Comments

  • I noticed the 12.11 beta now supports Entra ID for Firebox SSO as well as for the SSL VPN authentication. Looking forward to this release. https://watchguard.centercode.com/key/12_11_Beta
  • These are Entra ID only joined devices, and I have tried targeting both by username and by group. It still only works if I reinstall the SSO client manually.
  • Looks like the / in the install line was causing an issue "/WG-Auth-Client.msi". The app is now deployed after removing the / but I'm back to an issue I was having with Intune before. The users show up in the Traffic Monitor and Authentication List correctly but the policies targeting these users are not applied. If I…
  • I just ran into a major issue with this setup that only affects the Azure AD joined devices. When I look at traffic monitor the user does show up correctly, for example src_user=user@domain.local. However, when I try to target the user with a policy by username or group, it doesn't work. It only works for computers that…
  • The devices in that list are mostly legacy devices. T-mobile currently offers an Inseego device which has ethernet or USB tethering. I feel like the ethernet option should at least work. Not sure about USB. I'm a bit disappointed with the options at the moment. The T-85 LTE module is expensive, and the T45-CW is missing…
  • No, and this issue just started a day or two ago.
  • Same here, we are also looking for this feature.
  • I turned off QUIC in Edge but it didn't help. I created a new https proxy on the firebox with all extra features disabled i.e. no web filter, no content inspection, etc. and the site still doesn't load. Even a proxy exception for the site doesn't help. So far, the only way I've gotten the site to load in Edge is to not use…
  • I just ran into the same proxy issue. I could not download anything from sourceforge in Edge but Brave and Firefox worked fine. I found that this site would not load at all in Edge https://downloads.sourceforge.net until I selected "Enable only when ICMP network issues are detected". I tested this on three different…
  • Looks like 12.10.1 has a new feature: With v12.10.1 of the WatchGuard Single Sign-On (SSO) Agent, WatchGuard Active Directory SSO now supports computers joined to your domain with Azure Active Directory. This support is for hybrid environments, where a local Active Directory domain controller is used for authentication by…
  • Yes, we have more than 10 users with Entra ID joined device, not hybrid, and the SSO client works for all of them.
  • We use AD Connect to sync local AD accounts to Azure. We use the SSO Client on all devices. Other than that, we didn't do anything else. We're not using the Event log monitor either. I've only tested this on one PC so far but should be testing more soon.
  • We have the gateway installed on a server so that isn't an issue. This requirement was a bit worrying since Azure AD Joined computers are not members of the local AD Domain. "All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships."…
  • I have a similar issue with a new T40.
    WatchGuard Cloud Status
    registration_status: 2
    enabled: 1
    connected: 0
    token_required: 0
    server: firebox.iot.usa.cloud.watchguard.com:443
    api_endpoint: https://firebox.usa.agent.watchguard.com
    disconnect_reason: Connection lost
  • I have a new T-40 as well. I see the device when I click Add the device to the cloud and it works but the device never actually connects to the cloud even though the option is enabled locally. I've tried removing it and adding it plus toggling cloud on and off on the device but nothing helps. webui: WatchGuard Cloud Status…
  • I'm using SD-WAN to send guest traffic over a second ISP and fail over to the primary if the second goes down. The opposite is set up for everything else using Multi-WAN, so at the moment the guest network has better link monitoring. I had an issue a couple times now where many web sites were barely loading on the primary…
  • That's correct but that brings up a related question for me. Multi-WAN seems inferior to SD-WAN so in order to use SD-WAN, we'd have to select it on every single policy? It would be better if Multi-WAN also had the metric options for loss, latency, and jitter. Either that or let us select one of our SD-WAN options as the…
  • Threatseeker Cloud shows status degraded https://status.forcepoint.com/#/status/1
  • I see that in traffic monitor now too.
    2021-07-30 12:19:37 M270-loc1 webblocker categorize_url: curl returned error: Connection timed out after 15001 milliseconds Debug
    2021-07-30 12:19:37 M270-loc1 webblocker categorize_url: curl returned error: Failed to connect to rp.cloud.threatseeker.com port 443: Connection refused…
  • Where do you see that? I'm getting these notifications: error: Webblocker server is not available
  • That doesn't say you need the "standard support sku" and the standard support sku doesn't say it's for a firecluster. Again just didn't want to buy the wrong support sku. "support subscription" seems vague when almost all the skus include a support subscription and how am I supposed to know there isn't a sku specifically…
  • Saw that and the regular documentation, but it doesn't specifically mention needing "Standard Support renewal" on the passive unit, so I wanted to make sure I was purchasing the correct renewal. Thanks
  • That's what I suspected, just couldn't find it worded anywhere. Thanks for the confirmation.
  • I ended up disabling WatchGuard cloud on the cluster, then removing it from the cloud. After that I was able to add the firecluster back into the cloud and it's working fine now.
  • The m270 has a TPM chip but according to the status report it does not?
    "token_required: The token_required status indicates whether the Firebox has a TPM chip. If the Firebox does not have a TPM chip, it requires a Verification Code to register. 0 — Firebox has a TPM chip. 1 — Firebox does not have a TPM chip."
  • WatchGuard Cloud Status
    registration_status: 0
    enabled: 1
    connected: 0
    token_required: 1
    disconnect_reason: Not registered
  • 12.6.4 has a few fixes per the release notes. In an active/passive FireCluster, DNSWatch no longer fails when the active cluster member has an expired DNSWatch license and the passive cluster member has an unexpired DNSWatch license. [FBX-17093] This release resolves a FireCluster issue that caused the sslvpn_firecluster…
  • I think I didn't explain it completely. In the docs, it says Policy Manager Managed Device Settings - "This name is case-sensitive and must match the name you use when you add the device to the Management Server configuration. This can also be the IP address of the Firebox." So I've input the primary external static IP for…
  • That's what I was looking for. I was able to remove my old ISP IP and that removed it from the BOVPNs. Now I need to change the order, but it says the name there must match the device name. Does it matter that the device name is only one of the IP addresses listed in the management properties box?
  • What does one have to do to fix this besides stop using managed VPNs? I've tried deleting my BOVPN, waited for the gateway to be removed, and then recreated the VPN, but still the same three multi-WAN interfaces are in the same order. I can't disable the third external interface because it says it's in use by the BOVPN gateway.