Comments

  • Adding a non-expiring entry to Blocked Sites is done in Policy Manager (Setup > Default Threat Protection > Blocked Sites).
  • If you go down the path of terminating the VPN on the server itself (Azure would normally recommend you set up a Virtual Network Gateway and terminate it on the virtual network instead), just make sure the Network Security Group (NSG) that's in front of the server is set to allow the required [IPsec] protocols through to…
  • Not me, but have read on a different forum where somebody else had the same issue with two different sites (same ISP) where the Internet/WAN address was in the same subnet (despite being geographically separated). In that case the ISP had to reassign the IP address of one site so it was assigned an IP address in a…
  • Normally I'd recommend defining the VLANs on the firewall anyway, and you'd need to do this in order to achieve the stated goal. That said, without a managed VLAN-capable switch, if the setup is a single access point and it has a PoE injector (since the T20 doesn't have a PoE port), something like configuring a port to be…
  • When I run the comparison using the website (https://www.watchguard.com/wgrd-products/appliances-compare?pid1=17846&pid2=74741&pid3=74736) I see the HTTPS (Full scan) come up as 216Mbps for the T25 and 301Mbps for the T45. That said, if using the trade-up program, the T35 is apparently only eligible to trade up to the T45…
  • Because of the way it works, it will only send a request via the default method the user has configured - and if the user has "Phone" set as the default it will do that. (Mind you in our tenancies Phone and SMS are deemed insecure so they're disabled - but since it has to be a method that is an "accept" acknowledgement,…
  • Somebody else might have a better way, but front of mind is that assuming the tunnel is a route-based one (virtual interface), add that tunnel to an SDWAN action, then create a policy that uses a DNS FQDN (name) for the destination which specifies that SDWAN action.
  • Side note I have a ticket with a feature request open (FBX-14093) for this scenario (more so for an Azure AD only setup where no on-premise AADconnect setup exists) as we did have a client that wanted to use the SSO client but for a pure Azure AD [now Entra ID] setup.
  • The linked document does refer to a quite old version of Fireware (11.11.x), but the concept seems to be the same. One thing I have noticed is that if you select the "Remote Endpoint Type" as "Firebox" based on the tooltip that shows in Policy Manager, this gives you a GRE over IPsec tunnel.
  • Just noticed this knowledgebase article on this very topic: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S00000110tgSAA&lang=en_US
  • Potentially could also couple the BOVPN Virtual Interface with an SDWAN rule specific to the traffic for the ERP system (so priority to the BOVPN virtual interface, but fail over to the Internet route). I recall having to do something like this for a client's hosted ERP system although their routes were MPLS WAN link first…
  • I had a feeling that was the case - thanks for confirming my thoughts re the sysb firmware. The resulting Firebox still boots with the upgraded firmware (12.5.11 in this case) so seems it's more about having to re-apply changes specific to the newer firmware, which shouldn't be that much as the production units would be…
  • I think SParker is referring to the top level domain ".zip" which has been in the IT press of late (along with ".mov"). My thought would be that a block at DNS level is purely on the DNS domain name, not the URL path one accesses, e.g. hXXps://malicioussite.zip/file/bitcoin.zip vs hXXps://cleansite.com/file/bitcoin.zip. The…
  • The Webex documentation does specify particular IP ranges if you want to further limit your firewall policy (https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services). In any event you'll need more than just those two ports open outbound. Assuming it is a whitelist type setup where only…
  • As Bruce_Briggs has mentioned, replacing the SSL (web) certificate with a trusted third party certificate would be the way to resolve this (it obviously has to be one the Nessus scanner recognises too, so can't use an internal CA signed one either). Had a client who got this raised in a security scan and the comment back…
  • From a feature request stance, having native Azure AD authentication as an option (typically via SAML) would be the best option. We have quite a few setups where this would be ideal, since having Azure AD Directory Services (AADDS) is quite cost prohibitive just to run a RADIUS server "in cloud", and not all our clients…
  • I believe one specific mobile provider setup here is IPv6 only in that they only provide an IPv6 address to the endpoint, however those networks do have an IPv6-to-v4 gateway to allow for access to IPv4 only resources, of which there are still quite a few in the world. If that's not the case for the network/s you describe…
  • Specific to the T20 and T40 series there was an issue with performance if on a 12.8.x firmware which was fixed in 12.8.2U1 (https://portal.watchguard.com/wgknowledgebase?type=Known%20Issues&SFDCID=kA16S0000007lO7SAI&lang=en_US). If you haven't already upgraded the T40's firmware I would do this first as I had a client setup…
  • Usually bridging the networks is discouraged as far as I can tell as this then doesn't allow you to segregate VPN traffic, but is there a specific use-case to do this with IKEv2? (Microsoft RRAS server when used to terminate remote access VPNs actually does this [bridging VPN users to an existing network]). I see SSL VPN…
  • What kimmo.pohjoisaho mentions is what I would do as well. Somebody shared with me a while back a document relating to Starlink not "supporting" IPsec, which I find surprising but worth noting "just in case". (This was in the context of troubleshooting a user to site VPN). If doing the above fails, you'd have to explore…
  • I see the warning, but the interfaces remain there as per the previous screenshot (which was taken after I changed it to an M270). Given it shows as bound to the VLAN when I change it back to the T40-W, presumably it just sits there in the config. Seems a bit odd but happy to leave it there if there is no impact down the…
  • It's not a policy that shows it (I've seen that before), but rather the VLAN configuration in my case since I have an SSID on ath1 connected to a specific VLAN. I.e. if I change the config from a T40-W to M270 then go save it as-is in Policy Manager (regardless of whether I change the feature key or not), when I go and look…
  • On the subject of trade-up oddities, the EOL webpage says for a T35/T35-W that the options are a T40/T40-W or a T80, yet the trade-up matrix (https://p.widencdn.net/sijswa/Trade_Up_Program_Overview) only allows for a trade-up to a T40/T40-W (there is no tickbox for T35 to T80).
  • It's an old thread, but came across it troubleshooting a T40-W with a new 400Mbps fibre Internet link getting substandard performance (typically 250Mbps) when I know a T35-W I have at home can get to about 550Mbps before hardware limitations throttle it.…
  • If you're using AD via RADIUS, then the RADIUS server itself needs to be configured to trigger the MFA prompt. For Windows NPS, you have to install and configure the Azure MFA extension - but be warned if you do this on your production server, all requests to it go to Azure for MFA (so any local AD only users will fail to…
  • Granted I've only had to deal with two other brands of routers (not firewalls) that have integrated LTE modems and even those ones have different SKUs for different markets. The comment about mobile devices having one SKU is not quite correct - again there are different models for different markets (even if only a few…
  • From when I did something similar: It removes the interface reference from any firewall rules - and if it renders the policy with no from or to entries, it shows up as "None" (in WSM at least) and throws an error telling you to fix the policies (i.e. put something else in or delete it). It doesn't delete the policies if you…
  • With VPNs to/from Azure, you need to make sure the MTU for the VPN is set to 1400 or less, otherwise you get a heap of retransmit errors. (This number is in the Azure documentation). You may see references to alternately setting the TCP MSS value to 1350, but this only affects TCP traffic so the MTU setting is preferred.…
  • I suspect some of our client's users will be in the "me too" camp in terms of CGNAT and mobile IKEv2 VPN connections - some of ours work fine here (Australia, New Zealand) and some don't work as well or at all. While I suspect this…
  • Only thought of this now, but another option for the Starlink T20 to connect to the T35 if all else fails is a BOVPN over TLS setup, however this does come with some changes on the T35 end which may conflict if you have an existing [mobile] SSL VPN setup. In some quick testing I do notice you can't use this setup with any…