PhilT_VIT

About

Display Name: PhilT_VIT
Visits: 52
Roles: No Roles
Points: 3
Badges: 0

Comments

  • I can remember one WatchGuard training session where it was actually the other way around (always use a Virtual Interface where possible). The reasoning for that came down to being able to use them for SD-WAN actions/failover (e.g. failover of a VPN tunnel). I'm not sure if this is totally correct, but if you have a large…
  • The limitation seems to be that the "bridge" setup which is what you're after can be defined in the Trusted, Optional or Custom zone type but not External, since this is probably not that common (sounds like a feature request if it is something you do need). If your external interface requires a VLAN tag, then potentially…
  • After reading this I thought I'd have a look at my appliances and in Firebox System Manager, if I go to the "SD-WAN" tab, the "Global" action shows the interfaces I have configured for Multi-WAN, and moreover the interface name in bold seems to be the one that is active. (Similarly it shows the other SD-WAN actions as…
  • Only time I've seen this issue with Speedtest is if you are using an explicit proxy, in which case you need to add an entry for port 8080 in the CONNECT tunnelling section of the explicit proxy settings. (It is actually HTTPS on port 8080 if you want to apply a proxy action [i.e. you need an HTTPS proxy action defined first],…
    (in Speedtest, comment by PhilT_VIT, August 12)
  • I've not used the SSO agent, but check in your NPS configuration what Filter-Id value (RADIUS attribute 11) is being returned to the Firebox. Also look at the NPS logs for a user that doesn't have the correct policies to ascertain which NPS policy it applied (and thus which Filter-Id was returned). The setups I have this…
  • It's not perfect, but while I do things like put mobile devices in their own "guest" VLAN, one other thing I did a while ago was to block DNS-over-TLS (TCP port 853), as some mobile devices will use this if the DNS server it's configured for is compatible (Google's 8.8.8.8 is one of them). Recent Android devices, if they have…
  • I figured that to be the case, which is why I suspect what I'm trying to do is an edge case (down the track I may have needed to do a static NAT between two "internal" interfaces, but knowing that the one with NAT applied has to be an external or optional interface type, I'll keep that in mind).
  • There exists a static route on the Internet-facing WatchGuard that points to the WAN IP of the second/branch WatchGuard appliance out a particular interface there, and that works currently (the interface A in my example). A similar route exists for the trusted VLAN (B) which also works, but at the moment I can't get…
  • If it's what I think it is (for some of the NBN based connections), then while some use VLAN 100, this is not always the case (at least one I think uses PPPoE with a VLAN tag requirement). Being able to set this in a RapidDeploy setup (at least for the USB method of configuring interfaces) would be useful too.
  • The "Outgoing Interface Bandwidth" might help in the scenarios where I need to throttle outbound traffic (assume it only applies to outbound, and not inbound traffic)? I'll have to do some tests of traffic management rules in conjunction with that outgoing interface bandwidth to see what combination works for our setup.
  • I have an open "bug/enhancement" ticket with WatchGuard Support for the very same thing (SSO authentication for the WatchGuard SSO agent with Azure AD) and was given FBX-14093 as the feature request number.
  • Agree it'd be nice to have this as an option for SSLVPN, which is why in the last setup I did I had to implement IKEv2 and then change the certificate to one signed by the client's internal CA to limit who has access to it. It doesn't use user certificates unfortunately (I have an open enhancement request for that) but…
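The NPS comment above recommends checking which Filter-Id (RADIUS attribute 11) the RADIUS server actually returns to the Firebox. The following Python is an added example, not code from the forum poster, from WatchGuard or from Microsoft NPS: it decodes a RADIUS Access-Accept according to the RFC 2865 attribute layout (type, length, value) and lists the Filter-Id strings, so the same check can be run on a reply captured from the wire. The packet bytes, the group names ("VPN-Users", "Finance", "Admins") and the expected-group list are constructed for the example and are hypothetical; the builder does not compute a valid Response Authenticator and exists only to produce sample input.

```python
"""Decode a RADIUS Access-Accept and report its Filter-Id (attribute 11) values.

Added example (not from the original forum comments). Packet contents and
group names below are constructed for illustration.
"""
import struct

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_FILTER_ID = 11
ATTR_SESSION_TIMEOUT = 27
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_radius_packet(code: int, identifier: int, authenticator: bytes, attrs):
    """Assemble a RADIUS packet from (type, value) pairs.

    Sample-input generator only: the authenticator is taken as given and is not
    the MD5 Response Authenticator a real server would compute (hypothetical data).
    """
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError(f"attribute {atype} value length {len(value)} out of range")
        body += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs, rejecting packets whose lengths are inconsistent.

    Length checks follow RFC 2865 section 3/5: the header length field must fit
    the buffer, and every AVP length must be >= 2 and stay inside the packet.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError(f"bad length field {length} for {len(packet)}-byte packet")
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        yield atype, packet[pos + 2 : pos + alen]
        pos += alen


def filter_ids(packet: bytes):
    """Return the Filter-Id strings of an Access-Accept in order; [] for other codes."""
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return []
    return [
        value.decode("utf-8", errors="replace")
        for atype, value in parse_attributes(packet)
        if atype == ATTR_FILTER_ID
    ]


def missing_filter_ids(packet: bytes, expected_groups):
    """Return the expected Firebox group names the reply did NOT carry as Filter-Id.

    A non-empty result points at the NPS network policy that matched: it is
    returning a different Filter-Id than the firewall policy was written for.
    """
    present = set(filter_ids(packet))
    return sorted(set(expected_groups) - present)


# Constructed sample reply: two Filter-Id attributes plus a Session-Timeout,
# showing that unrelated attributes are skipped (hypothetical values).
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_ACCEPT = build_radius_packet(
    RADIUS_ACCESS_ACCEPT,
    0x2A,
    SAMPLE_AUTHENTICATOR,
    [
        (ATTR_FILTER_ID, b"VPN-Users"),
        (ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600)),
        (ATTR_FILTER_ID, b"Finance"),
    ],
)
SAMPLE_REJECT = build_radius_packet(RADIUS_ACCESS_REJECT, 0x2B, SAMPLE_AUTHENTICATOR, [])

if __name__ == "__main__":
    print("Filter-Id values returned:", filter_ids(SAMPLE_ACCEPT))
    print("Expected groups not returned:", missing_filter_ids(SAMPLE_ACCEPT, {"VPN-Users", "Admins"}))
```

To use this on a real reply, feed `filter_ids()` the UDP payload of the Access-Accept taken from a capture between the Firebox and the NPS server; if the list is empty or names a group the Firebox policies do not reference, the NPS network policy that matched is the one to adjust.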