james.carson

Hello WatchGuard Community users, If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

Comments

  • For anyone that stumbles on this thread later looking for the answer, it's under System Status -> Diagnostics
  • Hi @Griff I'd suggest starting with whatever that DLL is -- if that driver is throwing out your authentication for some reason, fixing that is going to be the key to getting it working. If you can determine what app installed that DLL, I'd suggest interfacing with the support team from that product to find out what it's…
  • @SMSystems Our SSLVPN is generally compatible with any OpenVPN client. If the device you're using isn't compatible with OpenVPN, then you will likely need to find a different VPN option.
  • Hi @Wesley If you are using RADIUS, you can require OTP or push, but not both. There's no way to make that distinction with RADIUS.
  • @UWBCAdmin No, "Trusted" and "Optional" are just aliases that you can use in policies. The default policies that the firewall builds only handle outbound traffic. You need to make any rules that handle traffic between networks. If you want to allow any type of traffic between trusted networks, you can create an "any"…
  • If the cluster is replicating properly the certificates won't change. Check the cluster health scores in the status report (in FSM) if you want to check. They should all be 100.
  • Hi @PDD You could likely do this with a BOVPN Virtual interface, which allows you to set metrics for your routes: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_vif_metric_failover_c.html
  • Hi Jon, The cluster members sync what cert they use. Whatever one the current master is using is the one you'll want to download for content inspection.
  • Hi @Drive It looks like your upstream IP is also an RFC1918 private IP address (meaning something upstream is NATing too.) Have you verified your traffic is making it to the firewall? If the firewall is denying this traffic you should see a red deny message in traffic monitor for that traffic (it'll likely help to search…
  • Hi @Simar5710 It is possible to use alternate Authentication servers for most features, but you generally need to specify that -- it's not automatic. -If you're using the web sign on a webpage (like the 4100 authentication page) you can specify the auth server via a dropdown menu. -If you're authenticating via SSLVPN, you…
  • Hi @PhilT_VIT The issue is the sysb firmware. That is the firmware the firewall boots into when doing a factory reset (which is part of the rapiddeploy process.) If you are running into issues with features that are not supported, I'd suggest getting a baseline config via rapiddeploy, and applying anything else you might…
  • If you have a spare port on the WatchGuard, and another way to power a test AP, you can try tagging the VLANs as you expect on the WG firewall and plug directly in.
  • @DavidM2357 it's a bit odd that they'd specify just a GRE tunnel. There is a feature request for this, but I don't have an ETA as to if/when it might be available. The request ID for that is FBX-21224.
  • Hi @DavidM2357 it looks like that broker service acts independently of the firewall -- I don't see any reason you wouldn't be able to use that if you wanted to. The firebox doesn't provide any IPv6 over IPv4 services natively.
  • @SkyJaxx It will stop saving as it can't find the correct ID (assuming it doesn't just start writing to the ID it believes it is now.)
  • @Gakusei * As far as I'm aware, the scans are checking for the presence of the cert and not that it matches the domain name. If they did fail you for this, the solution would be to have them use the domain name instead, as 3rd party CAs will generally not sign certs with IP addresses in them. * This won't do anything to…
  • @cmc I would suggest checking device serial numbers before buying to see what their current status is: https://www.watchguard.com/archive/SNLookupActivation.aspx Also, be mindful of the end of life dates for devices: https://www.watchguard.com/wgrd-trust-center/end-of-life-policy
  • @SkyJaxx it will assume it's a new machine and may simply halt. If you're unsure how the ID might have changed, I'd suggest opening a support case so that our team can look into the issue via logs from your device(s).
  • Hi @Adam_Witwicki WatchGuard is currently working with an older version of OpenVPN due to multiple issues the newer versions introduce. Supporting these services is simply not a matter of slapping the latest code onto the firewall. The latest OpenVPN versions drop support for bridge mode (which many of our customers use)…
  • Hi Adam, We certainly strive to work with all of our customers in a timely manner. I would suggest asking that your case be escalated to our management team if you feel that your case is not being handled appropriately. I can also flag your case for review by a manager if you can reply with the case number.
  • Hi @Robert_Vilhelmsen Added as a request via FBX-25255
  • Hi @wsg Your site is compromised, which is why it keeps getting auto categorized as such. I've created support case 01887563 to provide you with more details. Please click the "support center" link at the top right of this page, log in if you aren't already, and go to My WatchGuard -> Manage Cases. You should see your case…
  • The FTP rule is in place to allow passive mode FTP transactions. Without that rule they will not work. If you don't use FTP, it's fine to erase that policy. You can read about the default policies and actions here:…
  • Hi @Ari2x Taking a look at your case, your technician appears to be pointing out some errors they're seeing on your external interface that potentially means dropped traffic. I would suggest looking into that as it may provide more information about your issue.
  • There is not currently an AuthPoint logon app for any version of Linux. It may be possible to log in via AuthPoint if authentication is set up via SAML or RADIUS. However, any bypass mechanism would need to be set up by the admin (such as an alternate authentication server) as there'd be no way to select that on that…
  • I've closed this thread as the topic keeps attracting spammers. If you're running into this issue, please consider opening a new thread or a support case.
  • Hi @cmc It looks like the recovery partition on that appliance was either wiped, or is corrupt somehow. The only solution for this device would be to RMA it. T30 and T30-W are going end of life on June 30, 2023, so unless you are planning to RMA the appliance right away, I'd suggest simply using it as a trade-up device.…
  • If they aren't removed via the retirement process, create a "customer care" type support case and mention the names and serial numbers of the firewalls that aren't being removed. They can be manually removed.
  • @EricP Application control doesn't use DNS at all. Application control can be applied to policies and uses signature based definitions to match against known traffic. FQDNs can be used in policies, and the firewall will attempt to snoop the DNS servers via DNS traffic that traverses the firewall. (This works best for…
  • The firewall isn't seeing any payload traffic -- the sending MTA might be waiting for something. The 451 from the server suggests that the problem may be on the sending or receiving side. Office365 uses 451 as a rate limiting response, so if the problem fixes itself, it's likely that.