Channel: WatchGuard
Viewing all 1338 articles

Update to OS V11.10.2 issues with behind NAT

I had a little trouble getting all of my devices to the latest OS version. Thought I'd share.

I have 14 XTM33-W Fireboxes -- 12 with public static addresses, 2 behind NAT because of circumstances beyond my control.

Most of the devices including the two behind NAT were at OS version 11.10. A few devices were at 11.9.3.

I scheduled an OS update to 11.10.2 and all went as expected except for the 2 behind-NAT devices.

I tried to update the devices individually from system manager and from the web interface. From the system manager the update failed after a minute or so timeout. From the web interface, the OS file never uploaded. I let this cook for over an hour.

After thinking about it for a while, I remembered that back in the day, I could backup, restore, update a firebox from the Policy Manager launched from the system manager and it...


Watchguard blocking some vpn ssh traffic while letting other ssh traffic pass

So I'm connecting to our Watchguard XTM 515 via PPTP VPN. I have several Linux servers on the same subnet that I'm connecting to via SSH. I can connect to all of them just fine except one. When I check the Watchguard logs it shows the traffic to that server is being blocked. The log entry is as follows:

FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-MUVPN-Packet.out-01, protocol=ssh/tcp, src_ip=10.10.214.128, src_port=42830, dst_ip=10.10.214.213, dst_port=22, src_intf=0-PPTP, dst_intf=1-Trusted, rc=101, pckt_len=60, ttl=63, pr_info=offset 10 S 2271602342 win 65535, src_user=xxx@Firebox-DB

I don't have any rules/policies specifically granting ssh traffic to the servers that are working, nor blocking ssh traffic to the server that's not.

Anyone know what could be causing this and what I need to do to get this working?

How do I configure WatchGuard Web Blocker exceptions by User?

We would like to enable many categories of the WebSense categories, however we may need some staff to access some of the sites. For example: most staff should not be allowed to access Facebook, however we have a staff member that needs to access it.

How can we do this?

Can Watchguard SSL VPN perform pass through Windows Authentication?

Hi

We recently upgraded our firewalls to WatchGuard M200s, primarily to improve VPN throughput.

Previously we've handled internal network configuration ourselves, but the WatchGuard was recommended by our VMware DR support company.

Question: Using the WatchGuard SSL VPN, is it possible to achieve 'Windows Authentication' for usages such as connecting to SQL Server, TFS, certain internal web pages etc?

We're using AD authentication for the login, but so far we're unable to make useful 'Authenticating' connections.

Obviously the connecting machines are workers' home machines, so not on domain or anything.

With the WatchGuard using AD for authentication I would have presumed they'd gone the obvious extra step and supported this. Or is this something that's only possible over more standard VPN configs?

While I've discussed it with the support...

ShoreTel VOIP over IPSec VPN Question

We are in the process of implementing a new ShoreTel system in our office and I'm trying to figure out the best way to get our remote people connected. We have an HA pair of WatchGuard XTM 850 boxes in our main office, and the remote people are connected through IPsec tunnels to XTM 25 boxes at their homes. Our IP phones in the main office are set up to signal our local switches to use the voice VLAN, and then send the DHCP request on that VLAN and download their configs from the HQ server. I'd like the remote phones to be set up the same as the local ones if at all possible, so somehow I need to configure the XTM 25 boxes to pass that traffic to the right place to get a DHCP response from that remote VLAN. Any suggestions? Thanks.

Firebox - Route - traffic between internal IP's

I am trying to do some penetration testing and only have a single license for our CMS. I built a duplicate network outside our corporate environment. I am trying to determine... If it is possible to route traffic from our web page site to an optional network Host IPV4 address. Both are connected to the firebox.

My goal - when an authenticated user selects a hyperlink on our external webpage, they are directed to the CMS which resides on an optional network. I already have a working Snat that gets external traffic to the server hosting the webpage. The webpage server's IP is 192.168.116.5, and the CMS I want to redirect to is at 192.168.120.4.

SNAT only works with external interfaces; NAT and 1-1 NAT have not been a solution. Is there a rule / route, etc. I can build to accomplish this obstacle?

I want a rule that says when the user...

Upgrade from 11.9.4 to 11.10.2 update 1

Are there any gotchas during this upgrade? I assume just make a backup before I go for it, correct? All policies and configurations are migrated to the new version automatically, correct? I have not had to do an upgrade yet. This is for an XTM 5 series WatchGuard.

Firebox setup

Hi

I have a Firebox XTM26 with the latest O/S, with two external networks in a failover configuration; this works fine.

The wireless settings however are doing my head in. It's in mixed routing mode (need that to make WAN failover work), which puts all networks, LAN and wireless etc., on separate subnets.

I have configured the wireless to be a trusted network, and wireless clients can get on the internet, but as they are on a different subnet they don't have access to the servers etc. on the LAN.

According to WatchGuard help files they should, but how? Is the IP proxied to the correct subnet?

LAN is a 192.168.1.x subnet, wireless is 192.168.4.x

DNS, DHCP is all on the LAN, via a normal SBS2011 network

To get this to work I have disabled wireless and use one of WatchGuard's access points, which uses the LAN, and everything is good, but would like to use all the...


Anyone use WatchGuard XTM & Dimension Logging & WebBlocker?

I am in the process of complimenting WebBlocker on my WatchGuard. Either I just don't understand how this is supposed to work, or I am missing some part of the setup.

I do have a tech case open with WG, but thought I'd ask to see if anyone had any tips on setup/usage that I may not know about.

My predicament:

I have HTTPS proxy set up for a test AD group to block Facebook, just to see how this will all work to begin with. I have the cert exported/imported and the deep packet inspection set up, as when I browse to FB, I do get my "blocked by WatchGuard" message.

My problem is that this doesn't seem to be in any of the logs on Dimension. I don't see any deny logs in the user detail report on Dimension. All the settings I have been asked to look at are correct.

I have been dealing with this setup for almost 2 weeks now. I'm beginning to think...

WatchGuard Remove DVCP Tunnel

I have a client with some WatchGuard XTM 330/515 devices. They are being replaced (thank god) but in the interim I have the need to edit some of the existing tunnels. Unfortunately using either the web interface or WatchGuard System Manager, I receive errors about how the tunnels are "DVCP Created objects and cannot be modified". 

These appear to be wizard generated tunnels from some sort of VPN Manager. I have absolutely no idea how to edit or clear out these tunnels as I can't do anything with them despite having write access.

Anyone have any clues? WatchGuards really aren't my strong suit. 

Much appreciated.

WAN Virtualization, WatchGuard

When will legacy security manufacturers start implementing WAN virtualization? I'm ready to implement WAN virtualization but dedicated WAN virtualization/optimization devices are just too expensive when you factor in the massive amounts of cheap bandwidth available today. So I have a 20 Mbps fiber DIA connection and a 150X20 Mbps cable connection in one office for around $1100 a month. My DIA connection is about to be increased to 100 Mbps for the same price. That's just my main office and our branch offices are in metro areas with the same access to cheap bandwidth. Also I bet if I called Comcast I could get them to upgrade me to their 300 Mbps service with little price increase. What happens when looking at Talari, Ecessa, Mushroom or any of the others is pricing jumps way up with these bandwidth levels.

So it would be nice to see someone...

Centurylink and Watchguard direct connection

We just had CenturyLink install a partial gig internet connection. I am trying to set up our WatchGuard XTM 330 directly to the cable and bypass the CenturyLink modem. They have a PPP username and password, with which I was successful in connecting and getting an IP address, but they also specify a CE-VLAN 201, which I have been unable to configure properly to obtain internet access.

Is this possible? Or is there a better solution? We have a couple of on-premise services like FTP that I would like to point to this connection (it is faster than our other ISP).

Thank you.

How can I limit bandwidth for an external IP range on an XTM?

I have an XTM515 with a few CCTV DVRs behind it.

I upgraded one of the DVRs to full IP cams with 5MP cams.

I have a supervisor who watches the cameras from home, all 16 on the screen at once...
This is sucking up almost all available upload speed we have, affecting VoIP at times.

I already checked the DVR, I cannot modify frame rate per user, and we need full frame rate at times.

I currently have a rule in place for Any-External --> DVR on certain ports. (I know exposing the DVR to the world is not smart, but the bosses demanded access anywhere and without VPN, due to wanting access from phones, tablets, etc. without hassle.) I have the DVRs off on their own little private optional network with nothing coming back to the main network.

How can I limit bandwidth to a block of IPs for the supervisor who works from home? (DHCP, but always within...

Install Custom application

Hello,

How can I automatically install my custom application / add-ins on the client PC once the Mobile VPN with SSL client gets connected?

Actually I want to track a few specific activities of the client, which my application will track. But I want to install it automatically through the WatchGuard Mobile VPN Client.

Please help.

Thanks & Regards.

Anjan Maity

WatchGuard Dimension upgrade to 11.10

I have upgraded Dimension to the latest version (watchguard-dimension_2_0_U2_apt)

but this one doesn't allow me to monitor my devices (WatchGuard XTM 330).

When I added it to the devices list, the Logging status is NO and Managed is Disabled.

While adding devices to the list, it asks me to download a Config file (*.wgd) with the notification:

"(This will regenerate your device credentials. The file will contain both management and logging settings for your device.)"

Honestly I have no idea where and how to upload this file to make Dimension get data from the Firebox.

Any help will be appreciated.


Watchguard to route traffic back in event of ADSL drop out

Hi All

OK, this is going to take some explaining. We have 18 sites; they are all linked via a WAN supplied and maintained by our Dealership Management System supplier (CDK). They look after this as this WAN also links back to their hosting centre and that's where our Dealer Management system is hosted.

However, on each site I have a simple internet breakout that is firewalled with WatchGuard XTM devices. This proxies HTTP traffic etc. and does most of the jobs that a UTM should do, all hunky dory.
There are static routes in place on each WatchGuard device for each site's IP range to use the WAN in place by CDK, so the WatchGuards aren't having to VPN or anything. This is all OK. Happy

However, especially being around Devon and Cornwall, not only are our internet line speeds pretty shocking in places, they are damn unreliable too. So is...

WebUI/System Manager inaccessible on M400

Hey Guys,

Twice in the last 3 days the Web UI has become inaccessible on my M400. When this occurs I also cannot reach the device from Watchguard System Manager. The only resolution I have found to this is restarting the device.

Has anyone else experienced this?

WatchGuard setting Session

Dear All,

I'm new to WatchGuard. We have a leased line which is shared in three locations.

All Domain users will be authenticated by WatchGuard.

How to disable the internet connection automatically after 11:30 in the night for one of the locations?

Is there any setting in WatchGuard which helps us to do this...

Thanks in advance

VPN Error

Here with Logs

*** WG Diagnostic Report for Gateway "Egypt Difc" ***

Created On: Tue Sep 15 11:17:58 2015

[Conclusion]

Error Messages for Gateway Endpoint #1(name "Egypt Difc")

Sep 15 11:17:54 2015 ERROR 0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.

[Gateway Summary]

Gateway "Egypt Difc" contains "1" gateway endpoint(s).

Gateway Endpoint #1 (name "Egypt Difc") Enabled

Mode: Main PFS: Disabled AlwaysUP: Disabled

DPD: Disabled Keepalive: Enabled

Local ID<->Remote ID: {IP_ADDR(x.x.x.x) <-> IP_ADDR(x.x.x.x)}

Local GW_IP<->Remote GW_IP: {IP_ADDR(x.x.x.x) <-> IP_ADDR(x.x.x.x)}

Outgoing Interface: eth0 (ifIndex=4)

ifMark=0x10000

linkStatus=2 (0:unknown, 1:down, 2:up)

Stored user messages:

Sep 15 11:17:54 2015 ERROR 0x02030015 Message retry timeout. Check the connection between local and remote gateway...

Accessing Wix.com under a Watchguard firewall gives issues

I have tried a few different things but somehow I cannot seem to get the WatchGuard XTM 5 series to allow Wix.com to load properly. We can go to Wix.com but when you choose things such as Premium it only loads part of the page. I have allowed an exception for *.wix.com*/* in my WebBlocker but I think something else is also being blocked. When checking the log it seems that it is Advertisements that is being blocked. When I uncheck Advertisements in WebBlocker it seems to work but I need to make sure we block ads for everyone. Also it seems those ads change from time to time so I don't believe I can go by a specific URL to allow through. Any ideas on what I need to do to allow Wix.com and still block ads?
