james.carson

Hello WatchGuard Community users. If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

About

Display Name
james.carson
Visits
810
Roles
Moderator, WatchGuard Representative
Points
352
Badges
7

Comments

  • Hi @Beau The IKEv2 config files are specifically designed for the IKEv2 clients built into modern OSes. The WatchGuard/NCP client doesn't support IKEv2. If you'd like to use IKEv2, please use the guide here to set up your client: (Configure Client Devices for Mobile VPN with IKEv2)…
  • Hi @Morse If you're looking for a way to better organize policies, I'd suggest using policy tagging, which allows you to tag and color code the policies. This is (mostly) possible in some cases via policies like the TCP/UDP proxy. However what you're suggesting is basically a complete overhaul of how the policies work.…
  • Hi @mknox Unfortunately Windows doesn't provide a way to make the tunnel split, or exclude routes -- it wants to build it as a forced/zero-routed tunnel. You can use PowerShell to edit the routes used in the IKEv2 VPN, and there are multiple tutorials around the internet showing how to do this. For most end users, this…
  • Hi @itCOdtQ Botnet just blanket blocks an IP based on multiple threat sources. It doesn't have any context as to why a client might be trying to visit a site. Sites are often hosted on CDNs that host content for multiple sites on one IP, so it's completely possible that a client was trying to reach a legitimate site.…
  • Hi @Pramod Which VPN are you using? SSL, IPSec, IKEv2, or L2TP? Unless it's a manual firebox-db user, account passwords are usually handled by the authentication server the firebox is pointed at. Currently the VPNs do not enforce "custom sessions."
  • Hi @djsl1210 The Hue bridge won't work through a proxy, as it tries to send non-HTTP data over port 80, which the proxy will quickly drop. Lots of consumer devices do this because port 80/TCP or 443/TCP (the HTTP/HTTPS ports) are almost never blocked on home routers. If you haven't already done so, setting a DHCP…
  • Hi @svitadmin The other user here is correct, it requires strongSwan, which is not always installed by default in every distro. Most distros include OpenVPN support by default, which is compatible with the SSLVPN. If you're having trouble getting it up and going, the OVPN file from the firewall into the built-in OpenVPN…
  • Hi @Adam_Fontenot The feature key comes from the same security subscription download server (services.watchguard.com) that a few users have been having issues with over the weekend. If you run into this issue, it should connect eventually, but manually applying the key is the fastest way around it.
  • Hi @Pat AuthPoint is licensed completely separately from the firewall (the idea is that anyone can use AuthPoint, whether they're using a WatchGuard firewall or not.) The connection to WatchGuard Cloud should work regardless of what level of logging you have (basic has 1 day, total has 30.) If you're just paying for support…
  • Hi @Francesco In order to get those checkboxes to show up, those logs need to have gone by in Traffic Monitor before you right click -> event notifications. If you're not seeing them, try logging in and out of SSLVPN then right clicking in FSM.
  • Hi @CharlesC Check that your SMTP policy is allowing communications from "Any-Trusted" or "Any-Optional." See SNAT Loopback here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
  • Hi @CharlesC If you're able to do so using the WAN IP, but not the web address (DNS name) whatever internal DNS server you've defined is likely directing you to a different IP or a wrong IP. If you type "nslookup <mailserver.name>" do you see the IP address come back that you expect? If the address is incorrect, you may…
  • Hi Dramis, Auto-order mode isn't really a thing in the CLI -- the firewall just puts the policy wherever you tell it to put it. If you use CLI in addition to WSM and/or the WebUI, it'd still be a good idea to go turn it off -- but if you just use CLI, it should never invoke. This is because auto-order mode invokes when…
  • @Jason_Bramley I've provided all of the information given to me here. If you need more, I'd suggest a support ticket.
  • subdomain would be the "afb1, afb2, etc" As long as they're unique, DNS/WINS should handle them. The firewall doesn't do anything with the DNS queries, so as long as you've NAT'ed them out appropriately you should be fine. If you'd like to direct the DNS queries elsewhere you can use DNS redirection.
  • Hi @GePo Using Notification Source: Devices Notification Type: Cloud Connection Status Should generate the type of notification you're looking for (This is in Administration -> System -> Notifications.) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/notifications_configure-rules.html This…
  • Hi Robert, This sounds like a support case -- we'll need to get logs to determine why the service is taking up so much memory. The ticketing system should allow you to create a case without a firewall serial number for AuthPoint related cases (just choose product family "watchguard endpoint security" and you should see…
  • Hi @RobE -What version of fireware is your firewall running? -What model of firewall are you running? -Are any of the categories in the following area turned above "error" --In Policy Manager, go to Setup -> Logging, and click the Diagnostic Log Level button. --In WebUI, go to System -> Diagnostic Log. PIM is usually…
  • Hi @martindavidsson I'd suggest looking for any deny logs for any protocols that you might be trying to use. PPTP will attempt to stand up a GRE tunnel, and depending on how the rule you created is set up, may not be allowing this. I would suggest considering using a different VPN technology. PPTP is not considered secure…
  • Hi @Will00 The SSLVPN config should carry over, but without seeing the logs from the issue, it's difficult to say what might have gone wrong. If you have not done so already, I'd suggest creating a support case by clicking the support center link at the top right of this page.
  • Hi @BillOfBo The firewall itself doesn't resolve DNS, it just forwards it or directs the PC that accessed it to the correct place. Anything related to WINS or DNS would need to be changed there. Since it's Windows, AD DNS should be able to be authoritative for each subdomain. Making sure each DNS server can reach the others…
  • Hi @Bob Changing the Vendor_ID on the VPN server isn't possible on the firebox. Please see: https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA16S000000SO0eSAG&lang=en_US If you're looking for a workaround while Microsoft patches this issue and can't rollback, consider using the SSLVPN which uses its own…
  • @Alex_S It's not possible to disable vendor_id on the firebox. https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA16S000000SO0eSAG&lang=en_US The firebox isn't running Microsoft's remote access services, so the setting changes they suggest may not match or even be possible. There are OpenVPN based clients…
  • Hi Robert, If the policy has a time option, and it isn't in the timeframe that you selected, the policy is just skipped. I would suggest making two policies if you're looking to enable MFA after hours. -During normal hours, have your network location and time in one policy. -After hours, just have the time and no location,…
  • Hi Robert, Does it use this amount of memory all the time? The gateway consists of a few components (Gateway, RADIUS, LDAP, and ADFS agents.) I'd also suggest making sure you're on the latest version -- the installer can be found in the AuthPoint area of WatchGuard Cloud.
  • AuthPoint supports some 3rd party hardware tokens, you can see the specs here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/tokens_hardware.html The only app that is supported is the AuthPoint app for AuthPoint tokens. There's some additional functionality baked into them that allows push…
  • I will get something filed for this. Thank you for the feedback.
  • A KB has been posted here: https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA16S000000SO0eSAG&lang=en_US We're exploring if any changes need to be made and will update that KB article accordingly.
  • Hi @ms0 There is an open feature request, FBX-7227, which includes adding DH groups 16 and 18. There's no ETA as to when this might be available. If you'd like to follow this issue, please create a support case and mention FBX-7227 somewhere in the case. The technician can set the case up to follow it for you.
  • Hi @MGNL AuthPoint isn't really designed to authenticate devices, so it might not be handling what you want to do gracefully. -Do you see any reject log in your audit logs in WatchGuard Cloud? -If you check C:\ProgramData\WatchGuard\AuthPoint Gateway\logs, do you see anything in the radius logs? The attribute is how…
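The reply to @mknox above mentions that the Windows built-in IKEv2 client can only be turned from a forced (default-route) tunnel into a split tunnel by editing its routes with PowerShell. The following is an added example of that procedure, not code from the original page or from WatchGuard. It assumes a per-user VPN connection named "Corp IKEv2" and internal networks 10.0.0.0/8 and 192.168.10.0/24; substitute your own connection name and prefixes, and add -AllUserConnection to each cmdlet if the connection was created for all users.

```powershell
# Added example (not from the original page or from WatchGuard): convert the Windows
# built-in IKEv2 VPN connection from a forced (default-route) tunnel into a split
# tunnel by disabling "use default gateway on remote network" and adding explicit
# routes for the internal networks that should traverse the VPN.
#
# Assumptions (hypothetical values): the connection is named "Corp IKEv2" and the
# internal networks are 10.0.0.0/8 and 192.168.10.0/24.

$ConnectionName   = "Corp IKEv2"
$InternalPrefixes = @("10.0.0.0/8", "192.168.10.0/24")

# Fail early if the connection does not exist in this user's phonebook.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Stop the VPN from becoming the default gateway. After this, only traffic matching
# the routes added below is sent through the tunnel; everything else uses the local
# internet connection and is not inspected by the Firebox.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Add one route per internal prefix. These routes are stored with the connection and
# installed each time the tunnel comes up, so they survive reconnects and reboots.
foreach ($prefix in $InternalPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Verify the result: SplitTunneling should now be True and the routes listed.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, ServerAddress, SplitTunneling
Get-VpnConnection -Name $ConnectionName | Select-Object -ExpandProperty Routes
```

Run this from the same user context that created the connection (or with -AllUserConnection for a machine-wide one), then disconnect and reconnect so the new routes are applied. The trade-off to keep in mind is the security one the forced tunnel was giving you: once split tunneling is on, only the listed prefixes are protected and inspected by the firewall, so keep the prefix list tight and make sure the Firebox's IKEv2 resource configuration actually permits those networks.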