Greg_Gilbraith

I'm either the documentation guy for support or the support guy for documentation. Ask me questions!

Comments

  • To log in to your TDR account, simply log in to your WatchGuard customer portal account - https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_about_c.html
  • I could take a few guesses, but your best bet is the troubleshooting guide, it covers a lot of possible causes: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_troubleshoot.html
  • Allowing the traffic is fairly simple - you can allow connections to or from interfaces, subnets, etc. The tricky part is generally the routing. For best results, connect your MPLS router to a Firebox interface by itself, and then have a static route to the remote network through that router. So if your Firebox LAN network…
  • One switch per external interface, please - either physical or logical - a single managed switch could handle all the Firebox interfaces for both cluster members, but you need to make sure that each Firebox interface is on a separate VLAN.
  • The order of interfaces has probably changed - FireboxV now orders the interfaces by MAC address instead of "the order in which they start up", which was sometimes unreliable. For more, see https://watchguardsupport.secure.force.com/publicKB?type=KBKnownIssues&SFDCID=kA42A000000HAmVSAW&lang=en_US
  • I would temporarily connect a PC to the VLAN with an IP on the 10.0.1.x subnet and set up the Firebox that way, but if that's not an option, you can use the CLI to change it: https://www.watchguard.com/help/docs/fireware/12/en-US/CLI/index.html#en-US/interface_commands/interface_command_ref.html
  • Seems like that carries a risk of letting malware into my network?
  • I would take a careful look at the tunnel routes - make sure you have the full local subnets, not just the Firebox IP. Could also be something odd in the routing on your or the remote side of the tunnel. See if you can ping just the Firebox IP address on the remote side.
  • That's probably the best way to make it work, but you can technically do it as long as the side with the dynamic IP address always originates. The good news is that Fireware now supports a variety of dynamic DNS services - https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA2A00000000FkgKAE&lang=en_US
  • If you're connecting but not getting anything through, that might mean that ESP (IP 50) packets are not connecting. If this only happens in one location, you'll need to make sure the firewall at that location is configured to allow outbound IPSec connections. If this isn't an option, consider using Mobile VPN with SSL…
  • Did you do anything else? By default the Firebox will create a policy to allow all connections. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/l2tp/l2tp_vpn_policies_c.html
  • Not sure where iOS comes from, but either way it sounds like your Firebox isn't providing an internal DNS server to clients. Note that in both the Mobile VPN with SSL configuration, and in the Firebox global networking configuration, there are fields for DNS configuration. If you don't configure anything in the DNS…
  • You can definitely do this - take a look at this help topic about drop-in mode - https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/net_config_dropin_about_c.html
  • Thanks Eugene - FYI when I called they had me follow the steps in this article. https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA2F00000000L3pKAE&lang=en_US
  • So what's the advantage? Is it just that I run it as a VM instead of having to also manage a windows instance?
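The tunnel-route comment above (check that the tunnel routes cover the full local subnets, not just the Firebox IP, then see whether the remote Firebox IP alone pings) can be turned into a small pre-flight check. The following is an added example and is not code from the original comments or from WatchGuard; the subnet list, the routes and the ping results are constructed sample input, and the function names are my own.

```python
import ipaddress

# Constructed sample: the local networks behind this Firebox that the remote
# site should reach through the BOVPN tunnel (not taken from the page).
LOCAL_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]


def _nets(values):
    """Parse a list of CIDR strings into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(v, strict=False) for v in values]


def host_only_routes(tunnel_routes):
    """Return tunnel routes that are single-host entries (/32 or /128).

    A route that is just the Firebox's own IP is the classic symptom the
    comment describes: the tunnel comes up, but nothing behind it is routed.
    """
    return [str(r) for r in _nets(tunnel_routes) if r.prefixlen == r.max_prefixlen]


def uncovered_subnets(local_subnets, tunnel_routes):
    """Return the local subnets that no tunnel route fully contains."""
    routes = _nets(tunnel_routes)
    missing = []
    for net in _nets(local_subnets):
        covered = any(
            net.version == r.version and net.subnet_of(r) for r in routes
        )
        if not covered:
            missing.append(str(net))
    return missing


def diagnose(local_subnets, tunnel_routes, firebox_ip_pings, lan_host_pings):
    """Combine the route check with the two ping results the comment suggests.

    firebox_ip_pings: whether the remote Firebox's own IP answers through the tunnel.
    lan_host_pings:   whether a host on the remote LAN answers through the tunnel.
    Returns a short verdict string.
    """
    if uncovered_subnets(local_subnets, tunnel_routes) or host_only_routes(tunnel_routes):
        return "fix tunnel routes: local subnets are not fully covered"
    if not firebox_ip_pings:
        return "tunnel itself is not passing traffic: check phase 2 / ESP and the IPsec policies"
    if not lan_host_pings:
        return "tunnel works to the Firebox but not the LAN: check routing on the remote side"
    return "ok"


if __name__ == "__main__":
    bad_routes = ["10.0.1.1/32"]           # only the Firebox IP: the mistake in the comment
    good_routes = ["10.0.1.0/24", "10.0.2.0/24"]
    print("host-only routes:", host_only_routes(bad_routes))
    print("uncovered:", uncovered_subnets(LOCAL_SUBNETS, bad_routes))
    print(diagnose(LOCAL_SUBNETS, bad_routes, True, False))
    print(diagnose(LOCAL_SUBNETS, good_routes, True, True))
```

Feed the same structure the remote side's route list and the two ping results collected from the peer; the verdict ordering mirrors the comment: routes first, then whether the Firebox IP alone answers, then whether hosts behind it do.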