james.carson

Hello WatchGuard Community users, If you need personal or confidential support, please create a case by clicking the support center link on the top right of this page, and creating an online technical support case. I am unable to provide support via PMs in the forums. Thank you, -James Carson

Comments

  • Hi @R_Devlin The firebox(es) don't really have a maximum performant number of SSO users. The number of users is limited by license, which is by model, but that's total number of logged in users (via SSO, RADIUS SSO, or authentication portal.) Some previous models and the NV5 have a hard authentication limit - as in the…
  • Additionally, prior to any scanning, I would suggest upgrading your firewall to the latest version of Fireware. (At the time I posted this, the latest version for that device is 12.10.3.) There are a number of security fixes since 12.8.2 that will likely get picked up by whatever scanning service you're using.
  • @bford I'd suggest asking them for clarification. If they're asking you to specifically whitelist a MAC address for a device that's not on the same subnet as your device or your upstream ISP's device, it's not actually possible to do that on any gear, WatchGuard or no. In TCP/IP, MAC addresses are used to talk to local…
  • Hi @HeroldEng The AuthPoint logon app needs to download its config from the cloud before it will start enforcing policies. If this isn't happening, does the workstation have internet access? If you're having issues getting this workstation to sync up, I'd suggest opening a support case. Our team can help take a look at…
  • Hi All, I am going to close this thread. If you need help with a case (existing or not) please feel free to speak up -- I'm happy to help -- but please do so in a new thread/post. If you are asking for help with a case, please remember to include the case number. Thank you,
  • Hi @Ed_Gruenwald The tunnel latency shouldn't/won't have any impact on the Excel version using/leaving a lock file. I think your testing does a pretty good job proving this isn't the VPN itself causing this. My hunch is that the hidden file Excel creates when a document is open isn't being removed. I'd suggest checking…
  • Hi @MattB You'll need to use tunnel switching. See: (Branch Office VPN Tunnel Switching) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_tunnel_switching_summary_wsm.html Basically, the middle device ("network at primary location") needs to have tunnel routes for…
  • Hi @Ben_U I'll get a manager to take a look at your case -- Thank you for bringing that to our attention. update: I was able to contact the manager for the sales team you've been trying to contact. They will reach out to you directly.
  • Hi @Robert_Vilhelmsen In general, application control being run on HTTPS traffic that is not being content inspected will be less accurate than traffic that is. Wujie/UltraSurf specifically tries to make its traffic appear as multiple other protocols (like https.) If you're seeing false positives for this via HTTPS, I'd…
  • Hi @OPTDoug I'm assuming that your home connection is already allowing the traffic outbound. If it is not, you'll need to make a rule to allow that there. On the work side, you'll need to create a new rule. If you're using Policy Manager: -Go to Edit -> Add Policy -Select the protocol from the packet filter list, or create…
  • The firewall might be sourcing from the wrong interface. Instead of defining "-I eth0 IP" try defining the IP you want the firewall to ping from. e.g. if my firewall's external IP is 169.254.100.100 I would specify: -I_169.254.100.100_94.140.15.15 (I put underscores where the spaces should go because text formatting.) If…
  • Define multiple gateway endpoints when creating your VPNs. The firewall will try them one at a time in order. If the first does not respond (e.g., the internet is down on that circuit) it will go on to the next one. When the SA expires, it will start this process over again. See: (Configure Manual BOVPN Gateways)…
  • Hi @blockingvolume Please make sure your firewall is running the latest version of Fireware (12.10.3 as of the writing of this post.) The new categories are added in that version.
  • @KAndersson I'll pass your request onto the product managers. There is an existing feature request, and that is AAAS-12937. If you'd like to follow that request, please create a support case and mention AAAS-12937 in the case.
  • Hi @KAndersson FIDO2 does not appear to currently be on our roadmap. It may be in the future. -We do support both WatchGuard branded and third party hardware tokens. See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/tokens_hardware.html -The AuthPoint app supports other 2FA methods, such…
  • All of the logs are saying that the B channel (the side of the connection from the firewall to the distant webserver) is failing. I would check that side of the connection. If this is failing for multiple sites, it might be possible that IPv6 is not set up correctly on this/these firewalls.
  • Hi @olivier_simard In theory OSPF should work so long as it's a valid VLAN ID (valid being 1-4094.) I would suggest looking at the OSPF status in your status report (you'll need WatchGuard System Manager to see this.) (Firebox System Manager Status Report Example)…
  • Hi @KAndersson Under most circumstances, modern OSes (Windows 10/11, supported versions of OSX, most Linux distros, iOS, and Android) will do a network connectivity check when connecting to WiFi (with the purpose of seeing if there is a captive portal.) NAE has a few checks -- if it's lagging I would suggest opening a…
  • Hi @morpheus27 See the article here: (Custom IKEv2 and L2TP VPN profiles for Windows computers) https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bopASAQ&lang=en_US
  • Hi @Gmanry -Are you sending traffic across a new leased line or a branch office VPN? If so, see: (BOVPN and Network Address Translation) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_and_nat.html If you're going over a leased line that is marked as an external interface,…
  • Hi @mhakin If we're seeing them on the receive (RX) side it generally means they're arriving at the firewall that way. That specific counter only resets on firewall reboot, so if the firewall has been up for some time, that may not be too alarming. I'd suggest opening a support case with that information and one of our…
  • Hi @crm_informatica The error you're seeing is suggesting that the SSLVPN simply can't connect - it's asking if you want to use a cached version of the profile for the firewall from the last time you successfully connected. The country your firebox resides in is well known for restricting VPNs. If you're unable to access…
  • Hi @adasi I'd suggest opening a support case by calling 877.232.3531 or by clicking the support center link at the top right of this page. It's difficult to tell what might be happening here with just the error message.
  • Hi @Infra If you are in manual order mode, and if you create a policy to/from "firebox" you can use the policy name to make note lines, if that is helpful for you. You can also use policy highlighting to color code your rules if that helps you organize. See:…
  • Hi @morpheus27 Provided your DNS server that the VPN is using can resolve the domain name (as it will only be resolvable via the AD DNS server) I don't see why it wouldn't work. I've not specifically tried this, but as long as your Allow IKE2VPN_Users policy allows traffic to the DC it would in theory work.
  • Hi Bruce I opened a feature request for this. That is FBX-27166. In the meantime, you can pull this data via the webUI via a support file. -Go to System Status -> Diagnostics, and select Download a support log file. Open the TGZ file that is downloaded, and navigate to:…
  • Hi @CLS_CPA By default the firebox allows all traffic outbound. If you're using a proxy, you can add those sites to the HTTP proxy exception list. However, I would try using the site first -- if you're not having any problems accessing it/them, you'll likely not need to do anything. See: (HTTP proxy exceptions)…
  • The firewall may also display this error if there's simply no usable route to that host -- for example, if you are using multi-WAN link monitor to determine if an interface is up or down, and it's marked down - the firewall won't use it.
  • The firewall will show that error if ping can't determine what interface to send traffic out. Try specifying the interface via the advanced options checkbox. You can supply an argument like this (pretend 160.51.52.53 is the external IP of the interface I want to ping from - use whatever your external IP address is on the…
  • Hi @Roberto It may help to turn logging off on the firewall to your log server, save, and re-enable it -- that'll restart the entire connection process. We don't support the Windows log/report server anymore, and it hasn't been updated in several years. If you're able to run Dimension, I would suggest looking into setting…