James_Carson

Hello WatchGuard Community users, If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

About

Display Name: James_Carson
Joined:
Visits: 370
Last Active:
Roles: WatchGuard Representative
Points: 97
Badges: 2

Comments

  • Hi aandersenDK I downloaded and checked the SHA1 against OpenSSL, and I get 4a58403e0b65ea6c687319d2c3dbde413f6c2d47. Based on your argument, it looks like you may have unpacked the tar file out of the gzipped file. Can you try running it on the …
  • Hi @Fred2K You can set up 1-to-1 NAT on a standard branch office VPN tunnel. However, the network you're NATing needs to reside on the firebox. If you're using the firebox to link the remote subnet that's somewhere else via VPN to the Azure (whic…
  • Hi @Philippe_Rose Google, and other content providers will often dynamically adjust what servers are replying to you based on load and other factors. I would suggest blocking countries as conservatively as possible. Another good example of this i…
  • Hi @Meeks We don't use SSLv3 on the newer versions of Fireware -- so upgrading to the newest version of Fireware will be your best bet. You can find that at software.watchguard.com For the self signed certificate, you'll need to get a certificate…
  • Hi @adslr3 I've added your request to a similar existing feature request -- FBX-3765. If you'd like to track progress on that feature request, please open a support case and mention somewhere in the description that you'd like to track open featur…
  • Hi @BMD011 WebBlocker doesn't run on inbound proxies as the request is just coming from an IP address. We don't get to see the signed certificate of the server or the DNS request, so there's not really a great way to determine the hostname of the …
  • Hi @Meeks There's a few things you can do, but we'd need more details on what's being hit in the scan (please be sure to exclude any bits with your public hostname/IP.) -Ensure you're running the latest version of Fireware. You can find it at sof…
  • Hi @kbergros The FSM counter is the connection counter -- however, that will fluctuate quite a bit between refreshes. You honestly should never be getting close to the maximum number in day to day use. If you'd like to see more details about the …
  • Hi @adslr3 Thanks for the suggestion. What's your intended action if the quota is met? Are you looking for a warning, or for the connection to be throttled/cut off? Previous requests of this nature simply wanted to keep track of usage, as comple…
  • Hi Horst, You should point the IP at the one your FQDN resolves to.
  • Hi Horst, What IP is used depends on your NAT policy, and the rule the traffic is traversing. -In Network -> NAT, you can review your dynamic NAT rules. You can control subnet level rules here, if that works best for you. -In each policy, un…
  • Hi @SkyJaxx Link Aggregation won't combine the two interfaces into one. LAGs will generally be used to support single connections that exceed the capacity of one port on the firewall or where redundancy is required for that link. You'll want to l…
  • Hi @Iprel There aren't any that I'm aware of -- my assumption is that you're accessing this via an HTTPS proxy. Do you see any proxy errors in your traffic monitor logs? -Note that you may have to turn the diagnostic logging level up (to information)…
  • Hi @docmokel It's a bit tricky to diagnose this without any logs. Do you see any green allow or red deny logs in the firebox traffic monitor when you try to ping? If you can post that it might help determine what's happening (please ensure you re…
  • Hi @anc It'd depend on why they're ending up there. -If it's for a specific sender, you can make an exception in spamblocker: (About spamBlocker Exceptions) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/spa…
  • Hi @RVilhelmsen The Webblocker server's search page doesn't accept the http:// or https:// portion of the URL if you're trying to do a manual lookup. Try searching for just "www.mrporter.com/en-dk/mens/whats-new/shoes/sneakers" for inst…
  • Do you have anything running on port 443 (https) other than your SSLVPN, or did you change the port number for the SSLVPN? If so, you'll need to specify the right port like vpn.example.com:444 If you're still unable to get this to work, creating …
  • Hi @benoit_vannier Some of the older firmware versions for the firewalls do have issues with managing APs, but these have since been resolved. Without seeing logs, or the specific situations, about the only advice I can give is to ensure you're on…
  • Hi @Cristiano in order to scan webmail, you'll need to use the HTTP and HTTPS proxies. You'll only be able to do Gateway AV scanning, IPS scanning here. Spamblocker won't work via the HTTP/HTTPS proxies. Thank you,
  • Hi @Cristiano With regards to the client connections, there are two basic ways this can go: -Webmail: You can use the HTTP/HTTPS proxies (HTTPS will need content inspection turned on.) This can provide antivirus scanning, but won't help with spam…
  • Hi @Cristiano, It looks like that case was with our support engineering team, who opened a feature request (FBX-11829) to have a feature added. If you're still having issues, I'd suggest replying to that case, and the engineer there will better b…
  • Hi @Cristiano What certificate did you import? The firebox has several. What case number did you have open? If a case has been open that long with no response, it's usually because of a pending bug or feature request. I can have the support tea…
  • Hi @Marcos Thunderbird likely has its own certificate store. Have you tried importing your proxy authority cert into Thunderbird? Outlook will use whatever one is present in Windows itself (as will IE, Chrome, and anything that's built into windo…
  • Hi @JoshuaThompson Without the message ID, I can't say more than it sounds like a connection that ended. I pulled an example log from my firewall with the same disposition: 2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, policy=Any-From-Fire…
  • Hi @Daniel_P30 There isn't really a generic recommendation for this, as it will vary by service. Have you tried the default settings with SD-WAN enabled? If these don't work, try adjusting them to your needs.
  • Hi @Nguyen_Dung Like Bruce mentioned, Content Inspection/Deep Packet Inspection (DPI) is the most effective way to block this type of traffic, as the firewall can then open and inspect encrypted HTTPS traffic. You'll also need to close the other w…
  • Hi @chupacabra My assumption is that you're sending syslog messages (which will be just plain text) as that's the only way to stream logs to a 3rd party service without it doing SNMP polling. If that's the case, the firewall will just send the dat…
  • Hi @PeterGV If you'd like to create a support case, we can certainly get a feature request set up to support this and attach it to this case, which will keep you notified of progress on that. If you'd like to use the OpenVPN variant, you can get t…
  • Hi @PeterGV I'm referring to WindowsRT as the ARM platform, which the surface you mentioned was part of. As far as I'm aware, no VPN apps work with the ARM based variants (I may be incorrect here) -- however, WatchGuard's SSLVPN is based on OpenVP…
  • Hi, @PeterGV The ARM based processors won't work with the WatchGuard SSLVPN. You can use the L2TP VPN which is supported by Windows 10's built in VPN client. This is more of a limitation of the WindowsRT platform rather than a limitation of the S…