Comments

  • Also I would personally have any VPN use a NAT so that it isn’t using my Local IP pool anyways. /16 is way too many addresses for a VPN anyways.
  • There is no true way around this. If the subnet of a client is the same as your network then the routing will fail. The only way to fix is to change one of the subnets since there is no 1:1 NAT function on mobile VPN. I personally stay away from /16’s for my main network because it can be super limiting for routes. I…
  • https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/authpoint_settings.html
  • You can adjust the timeouts between pushes on the portal in global settings… I believe that is also where you configure “block user after X failed attempts”.
  • EDR is designed to work with other endpoint solutions*
  • You could replace TDR with “EDR”, which is the part of EPDR that does what TDR used to do. You could also open a ticket and see if WG will help with your TDR issue. I just wanted to make sure you know that the TDR basket is changing in the long run.
  • > @"rv@kaufmann.dk" said: > Ahh... > https://community.watchguard.com/watchguard-community/discussion/1959/tdr-what-is-the-road-map-for-this-product > > Maybe we get a free upgrade to replace the TDR? > > /Robert > @"rv@kaufmann.dk" said: > News to me TDR is going EoL. > Replacing TDR with EPDR has a cost and for us, we…
  • I advise removing TDR and replacing with EPDR. WatchGuard will be changing TDR to be a "Log aggregate" type service for the other services in the future and is moving towards getting all of the stuff it was doing on the endpoint-level to EPDR. Otherwise I have not seen this issue... that said we have actively been removing…
  • That is up to you and how many public IPs you have. Either option you listed will work... though the more specific you can get the better usually. If you only have one Public IP, "Any-External" should be fine. However, if this uses 443, and you have SSL VPN running on 443 as well you will have port conflicts if you don't…
  • I would also enable "Logging for reports" so that your Dimension server or WG Cloud Visibility gets the logs and you can monitor how much the policy is being used over a period of time (or if it is being used at all). Enabling logging for reports where possible on your policies is a good practice to get into (it's nice when you want to do a…
  • Technically, best security practice in general is to do away with role accounts. A lot of MSPs are getting cracked down on and are beginning to be required to do away with role accounts in order to meet compliance regulations for certain things now. TechIDManager is a third-party tool built to allow MSPs to build specific…
  • > @tantony said: > I'm a new user to WatchGuard, I'm used to Meraki. Anyway, I opened a ticket with WatchGuard support on 7/8, and I have yet to get a reply. Is this normal? > > I resolved the issue by asking on WatchGuard community, because they respond faster. > > Meraki support is 24/7 and fast. How fast your response…
  • Yeah, WOL is a type of broadcast, and broadcasts (on the WG at least) are restricted to the subnet (which is by design, since subnet routers are supposed to control each network like it is a separate “broadcast domain”).
  • My talks with them indicate that they are working on it. That said I would want them to get their new Cloud Wireless where the old cloud wireless portal used to be (as far as the logs and information/security features go) before they add another product type to their portfolio… I understand the need for a single pane of…
  • As someone who has been in several talks with WG on this (at both Gold and Platinum Partners that I worked for), it is my understanding that their firewalls are not fully cloud managed; we have the option to be local or cloud managed. I don't believe the firewalls will experience the same... unique... treatment the WAPs…
  • IKEv2 usually performs better. I have several clients running IKEv2 with no issues. The only time issues happen is when a Windows update breaks it, causing said clients to use SSLVPN as a backup until WG comes out with a patch to fix what they broke. 12.8 also added some IKEv2 bug fixes and support for MobIKE.
  • RD Web works with this. I advise using RD Web to Authenticate and then just using Logon App to lock down the RDP files that the RD Web console downloads if they are using Chrome (if in Edge have clients open this in IE mode and then the client won't download) Their RD Web integration is much more Geo friendly :-) This has…
  • Correct, OTP and QR Code are methods for offline MFA. QR Code is technically the "Preferred" method if you are to go "anti-OTP" one day (good luck with that mantra...)
  • > @TestingTester said: > We had put them into one of our staff members homes. He has four between the main house and one in a horse barn area. So far, I guess they are working great. I do worry a bit about Fast Roam without a WLC, not like the WG one ever worked very well. > > In smaller environments the MerakiGo APs seem…
  • It will not use Microsoft tokens. If you want it to be used as OTP for 365, you have to tell 365 to use a third party (usually they have Google as an option) and then you can scan with AuthPoint (or other MFA tools). Microsoft tokens are usually managed by Microsoft and are not transferable to a 3rd party unless they are…
  • https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/Office365-AuthPoint.html
  • It can hold tokens but if you want it to do PUSH you need to use the SAML integration.
  • What issues have you run into with .local domains? All ".local" domains I have ever used have worked fine, with fewer issues than ".com" ones or even sub-domains.
  • The cause is just a public DNS conflict. I never have issues with .local domains. There are 3 fixes: 1st fix (Recommended if you have bandwidth for it): Turn off split tunneling and fully route through VPN. This will force your users to use the internal servers before routing out. 2nd fix: ** is to manually update the…
  • Is there a roadmap showing what features ARE being worked on? Haven’t seen many changes to the portal lately other than giving us the ability to do basic troubleshooting…
  • I recommend MFAing a VPN connection that then connects with MFA to the term server and having the remote users do that, since their personal machines are more difficult to control. RD Web is a decent solution for this.
  • Requirements are in the documentation: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/logon-app_about.html
  • Nope. The only way around this is to add usernames to the bypass list in the config. Logon app will lockdown all accounts with MFA and doesn’t work fully with Azure login. It’s not recommended for personal computers unless you want your users to go to you when they decide to add another profile (like their kids) to their…
  • I personally don't use TDR anymore. I use EDR (or better yet EPDR) since it is a nicer product and is not nearly as resource intensive.
  • It is cloud only. All new WG WAPs are cloud only and won't be managed by Gateway Wireless Controller. All new WAPs (Models that come out October 2021 and onward) are managed in cloud.watchguard.com. The GWC/ original wireless cloud WAPs are Arista models (Arista bought mojo networks)... the new models are made by WG and…