Comments
-
Side note: I have a ticket with a feature request open (FBX-14093) for this scenario (more so for an Azure AD-only setup where no on-premises AADconnect setup exists), as we did have a client that wanted to use the SSO client but for a pure Azure AD [now Entra ID] setup.
-
The linked document does refer to a quite old version of Fireware (11.11.x), but the concept seems to be the same. One thing I have noticed is that if you select the "Remote Endpoint Type" as "Firebox" based on the tooltip that shows in Policy Manager, this gives you a GRE over IPsec tunnel.
-
Just noticed this knowledgebase article on this very topic: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S00000110tgSAA&lang=en_US
-
Potentially you could also couple the BOVPN Virtual Interface with an SDWAN rule specific to the traffic for the ERP system (so priority to the BOVPN virtual interface, but fail over to the Internet route). I recall having to do something like this for a client's hosted ERP system although their routes were MPLS WAN link first…
-
I had a feeling that was the case - thanks for confirming my thoughts re the sysb firmware. The resulting Firebox still boots with the upgraded firmware (12.5.11 in this case) so seems it's more about having to re-apply changes specific to the newer firmware, which shouldn't be that much as the production units would be…
-
I think SParker is referring to the top level domain ".zip" which has been in the IT press of late (along with ".mov"). My thought would be that a block at DNS level is purely on the DNS domain name, not the URL path one accesses, e.g. hXXps://malicioussite.zip/file/bitcoin.zip vs hXXps://cleansite.com/file/bitcoin.zip The…
-
The Webex documentation does specify particular IP ranges if you want to further limit your firewall policy (https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services). In any event you'll need more than just those two ports open outbound. Assuming it is a whitelist type setup where only…
-
As Bruce_Briggs has mentioned, replacing the SSL (web) certificate with a trusted third party certificate would be the way to resolve this (it obviously has to be one the Nessus scanner recognises too, so can't use an internal CA signed one either). Had a client who got this raised in a security scan and the comment back…
-
From a feature request stance, having native Azure AD authentication as an option (typically via SAML) would be the best option. We have quite a few setups where this would be ideal, since having Azure AD Directory Services (AADDS) is quite cost prohibitive just to run a RADIUS server "in cloud", and not all our clients…
-
I believe one specific mobile provider setup here is IPv6 only in that they only provide an IPv6 address to the endpoint, however those networks do have an IPv6 to v4 gateway to allow for access to IPv4 only resources, of which there are still quite a few in the world. If that's not the case for the network/s you describe…
-
Specific to the T20 and T40 series there was an issue with performance if on a 12.8.x firmware which was fixed in 12.8.2U1 (https://portal.watchguard.com/wgknowledgebase?type=Known%20Issues&SFDCID=kA16S0000007lO7SAI&lang=en_US). If you haven't already upgraded the T40's firmware I would do this first as I had a client setup…
-
Usually bridging the networks is discouraged as far as I can tell as this then doesn't allow you to segregate VPN traffic, but is there a specific use-case to do this with IKEv2? (Microsoft RRAS server when used to terminate remote access VPNs actually does this [bridging VPN users to an existing network]). I see SSL VPN…
-
What kimmo.pohjoisaho mentions is what I would do as well. Somebody shared with me a while back a document relating to Starlink not "supporting" IPsec, which I find surprising but worth noting "just in case". (This was in the context of troubleshooting a user to site VPN). If doing the above fails, you'd have to explore…
-
I see the warning, but the interfaces remain there as per the previous screenshot (which was taken after I changed it to an M270). Given it shows as bound to the VLAN when I change it back to the T40-W, presumably it just sits there in the config. Seems a bit odd but happy to leave it there if there is no impact down the…
-
It's not a policy that shows it (I've seen that before), but rather the VLAN configuration in my case since I have an SSID on ath1 connected to a specific VLAN. i.e. if I change the config from a T40-W to M270 then go save it as-is in Policy Manager (regardless of whether I change the feature key or not), when I go and look…
-
On the subject of trade-up oddities, the EOL webpage says for a T35/T35-W that the options are a T40/T40-W or a T80, yet the trade-up matrix ( https://p.widencdn.net/sijswa/Trade_Up_Program_Overview ) only allows for a trade-up to a T40/T40-W (there is no tickbox for T35 to T80).
-
It's an old thread, but came across it troubleshooting a T40-W with a new 400Mbps fibre Internet link getting substandard performance (typically 250Mbps) when I know a T35-W I have at home can get to about 550Mbps before hardware limitations throttle it.…
-
If you're using AD via RADIUS, then the RADIUS server itself needs to be configured to trigger the MFA prompt. For Windows NPS, you have to install and configure the Azure MFA extension - but be warned if you do this on your production server, all requests to it go to Azure for MFA (so any local AD only users will fail to…
-
Granted I've only had to deal with two other brands of routers (not firewalls) that have integrated LTE modems and even those ones have different SKUs for different markets. The comment about mobile devices having one SKU is not quite correct - again there are different models for different markets (even if only a few…
-
From when I did something similar: It removes the interface reference from any firewall rules - and if it renders the policy with no from or to entries, it shows up as "None" (in WSM at least) and throws an error telling you to fix the policies (i.e. put something else in or delete it). It doesn't delete the policies if you…
-
With VPNs to/from Azure, you need to make sure the MTU for the VPN is set to 1400 or less, otherwise you get a heap of retransmit errors. (This number is in the Azure documentation). You may see references to alternately setting the TCP MSS value to 1350, but this only affects TCP traffic so the MTU setting is preferred.…
-
I suspect some of our client's users will be in the "me too" camp in terms of CGNAT and mobile IKEv2 VPN connections - some of ours work fine here (Australia, New Zealand) and some don't work as well or at all. While I suspect this…
-
Only thought of this now, but another option for the Starlink T20 to connect to the T35 if all else fails is a BOVPN over TLS setup, however this does come with some changes on the T35 end which may conflict if you have an existing [mobile] SSL VPN setup. In some quick testing I do notice you can't use this setup with any…
-
Normally I'd say in theory - yes this is possible if you use on the Starlink (T20) end a BOVPN interface config that specifies a userid@domain identifier as the local gateway (as I believe Starlink issues a CGNAT address by default). [I've been doing this for 4G connections without issue so far]. The remote (T35) end in…
-
For Teams, the IP addresses/DNS names to use in the destination for the policy are taken from here (https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams). There are 3 different categories of traffic - start with the "Optimize"…
-
So it's not just me! In my case it redirects to https://:4100 which looks like it matches either the "WatchGuard Authentication" or "WG-Auth-WebBlocker" auto-inserted rules - where the invalid SSL cert in my case is the default "Fireware web CA" cert (the one marked as the web server certificate), which isn't trusted in my…
-
I know with the MSSP setup we have (as a partner) any delay (usually a day or so) is from having to get a new serial number per se from our distributor for the desired FireboxV size if we don't have one to spare given the SKU is MSSP specific. As for licensing, once activated in our account we can apply a license almost…
-
The only time I see this on the MSSP appliances I manage is when the appliance is unable to reach the licensing server to renew the feature key. (In my case, I have some M270 appliances on a WAN behind a FireboxV MED - and if I don't allow access for the M270 appliances themselves to get to the WatchGuard servers, they…
-
Have now finally deployed a Firebox with 12.8 for the scenario I was describing above, and sure enough it was lucky that 12.8 included this feature. Turns out that even though the WAN provider specified to use a VLAN tag, when they provisioned the hand-off, they set their side as "untagged" so was thankful (after…
-
I don't have the full implementation steps (it's somewhere on the Microsoft website), but you need to set up a Windows NPS server as your RADIUS server, then add the Azure MFA extension to it (involves some PowerShell from memory to link it to your tenancy). Assuming you have Azure MFA already set up, all requests to that…