james.carson

Hello WatchGuard Community users, If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

About

Display Name: james.carson
Visits: 1,124
Roles: Moderator, WatchGuard Representative
Points: 444
Badges: 7

Comments

  • If you're using policy manager, it'll be under Setup -> logging. If you're using WebUI, it'll be under System -> logging. You'll see the IP address of a log server populated if it has been set up.
  • Hi @jwright If both aren't working, that suggests there's either a problem with the config, or with the virtual machine. -If other PCs can connect, but the VM can't, the machine there is where I'd start. -If you can, I'd suggest trying to install either the IKEv2 or SSLVPN on the Mac itself and see if you can connect…
  • Hi @Spiro I can't tell you specifically what it is based on just that log. If you're looking for more information, I'd suggest opening a case. The port scan attack means that the firewall saw 10 new connections to different ports in one second (unless this value was changed in default threat protection.) If you are logging…
  • Hi @Spiro You should look at the blocked sites list on your firewall. (Firebox System Manager) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/blocked_sites_wsm.html (WebUI)…
  • @Spiro The first thing I'd suggest doing is making sure you're on the latest version of the AuthPoint gateway. The next thing to check is the logs for the gateway. They're in C:\ProgramData\WatchGuard\AuthPoint\logs You'll want to look at the gateway application.log file. Info there may help determine what the issue is.…
  • If it remains, after you save to the firewall, close, and re-open policy manager, I'd suggest just opening a ticket. If something does need adjusting, our team can assist.
  • If the interface is removed, it should just drop it (the firewall does the same thing if you move from an 8 port device to a 5 port device -- it just drops off those interfaces. It will give you a pop up warning to check that the interfaces are where you want them, but it should also allow the save with those ath interfaces…
  • @wciibb Has the server in question been rebooted since the logon app was installed? If not, it's likely the process linked to the actual console logon hasn't restarted and pulled down the new configuration that points it at the AuthPoint process.
  • @lacevedo Likely not because the firewall is using a proxy resource to reach out to that distant server. Have you ruled out an ISP issue from that link?
  • If an interface (like ath1, ath2, ath3, the wireless radios on a tabletop firewall) goes away, any rules using the aliases for those interfaces just flip to "None" if there's nothing else in that part of the rule. Policy manager will not allow you to save if a rule has "None" in it, and you'll need to add something to the…
  • @PhilT_VIT The trade-up values in the activation system are what is pre-calculated. The customer care team can manually do most trade-up types that aren't listed there (provided it's not something absurd like going from a T10 to a M5800.) I'd suggest opening a customer care support ticket (use the support center link at…
  • Hi @Roadmax I would suggest starting by looking at the traffic monitor logs on your firewall for any Deny or ProxyDeny traffic related to whatsapp when the problem is occurring. If there were no changes to the firewall before/after that outage, it's very likely not the firewall causing the problem. The issue you're…
  • @Sosna Unfortunately the only way to recover the device will be via an RMA swap, provided there is a current support contract on the T30. T30 is also nearly end of life ( https://www.watchguard.com/wgrd-trust-center/end-of-life-policy ) so it may be more advantageous for you to use it as a trade-up device.
  • Hi @travis_tmb Have you checked what you can actually transfer between sites? The ISP's advertised download speeds are generally asymmetric (meaning the download is higher than the upload) and that it is their max speed. Downloading a single file from a website will often not max out your ISP connection. Tools like iperf…
  • Hi @lacevedo The proxy consists of two parts, A channel and B channel. A is the side that goes from the client to the firewall. B is the side that goes from the firewall to the final destination. In your log, the error is on B channel, which is the firewall apparently trying to post something to the webserver that you are…
  • @ZoltanKallo This requires a VPN client where you can configure the proposals made by the phone, such as strongswan. See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_android_client.html
  • @GTBStrong The firewall will still respond to requests but with an appropriate message for the IKE version type, usually outlining that the request did not match a configured SA. The built in policy will attempt to interrogate any IPSec traffic that comes to it. If you do not want the firewall responding to any request,…
  • The bug ID for this issue is FBX-24474 -- the issue is related to a change in WSM that causes the query time to increase for blocked sites. FSM will fail to load the list in the refresh interval, and in some cases may stop responding. A fix is currently targeted for 12.9.2 -- the workaround is to use the WebUI for the time…
  • Hi @Willsmyth00 It's most likely that the rule governing access to the firewall isn't being matched anymore (either due to being changed or for some other reason) or your IP changed to one the firewall is not expecting. If you changed the IP addresses on the interface that you're working with, check to see that you're now…
  • The specific part "user doesn't exist, check your username" is most likely a response from Azure being passed to you by the firewall. (Note that I'm working with the log you posted here and nothing else.) If the user's name is particularly long or has special characters they may be getting dropped or messed up in the…
  • @GTBStrong You can use the WebUI to manage the blocked sites list as before with no issues, the problem only seems to occur via WSM. Customers that run into this issue tend to have very large blocked sites lists. Reducing the length of the blocked sites list can also help alleviate this issue.
  • Hi @prashan There are various "hidden" policies on the firewall that are controlled by options on the firewall itself. If your PCI/DSS compliance software is saying that you can't have remote access software, any VPN will count as such. The Allow IKE to firebox rule (the firebox's built in IPSec policy) terminates IPSec…
  • Hi @AMT I'd start by looking at the logs in traffic monitor (filter by the IP you're coming from to isolate your machine) and see if any errors pop up when you try to transfer files. If (for example) the button to create a new folder just isn't there when remote, it's more likely that there is some type of restriction for…
  • Hi @JosePerez If you want to configure specific policies to go out specific interfaces, use the SD-WAN settings in each policy to do that. If you're looking to send everything out globally the same, using multi-wan works as well.
  • @Leonid I'd suggest looking at the logs on the firebox (you may have to set IKE logging to the INFORMATION level). See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/set_diagnostic_log_level_c.html If the firebox is refusing the connection for some reason it should say why in those…
  • If you're authenticating an AD user, AuthPoint needs a connection to that server (be it Azure or regular on-prem AD.) If you're authenticating a local user (as in one that's just entered in on the PC itself,) you can create a local account in AuthPoint so long as the username matches the one on the machine exactly.
  • Without seeing your AD setup it's difficult to answer that -- I'd suggest using a tool like ADExplorer which can help build/test queries: https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer
  • Hi @Cristiano_D There isn't an ability to do something like this -- however, you can set up network locations to allow users to log in from specified locations. See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/policy-objects_network-location.html
  • Hi @NexusTK It's possible to do this -- you'd need to set the firebox up as a RADIUS resource and have the authentication go via the AuthPoint gateway's RADIUS server. The firebox would work off the AuthPoint group, so making the policy from line the AuthPoint group you expect to see would be the best way to make policies…
  • IKEv2 can be used, via StrongSwan, but SSLVPN can also be used via an openVPN client, (which there are many of for Android.) See: (Configure Android Devices for Mobile VPN with IKEv2) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_android_client.html (Use Mobile VPN with…