Comments

  • Hey @Chris_Kelly, This may depend upon where your DNS MX records are pointing to. The on prem Exchange or O365. Good documentation here on Transport Routing in Hybrid environments https://docs.microsoft.com/en-us/exchange/transport-routing The very first sentence is this: "Don't place any servers, services, or devices…
  • @tovonantenaina, Sorry, I must have misunderstood your issue. Thought you were looking to allow all gmail to bypass SpamBlocker. You are correct, that would be a risk doing so and not recommended, but everyone has their own use case. If you could clarify your issue some more and provide log files, rejection messages, SMTP…
  • Yeah, unfortunately the IKEv2 VPN doesn't allow the use of AD for authentication unlike the SSL or IPSec VPNs do. Thus requiring you to re-authenticate with your AD credentials after the VPN connection if you wish to access any Domain resources. File shares, Exchange etc. Personally I've found the IKEv2 VPN is great…
  • @NathanI, Your post is pretty vague describing your VPN configuration. Are you using AD, SSO, RADIUS, LDAP or the firebox for user authentication? Is the external IP of your firebox static or dynamic? What are you using for DNS? The Watchguard web site has a plethora of information on how to configure VPNs including step…
  • Hey @robtve86 , So running Link Aggregated VLANs is "nothing special" eh? Wonder what the rest of your firebox configuration looks like. :-D Happy support figured out the issue and thanks for letting us know about the bugfix. Take Care.
  • Sounds like you may have another policy handling the inbound FTP traffic if your SNAT policy isn't showing any traffic while a transfer is taking place. This is assuming you have logging enabled. Check for any inbound policies on port 21. Also, since policies are either inbound, or outbound, any Traffic Management Action…
  • In Policy Manager go to Subscription Services > Spam Blocker > select your incoming SMTP policy > Edit > Under the Exceptions tab click Add > enter your exception for gmail. *@gmail.com Then save the changes back to the firebox. * Doug
  • @JustAGuy , Yes, you can configure BOVPN connections using both static and dynamic IP addresses. Start the configuration process with the Main Branch Firebox as it has the static IP and work your way out to the remote offices. Make sure you have access to the remote office Fireboxes. Check out this video to get you…
  • @pkirill , Enable logging on the any-any policy between your Trusted 10.x network and the VLAN 192.x network, then have your MFT try and connect to your DC and monitor the traffic. Do you see any allowed traffic with ports 135, 389, 445, 464 that the MFT would use to query the AD server? If so, then I would look at the…
  • The first scenario appears to be internal between Trusted or Optional networks or VLANs, the second appears to be from a Server to an external IP. The firebox's default NAT settings should handle both scenarios unless something specific is required.
  • Try creating a NAT Loopback policy and see if it works for you. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
  • I'll assume this is an outbound connection to Anydesk, correct? You will need to create a custom policy (either packet filter or proxy) for ports 80 & 443. In the From field put Any Trusted (or whoever you wish to access Anydesk) and in the To field choose DNS lookup and insert anydesk.com. Place this policy above your…
  • You didn't mention whether the NAT'ing was inbound or outbound, but if you use Policy Manager > Network > NAT Setup > you can configure either Dynamic NAT from a single IP to a subnet under the Dynamic NAT tab, or configure a 1 to 1 NAT using the other tab. Static NAT is configured under Setup > Actions > SNAT for inbound…
  • @Chaospinhead Your outbound policies, are they packet filters or proxy policies? Proxies may slow things down a bit depending upon the model # of your Firebox and cause latency issues. The rule you have using a DNS lookup to find the PBX host may also cause latency as the DNS lookup takes time. Try creating a packet filter…
  • @GARYMN , Is the external IP on your firebox a public IP or one provided by the modem? Best to have your modem in Bridge or Passthrough mode and have the public, static IP on the external interface of your firebox. Then in Policy Manager (or the Web UI) choose VPN > Mobile VPN, choose your type and follow the setup wizard.…
  • Are the IP addresses on the new servers added to the From list on your DNS outbound policy?
  • Ok James, I see what you are doing now. WiFi Cloud > Discover > Configure > SSID. From here you are creating a new SSID (or copying an existing one which would be easier) and then creating a schedule inside that SSID. This way you can have multiple versions of the same SSID and toggle them on or off depending upon which…
  • Thanks for the help James, but I don't think I made myself very clear. I see where one can create SSID schedules in the Cloud. What I am looking for is the ability to create a schedule and save it as a profile, similar to the scheduling option in FPM. This way one can have a policy for normal hours, one for extended…
  • Did you change any of the IKEv2 Shared Settings in the Firebox? Windows 10 doesn't natively support anything past Diffie-Hellman Group 14 I believe. My Firebox is at Diffie-Hellman Group 19 (for my BOVPN connections) and my Windows 10 clients are unable to connect via IKEv2.
  • Yeah Bruce, I read the same documentation and followed the instructions to the letter. The T-20 couldn't obtain an IP address. Disable bridge mode and it works perfectly. Why? You got me, it just does.
  • FYI to forum users, this is the answer I received when I opened a support ticket. You need to go into "Discover" to set a static IP. Once you select that "VLANs" option you'll select "Customize" and you can leave "Communication VLAN: 0" if the management IP is going to remain on an untagged network or set the specific…
  • Bridged mode Bruce. I get the client receives DNS from the DHCP config on either the firebox or a local DHCP server depending upon one's setup. When I initially configured the AP's all IP information was manually assigned to each AP, including DNS. Now my DNS servers have changed and I just need to change the configuration…
  • Got it Gregg, It appears that SD-Wan's link monitor was causing a network monitoring process to crash. This in turn caused all kinds of weird behavior in my proxy policies that utilized content inspection. There is a bug fix in 12.7, FBX-6435 that addresses this issue. I upgraded to 12.7, set my proxy policies back to content…
  • Are you utilizing SD-WAN for the primary and backup interfaces? How do you presently fail over when the primary interface goes down? If you are using SD-WAN and disconnect the backup interface all traffic should still use the primary interface if you have the policies and SD-WAN configured to do so. Placing an any-any…
  • Gregg, I've got all the proper certs configured. The WG proxy certs for outbound clients distributed through Group Policy, and third-party certs for inbound proxy policies added to the FB certs. Have a ticket open now and WG engineers have been working on it for over a week now. Checked all settings, running TCP dumps,…
  • @Greggmh123 I may have to rescind my complaint against DNS Watch as my resolution by disabling it seems to have been fools gold, as user complaints kept pouring in. Not only with Internet, but more importantly email and inbound connections to in-house web servers. Come to find out the issue was (still is) with any…
  • I started noticing odd things trying to load websites and resolving host names yesterday afternoon and just recently all my users working in the office complaining of all these mysterious issues pinpointing to DNS. So I disabled DNS Watch in my Firebox and changed the DNS Forwarding order in my servers and all is good now.…
  • You're correct Bruce, I just found this out. Didn't know that before. Thought that since it requires an admin password to add the blocked site it would write it to the config. Maybe a future feature update, when you block an IP have a "permanent" option in the Hours/Minutes/Seconds drop down list?
  • Have you tried logging into the Verizon router using the default gateway IP of your Firebox and setting the router to Bridge Mode yourself? The router should have a sticker with the default username/password and IP on it somewhere.
  • Sorry, no I haven't done anything special to my exclusions, just haven't moved to V11 yet.