTP & HTTPS proxies. Review this: About WebBlocker…
  • "Custom Timeout" does only apply to TCP, and the only way to change the default UDP timeout is via the CLI. The TCP-UDP proxy does let you get specific with source IP addrs/subnets, so you could have a policy which only applies to your phones. And you can disable the 7 proxy options and enable "Other Protocols".…
  • Since the log message indicates that TCP port 80 packet is being forwarded to the web server, you need to contact your Japan folks for further help in resolving this.
  • What do you see in Traffic Monitor when this access is tried? You can turn on Logging on a policy such as the "Allow SSLVPN-Users" or whatever policy that allows SSLVPN users to access this site, to see packets allowed by the policy in Traffic Monitor. Are there any controls on the web server to prevent access from selected…
  • Are you accessing it via the internal IP addr of the site or the public IP addr? If via the public IP addr, have you set up NAT loopback for this access? NAT Loopback and Static NAT (SNAT) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
  • No. The WG WiFi 6 models are only configurable in WatchGuard Cloud. The old WiFi 5 models with a Basic license were the only models which could be configured with GWC in the firewall.
  • Many things do not work without installing a Feature Key, which requires the firewall to be registered.
  • For the record, what firewall model do you have and what version of Fireware is on it? You can see the version on Web UI -> Dashboard -> Front Panel. Have you registered this firewall and applied the Feature Key? You can see the external IP addr of your firewall on Web UI -> Dashboard -> Interfaces. What is your firewall…
  • Does your firewall have a public IP addr? If not, you probably need to enable IPSec or VPN pass through on the device in front of your firewall. What do you see in Traffic Monitor when this connection is tried? You can turn on diagnostic logging for IKE which may show something to help: In the Web UI: System -> Diagnostic…
  • You can set this on the WINS/DNS tab of Network Configuration: "In the Domain Name text box, type a domain name that a DHCP client adds to unqualified host names. This setting corresponds to DHCP option 15." This is the domain name suffix. Above quote from here in the Configure Network DNS and WINS Servers section:…
  • Most likely it is something on the client PC which is blocking this access. Any antivirus suite or similar installed? You can check the SSLVPN client logs - on Windows, right click on the SSLVPN icon -> View Logs. You can turn on diagnostic logging for SSLVPN which may show something to help in Traffic Monitor: In WSM…
  • "To download and receive signature file updates, the Firebox must have access to both services.watchguard.com and cdn.watchguard.com." Configure the Gateway AntiVirus Update Server https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/gateway_av/av_config_update_server_c.html
  • To get to the Firebox V, the SSLVPN port needs to be different than the SSLVPN port on your M590. On your M590 you need to set up an incoming policy for the Firebox V SSLVPN port with a SNAT which points to 10.0.5.5.
  • Time for a support case to get help from a WG rep in understanding and resolving this. You can do this via the Support Center link above.
  • Note that the dest interface is Firebox. Is 10.0.5.1 assigned to a firewall interface as a primary or secondary IP addr? Your ARP table should show if that is the case. Web UI -> System Status -> ARP. FSM -> Status Report -> ARP section.
  • Sorry - my explanation was for spoofed source, not unhandled... unhandled indicates that there is not a policy allowing the packet. Do you have a policy allowing UDP port 1434?