hi
probably a dumb question, but i am setting up a watchguard server, do i connect it just on a local network or connect it to the firebox?
also is there any documentation on this?
thanks
Due to the number of sites users have been recently bypassing such as Facebook by simply adding the https instead of http, I have decided to place an https proxy in my Watchguard. I seem to be having a major problem with this. I did enable the HTTPS proxy filter and changed the Webblocker to be the same that the HTTP uses so I don't have to manage two different block site category lists. After enabling this, it seems users could not access any site without getting some certificate error. From a support ticket I put into Watchguard that told me I had to export the self signed certificate from Watchguard and import it into each computer and uncheck the box to use OCSP to validate certificates. The unchecking of this box seems to be opposite of what their help file states. The lady mentioned some issue with Google. Anyways, there still seems...
So we're setting up an MPLS between our different sites for our new IP based phone system but running into an issue where we need to keep 2x BOVPNs active at the same time as the MPLS is active.
WG Support is saying it's NOT possible to do this but I'm having a hard time believing that...
From a WatchGuard Example, it would be a MPLS failover BOVPN & BOVPN Tunnel switching scenario.
We initially tried to set up Dynamic Routing but couldn't get the BOVPN tunnel switching to work...
Help!
Hi Guys
First time posting here
I have a question for the WatchGuard gurus
I'm trying to configure an XTM in Mixed Routing Mode with a non bridged router. The router can't do bridge, nor does it receive internet via PPPoE.
I don't want to use Drop In Mode.
Any thoughts on this one ?
A SNAT config maybe ?
Thanks
Whenever I edit a page on the company website (a WordPress site) that contains some JavaScript I get an "IPS detected for 'VULN Cross-Site Scripting -7/Web Attack' " from our XTM 525. I know it's just doing what it's supposed to, but obviously my editing of our webpage is not a web attack. What do I have to do to get this to stop? Something needs to be whitelisted (webpage, my computer, or the webserver), but I'm not sure what or how to do it.
We are setting up a Firecluster, and I'm looking for recommendations for two switches to go between the XTMs (active/passive) and our two ISPs. Anyone have any suggestions? It seems like a low-cost unmanaged 5 or 8 port switch would suffice, but it must be reliable.
Thanks!
How can I add a second ISP to my WatchGuard firewall? My current ISP fails a lot lately, and when this happens no outside emails come to my Exchange server.... Any ideas how I can add a second link from another ISP?
Does anyone know how to remove the built-in weak IPsec policies from a Watchguard XTM system? I'm running Firewire 11.9.1 and our PCI scan triggered on the MD5 hash and DES encryption. We're not using them so I'd like to actually remove them from the Firebox to prevent both false positives, and more importantly, accidental use in the future.
We are utilising Adobe Cloud here and our Macs are trying to connect to Adobe; however, they use Akamai as the provider of their connectivity.
Currently we are having to allow a lot of random IP addresses through our firewall, which is a Watchguard XTM510. Does anyone have a way / rule to allow the DNS names through the Watchguard XTM510?
I have two, single feed, WAN connections coming into our Watchguard XTM515. We are researching the possibility of converting this over to an Active\Passive Cluster. But I can't figure out a great solution for the WAN connections.
Any suggestions?
I am setting up a new XCS 280. I can connect via the internal LAN IP but I am unable to connect to the DMZ address. I have opened any any on my firewall to see if the firewall is blocking it and still no go.
I did notice that when I use the internal address it does a request to watchguard systems but that does not happen when I try to connect externally. Doing a packet monitor I do see that I am able to reach the DMZ address and external public ip gets routed to the DMZ as it should.
Any thoughts?
I will edit this later but the IPs I use are:
External(64.83.252.30) which is forwarded to the DMZ(10.168.50.15)
Connecting to internal 192.168.0.15 I get the esmtp response.
Those of you who use Watchguard:
I'm looking for your experiences and recommendations on the Watchguard system as I have someone proposing to install it. Good and bad please.
About a month ago we installed a Watchguard XTM330. We are using the SMTP proxy with it set to quarantine any dodgy attachments.
I've had a couple of users report that they have received external emails with no attachments when there should have been one present. There is no warning text file or anything in the quarantine folder. It's just like the attachment has vanished into thin air.
Initially I suspected the sender was simply forgetting to attach the file but it's happened several times now with senders who know what they are doing.
Some other bits of information which may be useful:
1. I've only ever seen it happen with Excel files. However these were only simple files with no macros etc.
2. I got one external user to forward an email with a missing attachment to my webmail account. I received it ok and when I then forwarded...
Is there any way to automate the process of deploying the trusted WG certs to BYODs for a guest network? More specifically, for Android and i-devices.
I can redirect users to a custom page after authenticating, however, it means that if they were to arrive tomorrow, and authenticate again, they would be pushed to the custom page hosting the certs still.
Ideally, I want them to be able to sign onto the guest wifi (going through the WG), authenticate on the WG portal page, and have all the benefits that the box offers rather than switching off things like DPI etc.
We have just installed a Watchguard XTM330 with the spamblocker feature.
At present all spam is diverted to the quarantine server where I can review it and then either delete or release to the end user.
Does anybody know whether it's possible to divert it to an Outlook mailbox instead? Once it's deleted from the quarantine server it's gone, whereas I'm more comfortable having it in Outlook so I can keep it in deleted items for a period of time and review it if I've accidentally deleted something I shouldn't have.
I just wanted to post that the new 'Policy Map' feature in WatchGuard Dimension 1.3 is awesome and incredibly useful (on top of Dimension itself).
If you have WatchGuard Firewalls and haven't checked out Dimension, Start it up!
I ran into a snag where one particular brand of monitoring device has $#!++y software and is too smart for its own good. I can add one device to the software for remote access just fine, but when I add the second device (although the port is different) it detects the external IP as the same and complains that the device already exists. I tried DDNS, but it matches the same IP and still complains. The manufacturer is not going to fix the software anytime soon, so I thought of another way, but need some help.
We have a /29 for our primary external interface, allowing us to use x.x.x.1 as our gateway, with x.x.x.2 to x.x.x.6 as usable IPs.
The XTM is already set to use x.x.x.2/29 as its external interface.
I have a rule to allow ANY-External--Device-In-Question with a SNAT for the appropriate ports, but it is only passing on x.x.x.2
Do I...
I recently replaced an X20e with an XTM25. Among other things, the X20e had a recurring problem where I couldn't log in until I restarted it. It was out of support and had old firmware, so that bug was probably fixed in an update.
Now I'm unable to log in to the XTM25 as admin. I've restarted it, and still can't. I am considering that I may have changed the password and not noted it, but I know I've logged in to the XTM25 since I installed it.
If it is the password, will uploading the config file restore all settings? Any known bugs related to login issues?
Hey everyone, I was reading a post that came up a couple days ago about passing all of the IPs from a /29, but I guess my question is a little different.
We just had a fiber-to-copper handoff put in by Time Warner, with a /28 (gateway is .1, usable is .2-.14), and a Watchguard XTM 1050 as our router. We haven't switched over yet because there are a couple things that I'm a little worried about. The previous IT Director did a pretty solid job of making a mess of how things are set up in terms of network management. Right now we're on a point-to-point internet solution with a multi-port modem for our current Watchguard and our SBC (we have a hosted VoIP system in our office). Would I be able to map one of the statics to a port on the Watchguard and enable a "Pass All Traffic" rule?
I've got a Watchguard XTM 510 set up with a site-to-site IPsec VPN. I'm trying to get the traffic data for this VPN connection via SNMP. However, I can't seem to figure it out.
I can query any of the physical interfaces (eth1-eth6) via SNMP, and get the traffic data. However, I don't know which interface is the VPN. I assumed it's interface "tun0", but during testing, the octet counters for tun0 never changed, no matter how much data I'm moving through the VPN. None of the other non-physical interfaces change either.
Is there a setting I need to adjust in my firewall? Is there a different place I need to look for the interface?
Thanks for the help!
--Nick