Channel: WatchGuard
Viewing all 1338 articles
Browse latest View live

Link WG to AD for policies and better reporting


Is there a way to link the WG to AD so I can create policies based on user or computer groups? Also so the reporting doesn't just state the computer's IP but the computer name?

I know this can be done, but can it be done without installing anything on the client computers? I.e. just set it up on the server?


How secure is SSLVPN when used on Google WiFi at Starbucks?


Hello!

I currently have users that are local users in the Firebox, not tied into my AD. My theory is that if someone accesses the SSLVPN because they shoulder-surfed me or my wife at Starbucks, they still don't have our domain passwords.

We both only enter passwords after making sure no one is standing behind us, and we lower the lid of the laptop so that only we can see the keyboard.

Now we have the issue of using Google WiFi at Starbucks, and whether or not it is relatively secure. The Windows firewall is on. The firewall in Trend Micro WFBS Services is on and set to block all inbound connections. The old AT&T WiFi at Starbucks had no client isolation and other users' devices were readily pingable and scannable, but Google WiFi does have client isolation. So, how secure is using the SSLVPN in that situation?

Gregg

Allow 'unscannable' attachments from specific domain?

The WatchGuard Firebox that protects your network has detected a message that may not be safe.
Cause : The message could not be scanned for viruses.
Content type : application/octet-stream
File name : 2016 01 January.7z
Virus status : The object is not scannable (encrypted objects)
Action : The Firebox locked 2016 01 January.7z.
Your network administrator can unlock this attachment.

Is there an intelligent way to allow 'octet-stream' attachments through when from a specific domain, without opening all users up to dangerous .zip & .7z files?

In this case the files are password protected, so it's not just a case of unlocking and forwarding to the user, I need to obtain the password too - it's a real pain, but I don't want to whitelist all 'non scannable' files!

Watchguard XTM-515 timing out when connecting to one website


I have a client who has two separate offices. One has a Watchguard XTM-330, one an XTM-515. The office with the 330 can connect properly to website A. The office with the 515 cannot.

I have done the following:

-Made a proxy exception in the HTTP Proxies policy for wildcard to Site A's domain (I have also tried the full domain)

-Made an HTTPS proxy exception for Site A and its wildcard (which shouldn't matter, as pattern matching isn't set up in that proxy, but...just for grins)

-Made a Blocked Sites Exception for the FQDN of *.site-a.com

-Made a (even though I believe it unnecessary) WebBlocker exception for *.site-a.com/* .

-Checked and matched some settings in the 515 to the 330's HTTP proxy that for some reason were not there, (probably as it has been on the site longer) to match. These included "Allow Range Request Through Unmodified" and...

Lagging Network (LAN)


Hi Experts,
I am now well familiar with installing WatchGuard XTM devices and setting up firewall rules to efficiently secure customers' networks. I have a good understanding of how the Firebox works and troubleshooting methods. Recently I completed a successful installation; however, we have noticed a significant decrease in access to both local resources on the customer LAN and the Internet. I automatically assumed it was a DNS issue. On the other hand, the existing Untangle firewall had the same network configuration and everything worked very smoothly. I did a little research on Untangle and I understand that the firewall acts as the DNS server and caches all DNS lookups. All DNS information is configured on the Untangle. The customer has a dedicated 3MB up and 3MB down Internet connection. After performing several tests such as...

WatchGuard XTM 26 to Cisco ASA BOVPN very slow


Hello!

We recently set up a BOVPN between my client and the HQ of the company that recently bought them. So far, they have not let me have access to the Cisco to see its settings.

The BOVPN is slow, sometimes as slow as 1Mbps. We have a 35/5 TWC connection, they have 10/10 speed from their provider.

I was thinking that it may be an MTU issue, so I tested with the following and I get fragmentation. The 172.23.230.3 is a server on their side of the BOVPN.

C:\ping -f -l 1472 172.23.230.3

Pinging 172.23.230.3 with 1472 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 172.23.230.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I tried 1472, 1450, 1425, 1415, and all fragmented. At 1410, I...

Is the "WatchGuard Mobile VPN with SSL" not an "SSL VPN"?


Perhaps this is a stupid question....

Based on the name, I naively assumed that the "WatchGuard Mobile VPN with SSL" was an "SSL VPN" (with characteristics & features like this: http://searchsecurity.techtarget.com/definition/SSL-VPN). But the WatchGuard requires a client, and that's very much NOT what I was expecting.

So, am I missing something? What is the point of WatchGuard's "Mobile VPN with SSL" over other VPN protocols that also require a client? And if I'm looking for "SSL Tunnel VPN" capabilities (from http://searchsecurity.techtarget.com/definition/SSL-VPN), do any of you have creative suggestions outside of "go buy one of those too"?

Thanks in advance for humoring my naivety.

Firewall Placement


I have just installed (or am still going through the install of) a WatchGuard T30-W Firebox. It replaced an older Cisco ASA device which I took offline last year due to its failing and Cisco not wanting to provide support since the device was past its EOL.

Previously, my setup was this:

Internet -> DSL (DHCP by ISP) -> Firewall -> Cisco 2911 Router -> LAN

This worked fine. However, the DSL failed last year and was replaced. I put the new DSL into Bridge Mode and configured PPPoE on my Cisco 2911 router. All is working great.

Now, when I placed my new T30 in the same location as my older ASA, I get no WAN connection. I have tried it behind the Router between the LAN and Router and still am getting no WAN connection.

I am 95% sure I set up the T30 correctly, but of course could be wrong. I am just wondering if now, since the DSL is in...


Unable to connect to mobile SSL VPN


Getting an error connecting to WG VPN with SSL.

The client loops trying to connect and states "A restart has occurred due to a tls error."

The user can login and authenticate to the /sslvpn.html page to download the client but can't initiate the VPN.

Username & password are correct.

move config from one watchguard interface to another


Is there an easy way to copy/move one interface to another?

We started with int 0 as our external. BrightHouse has increased our internet speed from 100 to 350.

However, int 0 only allows for 10/100.

What is the best way to move the config to a different interface?

thanks,

doug

M500 XTM VLAN config help please. :)


Hi there!

We have several branches, and are converting them over to faster internet.

We need to connect a central office (M500) to multiple branches in one region (XTM26s), using the private network our ISP provided.

We have a fiber connection coming in dedicated to that, which ends at a single Ethernet port on the media converter.

The ISP says that each branch will have its own VLAN tag, and that we need to port trunk the one at the central office, but each branch's side should be transparent (no VLAN setup on the branch end, the ISP does it).

Our overall goal is to get the link working with the one branch that is ready, but right NOW we're just trying to get the WatchGuards communicating with each other over that link, and we're having no luck. So I'm hoping someone can confirm our setup, or point out what we're doing wrong. :)

The Watchguards...

Weird mtu issue on WatchGuard ipsec tunnel for just one site


I finally have a decent question to ask the community.

I have a mix of several WG devices (and one SonicWall) with IPsec tunnels. Most are using BOVPN interfaces; a couple are traditional branch office gateway/tunnel.

For all of my sites, I can ping -f -l 1472 and get a response except for one. For that one, 1290 is as high as it goes. 1472 makes sense due to the 28 bytes of overhead to bring it to 1500.

Here's the odd thing. If I ping to that site from the other sites I can get 1472. MTU is set to 1500 on all interfaces at all sites. I can ping internet sites from the problem site with no issue.

Site A (problem) XTM 535
Site B XTM330
Site C XTM26w

These are the highest values I can get with ping -l -f XXXX:

Path         Max size
A-B          1290
B-A          1472
A-Internet   1472
B-Internet   1472
A-C          1290
C-A          1472
B-C          1472
C-B          1472
C-Internet   1472

SSL Mobile VPN attached to Site A pinging a server...

Determining which outbound ports are needed


Hello,

We run an XTMv firewall which was set up by an MSP before my time. Currently, there is an "Outgoing" rule that allows any TCP or UDP traffic from internal clients to any external address on any port. Due to crypto (I've taken several measures against it already, including application whitelisting and OpenDNS Umbrella) I would like to specify which outbound ports are actually necessary to have open and define them vs. the any rules that exist right now. Question is - what's the most effective way to do this? I know how to do it on the firewall rule, but actually determining which ports are needed seems like a big task.

David

Deny everyone from accessing certain network resources via Watchguard policy?


We have a WatchGuard XTM520 and I need to lock down access to critical network components such as our switch, phone system, etc. What is the best way to create a policy that will only allow certain people within the organization to do so?

I was thinking about doing an HTTP proxy policy to allow an alias group with their static IP addresses to connect to the resource, but everyone would have access to it anyway... So I was thinking I need to do a Deny policy, but I'm not sure how to have an exception. Would that be based on the order of the policy? What is the best way of doing this...? I guess I'm mostly concerned about the 'most restrictive rule wins' rule....

Firebox Won't Activate


Well I have my Firebox 99.9% configured but I cannot get the box to activate. I tried using the Web UI and WatchGuard System Manager. In System Manager it's telling me that the box is not active and to click "Activate Now" but I'll be darned if I can see that choice anywhere.

Additionally, when I make an attempt to activate via the Web UI, I get an "Internal Server Error" message, but I am not sure if it's from my end or from WatchGuard's end.

I have a feature key and when I go to the WatchGuard site and enter the S/N of the device I am told that it is already active.

I have placed a call to the WatchGuard tech support number but missed their call on a call-back.

Can anyone give me a suggestion as to how to activate this device?


Configuration Suggestions Needed


I am attempting to finish up a network configuration with a new WatchGuard T30-W Firebox. So far, none of the "suggested" configurations have worked 100%. When I say configurations, I am referring to the physical setup on the network, not the device configuration itself, though this configuration does come into play. Here is my topology.

I have a DSL connection to the WAN; the DSL is in "Bridge" mode. Connected to the DSL is a Cisco router that is configured with PPPoE. There are two private networks (VLANs) set up on the router interfaces. Connected to the router is a Cisco L3 switch in which both VLANs connect. All works just fine.

I want to install the Firebox (set up in Routed mode) so that only one VLAN is connected to it. When I connect the Firebox (External Interface) to the interface on the router for this VLAN, and then from the...

Watchguard blocking POP3 STAT commands??


We have an XP system that runs EDI software from IBM (Gentran)

This past weekend we switched the entire company over to a completely new network, including hardware and domain and IP structure and security (including the new M300 firewall) ... no the little EDI system was not included in the upgrades :p

Ever since the changeover, the Gentran software is not receiving any documents (POs etc). Telnet testing to the EDI servers on both ports 25 and 110 works just fine and succeeds. The log shows a failed POP3 STAT command each time.

STAT does not appear in the POP3 proxy in the M300 firewall, but all other protocols are set to ALLOW. I do not know how to get around this seemingly simple communication error.

IBM support gives us general tests to perform which succeed each time and say it is at our end. Since everything is new, I can't really...

WatchGuard Dynamic NAT Question


Assume we have two ISPs, with external IPs like 1.1.1.1-1.1.1.5 and 2.2.2.2-2.2.2.5. Multi-WAN is set up to interface overflow, with 1.1.1.1 first and overflowing to 2.2.2.2. So all external traffic by default gets the IP 1.1.1.1 from ISP1.

Say I want to force a specific device (ex 10.1.1.1) to go out any of our external IPs. I can do this via policy or via a dynamic NAT entry. I can force 10.1.1.1 to go out 1.1.1.2 (ISP1) successfully (it's the same subnet as the default external traffic), but I cannot get it to go out 2.2.2.3 (ISP2).

From help:

"If the dynamic NAT source IP address is not on the same subnet as the primary or secondary IP address of the outgoing interface for that traffic, the Firebox does not change the source IP address for each packet to the source IP address specified in the dynamic NAT rule. Instead, it changes the...

Watchguard T30-W - What is the best way to have 2 ports and the AP linked?


Just bought a T30-W for a remote office. I am used to keeping ports split up to keep subnets away from each other (I have an XTM-515 with link aggregation and 3 different networks).

How would I go about making ports 3 and 4, along with the built-in wireless, all on the same subnet?

Port 3 will have a static IP client, port 4 will have a static IP phone (by the way, is there somewhere I can control the PoE?) and the AP will have DHCP clients.

This is running 11.10.3 U1 and is being configured with WSM.

Set up GEA line on Interface 6


I have a new line I wish to add to Interface 6 but am struggling to get this working. I have attached the Ethernet cable from the BT white router to Eth 6 and set this as external.

The details from the ISP are...

IP Range: 213.xxx.182.240 /29

First Usable IP: 213.xxx.182.242

Last Usable IP: 213.xxx.182.246

Gateway: 213.xxx.182.241

Subnet Mask: 255.255.255.248

DNS Servers: 213.xxx.170.10 & 213.xxx.170.11

I have set Interface 6 as an additional external interface with a static IP of 213.xxx.182.242/29 and the gateway set to 213.xxx.182.241 but nothing connects. ISP and BT have run checks on the line and everything appears to be in order.

Am I doing anything wrong? 
