

  • Two points: 1) The messages are utterly useless because they show up for devices that are working perfectly and there are more of these than there are Allow messages from those working devices. For some working devices, I see four times more of the…
  • Adrian, In September 2019, James Carson created a feature request to disable showing those messages. No news since then.
  • And...crickets. It's a low priority to fix the utterly useless "tcp invalid connection state" messages that take up space in my FSM traffic monitor log. If I see a deny message, it should mean something.
  • Does it have anything to do with AuthPoint timing out when authenticating, then working on the next login attempt a few seconds later (T35)?
  • I am not sure what you mean by "I'd suggest importing directly into the AuthPoint app from whatever app you want to authenticate with...." I want to authenticate with AuthPoint! I have already done my 18 accounts in Google Authenticator …
  • Regarding "You can also click More (the 3 dots) and manually activate a token by typing the data in.)", WHAT data? All the Google Auth export shows is a QR code. The QR code in Google's export is 1.75" square. When I use AuthPoint o…
  • If the T70 has a TPM chip in it, you probably need to contact support to get it registered. There were some changes to recent firmware that made the cloud registration different for TPM-equipped devices.
  • If you want to get things implemented more quickly, sometimes it helps to be a beta tester.
  • "BUG/RFE is open and awaiting Engineering review" means they know about it and have it on their road map. It could be months away, or over a year.
  • Depending upon why you even have a voice VLAN, it may be easier to change it completely, say to Then do whatever you want with the data VLAN sizing. In my experience, changing data VLANs is more involved due to printers, server, and oth…
    in VLAN Setup Comment by Greggmh123 May 17
  • Yes, very easy, especially because they are already in use (I am assuming that their existence means they are being used).
    in VLAN Setup Comment by Greggmh123 May 17
  • What do you get if you enter https://yoursslvpnpublicipaddress into a browser on an external computer? I get a protocol warning using the IP you posted, when I should be getting the SSLVPN login page. An SSL scan of that IP shows an expired self-sig…
  • I use a different brand of access points so that I can have a unified wireless management experience across all of my clients/family/friends, whether or not they have a WatchGuard firewall, at far less cost than WatchGuard APs. I am sure they have t…
  • It also sometimes makes a difference if one uses Internet Explorer to import it vs. using the MMC. I always use the MMC now after discovering that IE sometimes puts it into the user store instead of the local computer store, in spite of actually choosi…
  • Have you set Firefox to use the local computer certificate store and have you imported the Fireware HTTPS Proxy cert to the local computer cert store? IE, Edge, and Chrome all use the local computer cert store, while Firefox defaults to its own cert…
    in Google Maps Comment by Greggmh123 May 7
  • You need to import the "Fireware HTTPS Proxy" certificate to all computers/devices subject to HTTPS/DPI, and it needs to be in the local computer store's Trusted Root Certification Authorities > Certificates store. If you have a Windows…
  • In addition to limiting from IP (or instead of...), I suggest setting up MFA for all Mobile VPN access.
    in IKEv2 Comment by Greggmh123 May 5
  • (Quote) I recommend any current model with at least Live Security so that you can keep up on the firmware.
  • Something that old should be considered dead even if it works. There are risks to running ancient firmware.
  • Update as of 4/27/20: Right now, Duo will not work with WatchGuard’s IKEv2 VPN for 2FA. WatchGuard has identified the issue and WatchGuard and Duo are working together to fix it.
  • I almost mentioned changing the To target but when I tried to remember a config from five years ago, I thought I had changed it to be the Firebox, so I didn't say anything. I am probably thinking of my own OLD config from my Core X550e. I am going t…
  • "So I can take one service at a time to the new FB seamlessly." If your goal is to be as seamless as possible when replacing an old Firebox, why not use the old config on the new Firebox? You can import the old config, add the new feature k…
  • "The old http/https proxies are present in ruleset, but not active" may be why you are seeing the SSL warning if you are not using one IP with two targets with SSL.
  • If your Citrix ADC runs on another IP than SSL VPN and the SSLVPN page took over the Citrix login, then I am really confused! The only way the SSLVPN page should be able to answer where Citrix had been answering is if they use the SAME IP. I had thi…
  • "My Citrix login page was replaced by Watchguard's login page." You mentioned having several IPs, so I assume that you mean that you have the typical block of 5 usable static IPs (or more) from your ISP. If you have one of those IPs that …
  • That is most likely why it is flagging it. I get the same block when Microsoft Teams tries to update and I had to exclude its "C:\Users\%username%\AppData\Local\SquirrelTemp\Update.exe" file.
  • I suspect it is because the executable changes its name each time. Can you verify the file name C:\Users\AppData\Local\Temp\WRupdate146283765.exe is the same as your previous exclusion?
  • If you are the only one behind the ISP router (e.g., you are not one of many in a shared office), then you should ask that they either put it into bridge mode (best) or put the WAN IP of your firewall into their device's DMZ so that ALL ports …
  • Oh, man, I was about to post that it didn't work, and then I noticed the IP address. Geez, Gregg, pull your head out! I added MY desired IP and it worked just great! Thank you, Bruce!