Comments

  • Hello xxup, Have you seen any more since yesterday ? We've had several GAV updates since. Ralph
  • Hello Mike, Ok, I figured this out. There's a data discrepancy between NA and EMEA analyst data. We're getting the vendor to investigate....I'll keep you posted
  • Hello Greg, The certificate is used for registration with Cloud. It is created at the registration time. There should be two certs created atm. One with a Pending status and one with Signed status. You can ignore/delete the pending one. It's a defect that's corrected on the next major release.
  • Hello Mike, Thanks for testing. There's always a reason for everything :) I'm looking into this. There must be a disconnect somewhere with getting the info out of the service.
  • Hello Mike, We'll get this logged as an enhancement to simplify integration of MS policies/exceptions. Ralph
  • Ok, thanks Mike. Looks like the result might be coming from the local AV cache given it's the same task ID. Try clearing it from the CLI:
        cache-flush scan
    I had the file re-analyzed and it's definitely benign. The file 89e8aef291ba8f41d5b797f644033ccf was found to be BENIGN.
  • Thanks Mike, That one was picked up yesterday as malicious because of that "invoices" link inside the file. Wondering if the Privacy popup with custom privacy options is tripping this. Do you have logs from day ? I'd like to get a more recent task_uuid to eliminate local AV cache.
  • Hello Mike, Could I get you to grab the md5: and the task_uuid: from the logs...
  • Hello Mike, The "invoices" link inside the PDF was identified as a malicious URL. Fake invoices with phishing links are super common. Let us know if you see any others...The sample you submitted was reclassified as benign.
  • Hello Chaos, "..so that dimension will hopefully run better because right now its dreadful...." Feel free to log a support case. The database may need a tune. The default settings (not exposed at the moment) might be inefficient for this environment. "...Is there a way to shrink the DB size once it has been increased ..."…
  • Hello GRD, Cannot replicate here. Direct WSM download link: http://cdn.watchguard.com/SoftwareCenter/Files/WSM/12_5_3/wsm_12_5_3.exe Both, the SHA1 hash and the installer, check out. Let us know if you're still seeing this and any other details you can provide to help track this down.
  • Yes, that's the plan to accommodate "multiple email servers behind a single Firebox" environments...
  • Via Content / Proxy actions...you can now select which Proxy Server certificate you want to use. See Policy Manager / HTTPS proxy / Select .Server based action / Set action to Inspect. Now, you can select which Proxy Server certificate you want to use. "....In Fireware v12.2 and higher, you can also choose to use the…
  • The OP's question was "...As the new FW supports multiple proxy certificates how is a certificate selected for use with explicit TLS over SMTP?.... " The multiple certificate support only applies to HTTPS and not SMTP. For SMTP, the proxy uses the Proxy Server certificate for TLS. This can be the default Proxy Server…
  • You don't select which certificate you want to use for SMTP. It uses the Proxy Server certificate by default. And as Bruce suggested, you would use the SMTP server's certificate+private key by uploading it to the Firebox as the Proxy Server certificate.
  • Hello, HTTPS only at this time. For SMTP, the proxy will use the default Proxy Server certificate. Either default or custom.
  • Hello Dominic, support for integrated AuthPoint is coming in a future release. At this time the gateway or similar is required for MFA control.
  • Has anyone tried setting the client's log level to debug, as suggested earlier ? This changes internal timing between components and may help here. A new client is being released next week.
  • Check out the Device / Authentication report. Try setting quotas to get data used. Set up a daily Managed Task for the Firebox / User Authentication report.
  • Ah ok. I'd suggest using the Tech Search to make sure your search covers all resources: docs, kbase articles and known issues. https://watchguardsupport.secure.force.com/SupportSearch/ "The HyperText Transfer Protocol (HTTP) 400 Bad Request response status code indicates that the server cannot or will not process the…
  • Just verified that we have this documented: https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g2kaSAA&lang=en_US
  • Doug, Check out below for application logs C:\ProgramData\WatchGuard\AuthPoint\logs
  • Hello Greg, Domain Name rules are domain based and are matched against the SNI or CN, if SNI isn't available. URL style patterns will not match in this instance. We're working on a fix. You'd have to create a Deny Domain Name rule to block the example posted by the OP.
  • @Bruce_Briggs The suggested workaround would only cover one of the two requirements. /* would not work in a Domain Name rule since we're only matching against the SNI, CN or IP. These are different from standard WebBlocker or HTTP proxy exceptions. So essentially, you'd have to Deny the desired domain via custom Domain…
  • Hello Bruce, Let's concentrate on just one rule. As noted by the OP, "....the proxy is allowing the connection because login.microsoftonline.com is in the predefined content inspection exemption list......". If we disable the pre-defined rule, that stops the exception from matching and we can block the phishing domain. Now…
  • We're replacing pre-defined exception rules to prevent matching.
      - disable *.microsoftonline.com and login.microsoftonline.com. This gets rid of erroneous matching
      - add *.microsoftonline.com/ * and login.microsoftonline.com/ * Domain Name rules with Allow action. This replaces disabled rules to ensure Content Inspection is…
  • Thanks for reporting. I'll get this bugged... in the meantime, disable the two predefined exception rules then create Allow Pattern Match rules by adding /* to the end of the pattern. This should prevent the override and still skip inspection. You can then catch it by blocking the Newly Registered Domains category or by…
  • Hello Indrek, Does changing the log level on the client to Debug change behaviour ? right-click tray icon / properties
  • Hello Marsk, Here's the full chain for this certificate. Make sure links 1 and 2 are present alongside your webserver certificate when importing. 0, 1 and 2 certificates are your responsibility. Client is responsible for having the issuer of link #2 in its CA store. 0 s:/OU=Domain Control…
  • Hello Marsk, Check out below and let us know what's missing.. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/certificates_intro_c.html https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_protect_private_c.html