James_Carson

Hello WatchGuard Community users, If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

About

Display Name: James_Carson
Joined
Visits: 763
Last Active
Roles: Moderator, WatchGuard Representative
Points: 219
Badges: 4

Comments

  • Hi @Norman The majority of our firewalls have momentary switches -- meaning that the power button is a rocker switch. It will automatically spring back to the position it started in. The only devices I recall that do not have this feature are the…
  • Hi @HVDK There aren't very many settings to change on the client for IKEv2 -- if you freshly installed the profile, that should cover any settings. -Ensure that any upstream device that you have is allowing VPN/IPSec pass thru. If this is a featu…
  • Hi @RVilhelmsen Looking at the documentation you linked, it looks like we already have either the UserTrust or Comodo certificates that appear to be what Sectigo's certs verify back to. I verified this on 12.5.5/12.6.2 -- if you're running an olde…
  • Hi @D_Lamberti88 WatchGuard is currently working on a version specifically for the update. Unfortunately, since Apple doesn't provide a finalized release candidate (meaning developers don't see a finalized version of the OS until it's released to …
  • Hi @marcottt This is due to a previous failed attempt. Please open a support ticket and support can help.
  • Hi @Durrant It depends on what you're logging into. -If you're logging into Authpoint, our 2 factor authentication service, you'll need to log in as that's providing Authentication to your server. -If you're logging into a web page to get access t…
  • Hi @Deivid You can manage firewalls centrally via WatchGuard Dimension, or the WatchGuard Management server. You can read more about the requirements, and how to do each here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fi…
  • Hi @WGM Device -> Authentication may work for your needs. You can see all of Dimension's available reports here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/reports_report-list_d.html
  • Hi @Daniel_P30 The firewall won't trust the cert by default unless the root (and any intermediary/leaf cert) in the chain are installed. You should only need to install them once, but resetting the firewall to factory defaults may be erasing them …
  • Greg is correct, the firewall will not expose the private key if you generate it on the firewall itself. For most users this isn't an issue, but it could be for some. This KB goes over doing it in other places, including OpenSSL, WG Management ser…
  • Hi @Tim_Farr If it's a website that is talking about/describing those types of disorders, I'd pin it under Health: "Sites that provide information or advice on personal health or medical services, procedures, or devices, but not drugs. Include…
  • Hi @WCS If the user's phone is unable to scan the QR code, they can also open the email on their phone and click the ACTIVATE button. If the email was opened on a phone it would look like this: https://www.watchguard.com/help/docs/help-center/en-…
  • Hi @cmc The firewall won't export a private key. You can, however, import your own proxy server/proxy authority certs (depending on the direction traffic is traveling. External -> Internal is proxy server, Internal -> External is proxy auth…
  • Hi @JosephL I replied to your other thread -- if you continue to have issues, I'd suggest opening a support case with WatchGuard, so that we can look into your logs more in-depth.
  • Hi @JosephL Authentication occurs on the firewall itself -- I'd suggest checking there to see if you have any logs pertaining to those events. They'll show up under process "admd" so searching for that should help filter it. The client …
  • The biggest thing that you'll want to make sure you make a rule for is DNS traffic -- there isn't one by default, and you won't be able to get to anything without resolving DNS.
  • Hi @Daniel_P30 It may be possible via something like the SSLVPN -- but again, China is known to block VPN connections. The user will need to know to download the client, and to type in the correct server to connect to it.
  • Hi @Daniel_P30 The firewall likely doesn't trust the chain. Try importing the root cert from your CA as "webserver/other" and then any intermediaries (if they exist) as "webserver/other" The firewall only looks there to build …
  • Hi @Thibaud I've created feature request FBX-20780 for you. Since SSLVPN gets the profile from the server (the firebox) the majority of the information from that type of report aside from latency could be derived from that profile. Asking the us…
  • Hi @bford syslog is plain text, so you can verify it via packet capture In Firebox System Manager, assuming your syslog server is on eth1, something like -i eth1 host 192.168.10.100 and port 514 Should capture the syslog traffic, and you can rea…
  • Hi @DaveDave I'm unsure if this is feasible, but I'd be happy to put in a feature request for you. Would you be able to provide an example of what you're wanting to use it for, and what DHCP options you need? Thank you,
  • Hi @lotty You can either point the link monitor target for that WAN at something that won't reply, or just simply disconnect the cable for the 1st ISP. Either should cause the firewall to fail over to the other connection provided it's set up prop…
  • Hi @Dan_Schreck We expect to have a version released soon. Apple's release candidate generally differs a bit from what they release, so we have to run through a bit of testing. If you'd prefer to use one of those other clients, so long as it acce…
  • Hi @ConnectNow It'll be impossible for the blackhole server to predict what you typed in, so the cert will never match. If there was something like an application on each PC (like dnswatchGo), this may be possible -- but the blackhole server out o…
  • Like the others said, there's no such thing as 1000/half -- so if you're running gig, it's full duplex. The firewall follows networking standards as do many other devices -- if it's set to auto negotiate, and doesn't receive any negotiation, it'll…
  • In my experience, a lot of the compliance scanning companies are just using something like Nessus to scan, and don't have much, if any understanding of the report they're actually handing out. If you can find one that actually explains what each is…
  • Like bruce mentioned, a packet filter is probably going to be your best bet. The Firewall is going to attempt to decompress any archive that it comes across (zip, tgz, rar, etc) - if it's unable to, it'll throw an error and follow whatever the erro…
  • Hi @ucaoemili95 I have not yet seen any reports of an outage. If you're running into an issue like this I would suggest opening a support ticket so that we can gather your account information and investigate. You can open a case online by clickin…
  • It sounds like you may have changed the port? If you're using something other than the default 443/TCP you'll need to type in https://example.com/sslvpn.html:port If you have something else answering on port 443, like OWA, etc. you might need to …
  • If you were running an older version of WSM, at some point (around 12.1 IIRC) we updated some of the ciphers used to do this. The latest version should be backwards compatible with older versions, so you should be set.