james.carson

Hello WatchGuard Community users, If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

About

Display Name: james.carson
Visits: 881
Roles: Moderator, WatchGuard Representative
Points: 410
Badges: 7

Comments

  • Hi @rsradvan210922 The firewall will continue to run, but will not receive any software updates, bugfixes, or feature enhancements. M200 is also going end of life at the end of the year. If you configure more than one 'device administrator' user, only one user can edit the configuration at any given time.
  • @JasonCrawford If you click through to the VPNs, you won't be able to edit the managed ones - they'll be grayed out. This applies to both WSM and the WebUI.
  • Hi @GDA, This is an open feature request; its ID is WCD-2464. If you'd like to follow it, please create a support case and mention WCD-2464 somewhere in the case. The tech assigned to the case can set that up for you.
  • Hi @Norman You should be able to enable IPv6 on multiple interfaces. The DHCP pools for IPv6 can be derived from one of the externals, but do not necessarily have to be. In general, we can't run two DHCP servers on the same network. For this (and other feature requests) I would strongly recommend creating support cases.…
  • In addition to the above, you'll see the VPNs listed in VPN resources on the management server under each firewall.
  • @JasonCrawford If you're in WSM, you won't be able to edit managed tunnels -- everything will be grayed out. They'll also usually have the term "dvcp" somewhere in the name unless it was edited out when they were initially created.
  • Hi @Keven There is an open feature request for this - it is FBX-15765 -- if you'd like to follow it, please create a support case and mention FBX-15765 in the case. This issue is currently open -- and a proxy would take some time to develop -- I would suggest using a packet filter for the time being. The existing FTP proxy…
  • This should be more readable: msiexec.exe /i AuthPoint_Gateway-7.0.1-534.msi ONETIMETOKEN="registration key" /L*V log_gateway.txt /q
  • Hi @KevinD The Installer itself requires a GUI to copy/paste the gateway ID into it, but that's all. Once it's on the machine, there's no GUI or anything. You should be able to specify the key via the CLI if you invoke silent mode. Be sure to make it write a log file so you can see if anything went wrong after. Your…
  • Hi @Bek It is possible on some of the firewalls. I can't speak for FortiGate, but I would assume it is possible there as well. If you're looking at spec sheets, please keep the following in mind: -Throughput speeds show aggregate throughput. i.e., all of the VPNs running via the box, not one specific data stream to one…
  • I'd suggest creating a support case so that one of our support team can assist.
  • Hi @Joris85 I'd suggest taking a look at the list of supported BGP commands here: (BGP Commands) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dynamicrouting/bgp_commands_c.html If you're still running into an issue, I'd suggest opening a support case using the support center link at the top…
  • Hi @UBu By default the IKEv2 allow policy allows access to any resources -- and the VPN route is a full tunnel. I would suggest a support case so that we can look and see what might be happening. You can create a support case by going to support center at the top right of this page.
  • @James_S512 It can (in theory) be used, but the user in question would get a push every time they move from AP to AP or anything else happens via RADIUS. For most circumstances, using Windows NPS will be the best way to implement RADIUS for WPA2/professional.
  • When you create the gateway in your VPN, make sure you pick the ISP you're trying to use from the drop down menu. There needs to be a gateway set up for each ISP IP you're using.
  • There are a lot of territories and other possessions that are affiliated with countries you wouldn't think are correct (there are a lot of Dutch-owned islands in the Caribbean, for example.) If the country is labeled properly, it's likely correct -- if you have any incorrect IPs, I'd suggest opening a support case and we…
  • @HeroldEng I'm not sure why the RADIUS server is responding with 3 different attribute 11s -- it'll generally reply with one, and separate the groups with a comma or similar. The firewall will generally take whatever one it sees first. Does it work if you add "IKEv2-Users" and "MFA_Admin" to the list of allowed groups?…
  • @HeroldEng You can use the TCPDUMP tool inside firebox system manager to see what's coming across. -In FSM, go to Tools -> Diagnostic Tasks. -In the network tab, choose TCP Dump from the drop down menu. -Check the advanced options box. -In the arguments box, type in "-i eth1 port 1812" without the quotes. Replace eth1 with…
  • If you're using AD via authpoint you'll need to be using NPS -- Is NPS set up to pass that group?
  • @ChristianN That's the gateway wireless controller logging into the AP to manage it.
  • The log here suggests that the firebox is attempting to SSH into something on your network. If you haven't set anything up to do this, I'd suggest opening a support case so that we can look into the issue. I would suggest opening a support case so that one of our team can look into this -- there are a few possibilities…
  • @HeroldEng The firebox is looking for the group that the user is a part of to be in the RADIUS server's Access-accept message as attribute 11 (also known as FilterID.) AuthPoint will output the group the user is in -- just make sure that the same group is present in your SSLVPN configuration. See the post below. The group…
  • @agmr You should be able to go directly to the latest version -- provided the device still has support. If you don't have support, you should still be able to upgrade to 12.5.9.
  • Hi @jdbaron25 The new owner will need to do a transfer of ownership. Just have whoever purchases it do the following: -Create an account at WatchGuard.com if they don't already have one. -Open a case by going to: https://watchguard.force.com/customers/CustomerCommunityHome or calling 1.877.232.3531 -Select the option…
  • Hi @David_Grilli It is possible to create a QR code to connect the user to the SSID and provide the WPA key, but there's no mechanism inside iOS or Android to get the voucher code into the browser. There are many sites on the web that'll make a QR code for your SSID for you, just search for "QR code Wifi generator." What…
  • Hi @Munkhdavaa I'd suggest starting by looking at the traffic monitor on your firewall and searching for the IPs that the Nextcloud server resides on. Look for any denied traffic, which can give you an idea on what ports might need to be opened up. If NextCloud offers any documentation on what ports need to be open for…
  • Hi @Bill_F The general direction for the SD-WAN monitoring tools is that they are enough to perform the task needed by the firewall. -For customers that want to send multiple link mentors out per address, you can do this, but only one will be used for SD-WAN metrics. -If you'd like to monitor/log multiple external targets…
  • Hi @tantony The logs you posted show that the destination IP is in the USA. The screenshots don't really help here. -Don't assume that a country's webpage is hosted in the country it is for. Webservers can be located anywhere. -Geolocation is based on the location of the IP in a database -- not the top level domain. If you…
  • Hi @Cristiano_D At this current point in time, there isn't a way to do this. The user should get an error should they attempt to log into a SAML or IDP resource with that status, however.