james.carson
Hello WatchGuard Community users,
If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case.
I am unable to provide support via PMs in the forums.
Thank you,
-James Carson
Comments
-
Hi @tantony The log suggests that the client isn't able to connect to your firewall's IP. I'd suggest starting by having your customer right click the SSLVPN icon in their windows system tray, and selecting view logs. There may be more information there. If the issue is only happening on that PC, it's very likely something…
-
Hi @Spencer I'd suggest asking the technician in the case that you're working on for an enhancement -- they can that request to the case you already have open.
-
Hi @Luigi You'll need to ensure that the virtual MACs the switches are using do not collide with the virtual MACs used by the firecluster. The article here talks about how this works: (Active/Passive Cluster ID and the Virtual MAC Address)…
-
Hi @JC_P I would suggest replying to the case that you already have open or was closed and let the technician know that you're still having an issue. If you happen to have a case number for any of the cases you worked on, I'd be happy to ensure that your case is with the correct team to help.
-
Hi @JaviPic There's two features that are getting mixed up here that were added in 12.10.4. --This release adds checks to prevent inadvertent changes to the built-in status and admin account permissions. [FBX-26096] --You can now block the source IP address of consecutive authentication failures to the Firebox. [FBX-9333,…
-
@shaazaminator The specific log you're seeing suggests that the proxy is denying the traffic due to the authentication type being used by the remote server does not match the list in your ESMTP -> Authentication section of your proxy action. If you're unsure what they're using, it may help to change your none matched…
-
Hi @Zed24 The deny logs suggest that your allow rule (which is likely above that rule) isn't picking up your traffic. -Do the addresses you're seeing resolve to the domains you allowed? -Is the firewall able to see DNS queries made by your client PCs? -Are other assets the webpage needs to load being accounted for in your…
-
Hi @robbied31 The technician that's working on your case has identified a certificate issue that is preventing your firewall from connecting to WatchGuard Cloud. They are asking for a different type of access to correct that for you.
-
Hi @robbied31 I'm sorry it's taking some time to reply. Can you please reply with your case number -- I can make sure it's with the correct team and ask the support team to assign it.
-
Hi @BR0KK85 If importing and exporting made your import work, it's very likely that the original PFX file didn't include an intermediary certificate that IIS then put in the chain when it was exported. Did your file size get larger when it was exported? If your CA doesn't provide the cert chain in the PFX file, the…
-
Hi @robbied31 If you have a case open, I'd keep working with the team there -- they'll have more information to help.
-
Hi @NetworkWise FBX-20876 would be the request.
-
Hi @Sgimtech Server 03 is no longer supported by Microsoft -- I would suggest your customer consider upgrading their server to one that still receives updates.
-
Hi @KRob The IDP portal allows users to log into it, and then select the applications they'd like to use. The IDP portal signs the user into the service via SAML. You can find mroe info about it here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/idp-portal_about.html The IDP portal doesn't…
-
Hi @KRob The customer could potentially use a hardware token (like the AuthPoint hardware token, or another compatible TOTP type token.) Failing that, I would suggest making multiple accounts for your vendor so each has their own token.
-
Hi Rob, It sounds like something in the SSLVPN webserver config might have gotten messed up. I'd suggest the following: -Using policy manager or the WebUI, disable SSLVPN and Access Portal, and save. -Re-enable SSLVPN and Access Portal (I would suggest doing SSLVPN, then Access portal, pausing to see if any errors pop up.
-
Hi @MRo At this point in time, there are no plans to allow users to be in multiple groups inside of AuthPoint. If you're having issues with users jumping groups, I would suggest opening a support case so we can look into this. Group information comes from AD group sync -- meaning that we may be getting different answers…
-
Hi @NetworkWise The firebox will only contact one SSO Agent, and if that one fails, then the backup. Without the ability for the SSO Agent to look up the other domain user/groups, this isn't possible.
-
Hi @OADerrick I'd suggest submitting a support case for both of these items. -Network Access Enforcement is a global setting for the SSLVPN. If you have a requirement for the vendor to not use access enforcement, I'd suggest using one of the other VPNs (like IPSec/IKEv1 or IKEv2) for them. -Please make sure you're using…
-
Hi @MRo Most of the issues in this thread have been addressed. Can you be more specific about which thing you're referring to, as there are a few similar topics that were discussed. At this current point in time, there are no plans to allow multiple groups per user.
-
Hi @Devlin_R I some digging, and I believe the overarching project they're referring to is WCD-13571. (This is an a request that is just full of smaller requests, and can't be followed directly.) I'd suggest asking the sales engineers in question what specific request they are referencing to confirm that WCD-13571 is the…
-
@Abertay -What model transceivers are you using? Are they on this list? https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3dsSAA&lang=en_US If you haven't done so already, please open a support case so we can look into this. If you reply with your case number I can ensure this is with the correct team to…
-
If you're just looking to tell the firewall to regenerate the self-signed certificate, you can do so via the Firebox's CLI. Using PuTTY or another SSH application, connect to your firewall using the SSH protocol, but change the port to 4118. You will want to connect as admin, and use your admin passphrase. If you are using…
-
Hi @Fire_Smith If your isp is delivering via a VLAN, you can in theory set your external interfaces as VLANs on the same interface. They would need to be using different VLAN IDs, and they would both need to be tagged for this to work. Otherwise, if you wish to maintain connectivity for a bit with both IPs, your method…
-
@Yorbin_Rubio Rebooting the firewall will clear the lease table. If you're running into this a lot, I would suggest increasing your DHCP pool, or reducing the lease time for your pool so addresses drop off faster. Remember that clients will check in at 1/2 the time of their lease to renew, so setting the lease time…
-
Hi @Abertay What interface module are you using? (About Modular Interfaces) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/modular_interfaces_about.html These interface modules are available only for the Firebox M290, M390, M590, and M690: WatchGuard Firebox M 4 Port 1Gb Copper…
-
Hi @butterbear We state in the help article here that we recommend you configure your firewall to allow these hosts to WatchGuard Cloud: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/manage-settings/configure-network-services.html The client won't be able to download settings nor…
-
@PJAlso If you need to redirect something like NTP, I would suggest using your own DNS server, so you can point a query at anything you like. If you'd like a feature request, I would suggest opening a support case. Please provide as much information as possible -- information like why this needs to be done via the firebox…
-
@KellyL HTTP proxy exceptions only apply to specific items inside the HTTP proxy. These settings are bypassed for HTTP-proxy exceptions: HTTP request — Idle timeout, range requests, URL path length, all request methods, all URL paths, request headers, authorization pattern matching HTTP response — Idle timeout, response…
-
Hi @Robert_Vilhelmsen This only works for fully managed devices. If you need one for a basic managed device, or an unmanaged device, you can generate one via the WebUI under System -> Configuration File. If you got a config report from a local/basic managed device before, this is likely where you got it from. See:…