Comments

  • Probably add that if it was under the WatchGuard MSSP licensing setup, then I believe the best you'd get is the configuration to import to a new Firebox, as MSSP appliances can't be converted licensing-wise to retail for some reason (they'd also expire).
  • For local management, with IKEv2 (note this impacts site to site BOVPNs as well), in Policy Manager disable the "Enable built-in IPSec policy" option in VPN > VPN Settings. Create an explicit inbound IPsec policy from "Any-External" (or your preferred interface if needs be) to "Firebox" and apply the Geolocation action to…
  • Not that I have any Fireboxes with inbound SMTP to deal with any more (all the clients I deal with use hosted mail servers like Microsoft 365), but for outbound SMTP I've found even for scan to email we needed to bypass the SMTP proxy and just use an SMTP packet filter as it didn't like some of the extended SMTP commands…
  • I've been doing some tests for a similar setup here and Robert_Vilhelmsen is correct that you need a virtual (interface) IP address on the VIF to have traffic routed both ways correctly across a VIF. In my case between the Fireboxes I just used an APIPA address (169.254.x.x) that is unique within this setup but I have seen…
  • It sounds a bit confusing that you have a Virtual interface (VIF) and a 'normal' BOVPN (presumably policy based)? Or are we talking about tunnels to two different places? For Azure, stick to the VIF (route-based VPN) as that is the recommended method. (Also make sure the MTU is 1400 or less). Otherwise what james.carson…
  • More often than not when the clients and users I deal with have website issues like this, first thing I check (after the logs in case of things like WebBlocker) is whether a "proxy bypass" policy as you've done works. It's not the SDWAN bit I suspect (though depending on your setup wouldn't rule it out), but I find more…
  • A few things come to mind in this scenario. The IP addresses in your description don't quite match the ones in the diagram - hopefully Azure has the correct subnets in the local network gateway definition? (I've seen it happen where one set of IP addresses is on the configuration, but a tech kept putting in the wrong IP…
  • Did a quick search and it does appear that Aruba APs use LLDP to negotiate power requirements from the connected (switch) port, which explains why it uses the lowest common denominator power-wise (i.e. 802.3af) since the Firebox doesn't support LLDP. Presumably the AP225W doesn't need to do that, hence why it'd work with…
  • I had this exact same question a few years back and ended up logging a support call. Short answer it's not possible yet, but on their list. They tagged it as an enhancement on their list FBX-7518 which might help if you open a support call and mention that ID.
  • Seems https://community.watchguard.com/watchguard-community/discussion/comment/10054 might be what you're after (FBX-21224 feature request to create an unencrypted GRE tunnel). You can create an encrypted GRE tunnel today (well GRE over IPsec) if you create a VPN interface and specify the type as "Firebox" from what I can…
  • Definitely this. Depending on how the network is structured on their side, some will still require DHCP to be enabled to establish the session even though it hands out the same IP address (that is the case with some NBN and NBNEE services in Australia for example).
  • Whenever you see an "Unhandled Internal Packet-00" type log, that generally means it didn't match any of the policies you have defined. Your screenshot shows the "587" policy matching traffic from "Any-Trusted" to "Any-External" - I am wondering if the internal system is not directly on a trusted interface (the only way…
  • I've done a transfer of license in the past plus other similar tickets - if you select "Customer Care" as the support case type as Bruce_Briggs mentioned, I believe the serial number field is not a requirement (though one can be filled in), in which case put the serial number into the ticket description instead.
  • As Bruce_Briggs mentioned, it is likely - and I would agree - the outgoing firewall on the Chinese government side is the issue (the one dubbed the Great Firewall of China). It might work if a different port number is used (i.e. not 443) - you'd have to specify this when establishing the connection and make sure it matches…
  • Assuming that the firewall at site B has 3 interfaces - Starlink, the private link and the internal one - you either need to have Multi-WAN set up (if both the Starlink and private links are configured as 'external' type interfaces), or use an SD-WAN rule. If a VPN tunnel is used across the Starlink connection at site B to A,…
  • To add a non-expiring entry to Blocked Sites, this is done in Policy Manager (Setup > Default Threat Protection > Blocked Sites).
  • If you go down the path of terminating the VPN on the server itself (Azure would normally recommend you setup a Virtual Network Gateway and terminate it on the virtual network instead), just make sure the Network Security Group (NSG) that's in front of the server is set to allow the required [IPsec] protocols through to…
  • Not me, but have read on a different forum where somebody else had the same issue with two different sites (same ISP) where the Internet/WAN address was in the same subnet (despite being geographically separated). In that case the ISP had to reassign the IP address of one site so it was assigned an IP address in a…
  • Normally I'd recommend defining the VLANs on the firewall anyway, and you'd need to do this in order to achieve the stated goal. That said, without a managed VLAN capable switch, if the setup is a single access point and it has a PoE injector (since the T20 doesn't have a PoE port), something like configuring a port to be…
  • When I run the comparison using the website (https://www.watchguard.com/wgrd-products/appliances-compare?pid1=17846&pid2=74741&pid3=74736) I see the HTTPS (Full scan) come up as 216Mbps for the T25 and 301Mbps for the T45. That said, if using the trade-up program, the T35 is apparently only eligible to trade up to the T45…
  • Because of the way it works, it will only send a request via the default method the user has configured - and if the user has "Phone" set as the default it will do that. (Mind you in our tenancies Phone and SMS are deemed insecure so they're disabled - but since it has to be a method that is an "accept" acknowledgement,…
  • Somebody else might have a better way, but front of mind is that, assuming the tunnel is a route-based one (virtual interface), add that tunnel to an SDWAN action, then create a policy that uses a DNS FQDN (name) for the destination which specifies that SDWAN action.
  • Side note I have a ticket with a feature request open (FBX-14093) for this scenario (more so for an Azure AD only setup where no on-premise AADconnect setup exists) as we did have a client that wanted to use the SSO client but for a pure Azure AD [now Entra ID] setup.
  • The linked document does refer to a quite old version of Fireware (11.11.x), but the concept seems to be the same. One thing I have noticed is that if you select the "Remote Endpoint Type" as "Firebox" based on the tooltip that shows in Policy Manager, this gives you a GRE over IPsec tunnel.
  • Just noticed this knowledgebase article on this very topic: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S00000110tgSAA&lang=en_US
  • Potentially could also couple the BOVPN Virtual Interface with an SDWAN rule specific to the traffic for the ERP system (so priority to the BOVPN virtual interface, but fail over to the Internet route). I recall having to do something like this for a client's hosted ERP system although their routes were MPLS WAN link first…
  • I had a feeling that was the case - thanks for confirming my thoughts re the sysb firmware. The resulting Firebox still boots with the upgraded firmware (12.5.11 in this case) so seems it's more about having to re-apply changes specific to the newer firmware, which shouldn't be that much as the production units would be…
  • I think SParker is referring to the top level domain ".zip" which has been in the IT press of late (along with ".mov"). My thought would be that a block at DNS level is purely on the DNS domain name, not the URL path one accesses, e.g. hXXps://malicioussite.zip/file/bitcoin.zip vs hXXps://cleansite.com/file/bitcoin.zip. The…
  • The Webex documentation does specify particular IP ranges if you want to further limit your firewall policy (https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services). In any event you'll need more than just those two ports open outbound. Assuming it is a whitelist type setup where only…
  • As Bruce_Briggs has mentioned, replacing the SSL (web) certificate with a trusted third party certificate would be the way to resolve this (it obviously has to be one the Nessus scanner recognises too, so can't use an internal CA signed one either). Had a client who got this raised in a security scan and the comment back…