Comments

  • @Becha69 - Sorry, it's been a while. The OTP code needs to be sent in plaintext, i.e. not encrypted. If you set MS-CHAPv2, Push can work (and I think the Phone Call as well), but any code methods (SMS, App Code) won't work, as the backend is unable to decode and verify the encrypted OTP, hence the unencrypted PAP mode. @Darnaud…
  • Hi Tristan, thanks for your input, but as Bruce highlighted, the issue isn't related to bandwidth constraints. In the instance that we had, a user was compromised, and then their AD account was used to upload significant data using a combination of Mega Upload, FTP and AnyDesk services. While I can block these from an…
  • Sorry to resurrect an old feature request, but I think that this is important. I'm seeing more scripts hit GitHub with the ability to fire off payloads dynamically through TOR exit nodes, and individually creating aliases across all clients that we manage will require significant time and upkeep. If there was either an…
  • Hi James, could you clarify the following scenarios in which the IPS signature will work? a) HTTPS server behind a packet filter rule with IPS enabled; b) HTTPS server behind a proxy filter rule, DPI not enabled and IPS enabled; c) HTTPS server behind a proxy filter rule, DPI enabled and IPS enabled. Just want to ensure that…
    in Log4J Comment by DaveDave December 2021
  • Hi Travis, I've found that Mac/iOS devices have been fine with L2TP, whereas Windows devices need a bit more prodding to get going, to the point now where we have standardised on setting this regkey before doing any other troubleshooting. Windows 10/8.1/Vista and Windows Server 2016/2012R2/2008R2 —…
  • Hi Terry, not sure how you are going with this. I'm stretching my brain, as I hit something similar to this many years ago. I forget the specifics, but in my instance it was something to do with either BPDU filtering or gratuitous ARP. It was affecting the cluster's upstream performance in bizarre and significant ways.…
  • Hi James, thanks for your update. The Replace option is only available in the SMTP Proxy. There is no option for this in the HTTP or HTTPS proxies.
  • Yeah, I know. That's the problem I would like enhanced. Ideally, if we can quota traffic for a specific direction, we have a much better chance of catching suspect traffic, or at the very least be able to leverage a slowing tactic. I admit that this is something that I hadn't even thought of doing until we had the situation we…
  • From the WatchGuard, make sure you are publishing using a Proxy Rule. For HTTPS you must ensure that content inspection is enabled. Under HTTP Response -> Header Fields, create the headers you want to remove. E.g.: Rule 1: Name: Server:*; Pattern Match: Server:*; Action: Strip. Rule 2: Name: X-Powered-By:*; Pattern Match:…
  • Hi David, I had an issue similar to yours, in that web browsing and the initial page loads would take forever. Converting the web rule from a proxy to a packet rule worked around it and let me know that it was something with the proxy. From there I disabled services one by one. It turned out to be the WebBlocker service.…
  • Yeah, I suspect that maybe their testing utility server is on a network much further away than their actual localised VoIP servers. From looking at the software, there is no way to change where it points to.
  • Hi James, based on your feedback above on the 80 + 443 UDP bypassing proxies, does that mean that if we have a TCP-UDP Proxy rule to "capture all", Chrome is still bypassing it, meaning that there is still a chance for the users to visit a malicious site using these ports? Is there any chance this will change? Or is this a…
  • +1. Currently having issues with users connecting from poor links in various countries blaming IT support for their poor experiences. Having a trailing log of authenticated VPN clients with their latency statistics will make a HUGE difference to how we handle support.
  • Hi James. Sorry, I have been away from this thread for some time. I've hit this limitation a number of times now, mainly working with larger networks trying to support domain-joined and non-domain-joined devices while providing access to internal network resources. We need the ability to point VPN clients to a DHCP server,…
  • Just to hijack this thread, and apologies for mentioning another vendor: Fortinet have a similar feature with their appliances where you can pick and choose dynamic list services to allow/deny or monitor. Having something similar on the WG side would be very beneficial. I understand the Application Control side, but you can…
  • We have this working on a number of clients. Push can work with the higher level of encryption (MS-CHAPv2); SMS and OTP need to be dropped down to PAP. Azure NPS Extensions will take over your NPS, so you need an NPS server dedicated to Azure MFA. E.g. if you have Wireless 802.1X, you will find that the NPS extensions will…
  • I just posted a new discussion about this, then found this one. 100% agree with this discussion. The 4G software needs to be reviewed. It's embarrassing to supply a new firewall but then have to provide additional bolt-ons (Netgear LB2120s or Nighthawks, or Netcomms/D-Links) to run the 4G option due to software…
  • Thanks Bruce, I'm going to give that one a spin :smile:
  • Hi Tess, this could be due to packet overheads and the MTU being set incorrectly, resulting in fragmented packets. I am currently working on a similar issue and use IKEv2 across all of my site branches and remote VPN users. It doesn't happen all the time, but by dropping the MTU on both sides we seem to have stabilised the…