james.carson

Hello WatchGuard Community users. If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

Comments

  • @KAndersson I'll pass your request on to the product managers. There is an existing feature request, and that is AAAS-12937. If you'd like to follow that request, please create a support case and mention AAAS-12937 in the case.
  • Hi @KAndersson FIDO2 does not appear to currently be on our roadmap. It may be in the future. -We do support both WatchGuard branded and third party hardware tokens. See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/tokens_hardware.html -The AuthPoint app supports other 2FA methods, such…
  • All of the logs are saying that B channel (the side of the connection from the firewall to the distant webserver) are failing. I would check that side of the connection. If this is failing for multiple sites, it might be possible that IPv6 is not set up correctly on this/these firewalls.
  • Hi @olivier_simard In theory OSPF should work so long as it's a valid VLAN ID (valid being 1-4094.) I would suggest looking at the OSPF status in your status report (you'll need WatchGuard System Manager to see this.) (Firebox System Manager Status Report Example)…
  • Hi @KAndersson Under most circumstances, modern OSes (Windows 10/11, supported versions of OSX, most Linux distros, iOS, and Android) will do a network connectivity check when connecting to WiFi (with the purpose of seeing if there is a captive portal.) NAE has a few checks -- if it's lagging I would suggest opening a…
  • Hi @morpheus27 See the article here: (Custom IKEv2 and L2TP VPN profiles for Windows computers) https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bopASAQ&lang=en_US
  • Hi @Gmanry -Are you sending traffic across a new leased line or a branch office VPN? If so, see: (BOVPN and Network Address Translation) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_and_nat.html If you're going over a leased line that is marked as an external interface,…
  • Hi @mhakin If we're seeing them on the receive (RX) side it generally means they're arriving at the firewall that way. That specific counter only resets on firewall reboot, so if the firewall has been up for some time, that may not be too alarming. I'd suggest opening a support case with that information and one of our…
  • Hi @crm_informatica The error you're seeing is suggesting that the SSLVPN simply can't connect - it's asking if you want to use a cached version of the profile for the firewall from the last time you successfully connected. The country your Firebox resides in is well known for restricting VPNs. If you're unable to access…
  • Hi @adasi I'd suggest opening a support case by calling 877.232.3531 or by clicking the support center link at the top right of this page. It's difficult to tell what might be happening here with just the error message.
  • Hi @Infra If you are in manual order mode, and if you create a policy to/from "firebox", you can use the policy name to make note lines, if that is helpful for you. You can also use policy highlighting to color code your rules if that helps you organize. See:…
  • Hi @morpheus27 Provided your DNS server that the VPN is using can resolve the domain name (as it will only be resolvable via the AD DNS server) I don't see why it wouldn't work. I've not specifically tried this, but as long as your Allow IKE2VPN_Users policy allows traffic to the DC it would in theory work.
  • Hi Bruce I opened a feature request for this. That is FBX-27166. In the meantime, you can pull this data via the webUI via a support file. -Go to System Status -> Diagnostics, and select Download a support log file. Open the TGZ file that is downloaded, and navigate to:…
  • Hi @CLS_CPA By default the firebox allows all traffic outbound. If you're using a proxy, you can add those sites to the HTTP proxy exception list. However, I would try using the site first -- if you're not having any problems accessing it/them, you'll likely not need to do anything. See: (HTTP proxy exceptions)…
  • The firewall may also display this error if there's simply no usable route to that host -- for example, if you are using multi-WAN link monitor to determine if an interface is up or down, and it's marked down - the firewall won't use it.
  • The firewall will show that error if ping can't determine what interface to send traffic out. Try specifying the interface via the advanced options checkbox. You can supply an argument like this (pretend 160.51.52.53 is the external IP of the interface I want to ping from - use whatever your external IP address is on the…
  • Hi @Roberto It may help to turn logging off on the firewall to your log server, save, and re-enable it -- that'll restart the entire connection process. We don't support the Windows log/report server anymore, and it hasn't been updated in several years. If you're able to run Dimension, I would suggest looking into setting…
  • Hi @amccann I'm happy to make the request, but please understand that the categories are based on Forcepoint's Websense product. If you are looking to deny these sites via WebBlocker, a manual exception for each of these sites may be the best way for the time being.
  • Hi @BryceGiroux If you'd like to pull stats from both devices, your SNMP server will need to be on the same subnet as the management interface for the FireCluster. If you're reaching it from a different network, or across a VPN, you will only be able to access the current master device.
  • Hi @usifirebox Why are you using non-RFC1918 addresses as a private subnet? Since this traffic is just going to be NAT'ed going outbound, this doesn't add any security to the network. RFC1918 reserved address space for private networks: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)…
  • Hi @amccann For applications like RMMs, I would suggest looking into Application Control. Many of the common systems (anyconnect, goto, teamviewer) are available as actions that can be applied to policies.
  • -AFP vs SMB. Info on Apple's website (specifically their forums) suggest that AFP performs in the same manner (where it expects to see an ACK of the previous blocks prior to sending more.) FTP is a good alternative to test with if you're looking for something to compare against, as it's designed to stream across a WAN.…
  • Hi @JethroD Based on what you're describing, the speeds you're seeing are likely a combination of the following things: -Network speed (between the two points, upload and download.) -Protocol in use to test and/or transfer files. (this is very often SMB) -Latency between the two points. -Use of a full tunnel vs a split…
  • Hi @unitedregional You'll need to add the user in Users and Groups first. Once the user is there, you can add it to policies. See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/define_users_groups_about_c.html Please note that the usernames are case sensitive, and will appear…
  • Hi @Greg That page is continuously updated. In the meantime, you can find details and scores for each vulnerability at NIST's website: -This release updates the version of OpenSSH used by Fireware to v9.6p1 and addresses CVE-2023-48795. [FBX-26195] https://nvd.nist.gov/vuln/detail/CVE-2023-48795 -This release updates the…
  • Hi @devnull4u I did some testing and was able to get this to pop up on one of my testlab firewalls with no module installed. I opened a feature request to clean up that log message - that is FBX-26563. Please create a support case and mention FBX-26563 if you'd like to follow that request.
  • @GeorgeWillow Yes. Create a support case and mention FCCM-4622 in the case, and that you'd like to follow that feature request. The technician that is assigned the case can set it up to do that for you.
  • Hi @devnull4u A log message like this would generally suggest that some of your logging may be turned up past error, or that the 3G/4G modem feature of your T80 is enabled but isn't finding a device. We'd be happy to help fix this issue for you, but we'll need more information about how your firewall is configured. Please…
  • Hi @Alex_S If you want to follow or get status updates on this feature request, please open a support case and mention the feature request number. The status of these requests is currently: FBX-4651 - SUN-RPC <- Closed; FBX-16085 - DCE-RPC <- Open but no updates
  • Hi @GeorgeWillow There is currently a feature request open for the ability to turn TCP SYN checking off for cloud managed devices. This is FCCM-4622.
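The reply to @usifirebox above asks why internal networks are numbered outside RFC1918. The snippet below is an added example, not code from the forum post or from WatchGuard: it audits a list of internal subnets (the list is constructed here for illustration) against the three RFC1918 blocks and flags the ones that are public or that straddle the private/public boundary, which is the case that a plain "is it 10.x" glance misses.

```python
import ipaddress

# RFC1918 private address blocks (the third block, 192.168.0.0/16, is the one
# the quoted post was cut off before listing).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_subnet(cidr: str) -> str:
    """Classify one CIDR as 'private', 'public', 'straddles' or 'not-ipv4'.

    'straddles' means the prefix is wider than an RFC1918 block and therefore
    contains both private and publicly routable space (e.g. 172.0.0.0/8).
    """
    net = ipaddress.ip_network(cidr, strict=False)  # accept host bits set, e.g. 10.1.2.3/24
    if net.version != 4:
        return "not-ipv4"
    if any(net.subnet_of(private) for private in RFC1918):
        return "private"
    if any(net.overlaps(private) for private in RFC1918):
        return "straddles"
    return "public"


def audit_internal_networks(cidrs):
    """Return {cidr: classification} for every configured internal network."""
    return {cidr: classify_subnet(cidr) for cidr in cidrs}


if __name__ == "__main__":
    # Constructed sample of "trusted" networks as one might find in a firewall config.
    sample = ["10.1.2.0/24", "192.168.5.0/24", "172.32.0.0/16", "172.0.0.0/8", "8.8.8.0/24"]
    for cidr, verdict in audit_internal_networks(sample).items():
        print(f"{cidr:16} {verdict}")
```

Anything reported as "public" or "straddles" is squatting on someone else's routable space: hosts on those networks will never be able to reach the legitimate owner of that range, and the NAT on the way out means the choice buys no security.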
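The reply to @Greg above points at CVE-2023-48795 (the "Terrapin" SSH prefix-truncation issue) and the Fireware update of OpenSSH to 9.6p1 that addresses it. The fix in OpenSSH 9.6 is the "strict kex" extension, advertised as a pseudo-algorithm in the kex name-list of the server's KEXINIT (`kex-strict-s-v00@openssh.com`). The code below is an added example, not code from the forum or from WatchGuard: it parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and reports whether a peer that offers the affected algorithms (ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC) also advertises strict kex. The KEXINIT messages are constructed inline so it runs offline; against a live host you would feed it the payload captured after the version exchange.

```python
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}
NAMELIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_namelist(buf: bytes, off: int):
    """Read one SSH name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + n


def parse_kexinit(payload: bytes) -> dict:
    """Decode the unencrypted KEXINIT payload (message type byte onward)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type + 16-byte random cookie
    fields = {}
    for name in NAMELIST_FIELDS:
        fields[name], off = _read_namelist(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(kex, hostkey, ciphers, macs, comp=("none",)) -> bytes:
    """Constructed KEXINIT for testing; a zero cookie is fine for a parser check."""
    def namelist(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    lists = [kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, [], []]
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(namelist(x) for x in lists)
            + b"\x00" + struct.pack(">I", 0))  # first_kex_packet_follows=0, reserved


def assess_terrapin(payload: bytes, side: str = "server") -> dict:
    """Flag a peer that offers Terrapin-exploitable algorithms without strict kex.

    Exploitable: chacha20-poly1305@openssh.com, or any CBC cipher paired with an
    *-etm@openssh.com MAC. Offering them is only safe if strict kex is advertised
    (and the other side supports it too, which this one-sided check cannot see).
    """
    k = parse_kexinit(payload)
    strict = STRICT_KEX[side] in k["kex"]
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    exploitable = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        exploitable.append("chacha20-poly1305@openssh.com")
    cbc = sorted(c for c in ciphers if "-cbc" in c)
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    if cbc and etm:
        exploitable.extend(cbc + etm)
    return {"strict_kex": strict, "exploitable_algorithms": exploitable,
            "vulnerable": bool(exploitable) and not strict}


if __name__ == "__main__":
    # Constructed: a pre-9.6 style server offering ChaCha20 with no strict kex marker.
    old = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                        ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                        ["hmac-sha2-256-etm@openssh.com"])
    # Constructed: same algorithms, but advertising the 9.6 strict kex extension.
    new = build_kexinit(["curve25519-sha256", STRICT_KEX["server"]], ["ssh-ed25519"],
                        ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                        ["hmac-sha2-256-etm@openssh.com"])
    print("old:", assess_terrapin(old))
    print("new:", assess_terrapin(new))
```

A "vulnerable": False result here means the peer you parsed is doing its part; the connection is only actually protected when both client and server advertise their strict-kex marker, so check the other side's KEXINIT the same way before closing the finding.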