Channel: WatchGuard

Watchguard Quarantine Server DB Size


XTM 510 V11.10.5

WSM V11.10.7 (Watchguard Server Center)

I would like to add several other mail domains to our local Quarantine server. I am seeing that the Quarantine DB is set to 24Mb. How can I increase this size? Is this a good idea?

Regards
Budding Networking Expert


What is the better way to throttle bandwidth?


I have an XTM-515 at our main building and a T10 at a remote worker's home office. (Soon to be a T30-W)

The main building has 2 WANs in failover
WAN1: 30x5mbps
WAN2: 20x2mbps

The remote worker has 2 WANs that will be in failover with the T30-W
WAN1: 100x20mbps
WAN2: 35x2mbps

The issue I am having is that whenever the main building even sneezes, he is calling to complain about his VoIP phone static or his RDP connection getting laggy.
The VoIP phone uses less than 100kbps, the RDP uses less than 200kbps.

Latency across the BOVPN is about 55ms

I have a traffic management rule in place that gives the BOVPN a guaranteed 768kbps. I also have another rule in place that throttles the Iron Mountain LiveVault backups to 768kbps each, for a total of 1.5mbps upload speed from the backups.

It seems he has issues whenever someone downloads a large file...

WatchGuard APT


Bonjour Spicy people.

Asking people's opinion as to whether WatchGuard APT is worth having, and any cheaper alternatives. We have WatchGuard firewalls in place and the subscription to the APT seems quite expensive, and reading into the benefits I am not sure if they outweigh the costs.

Has anyone had any experience of APT? What are the benefits and drawbacks of this system?

Applying template to Watchguard XTM 26 from System Manager.


Hi,

I'm having some trouble with applying templates to my XTM 26 devices.

I have made some changes to my template, but when I try to apply the template to my XTM 26 devices, it gives me this error:

I can't seem to find anything about this problem when searching - so I'm hoping some of you guys have seen it before and can help.
A little info about my setup:
I have a management server with 24 XTM 26 (Remote Sites) firewalls connected, plus one M300 (Main Office) firewall. All firewalls are running Fireware 11.10.7.
The management server is running on Server 2012 R2, which is also running as a domain controller.
Please tell me if you need more information. I'm kinda new to the world of WatchGuard, so there might be something that I'm missing.

Configure policy VPN


Hi to all,

I have a WatchGuard XTM 850 and I want to create a policy for SSL VPN to give some LDAP users access to different servers. Right now it is configured so that all users who connect can go everywhere. I wish it were not that way.

I tried to disable the rule "Allow SSLVPNUSERS", the one created by default, and create another, more specific one, but it does not work. Can you help me? I can connect to the firewall but I cannot ping or access the server specified in the rule.

Thanks so much,

Seba

Access Watchguard Mobile IPSec VPN from Android


Has anyone managed to access a WatchGuard Mobile IPSec VPN from an Android device? There are some instructions that WatchGuard provide using Android's own VPN settings, but I can't connect: it fails although the settings I'm using are correct (with the type set to IPSec Xauth PSK, and the correct server address, the correct IPSec identifier, and the correct pre-shared key).

There is a WatchGuard app for it, but there are no options in the app, and you are meant to open a .wgx configuration file with the app for it to work. However, Android doesn't give an 'Open With' option to open the file; it just says that it can't find an application to open it with.

Any ideas please anyone? Or will I have to just use PPTP?

Many thanks

Web authentication redirect not working


Hi,

WebBlocker works correctly. If I go to the default page on :4100 I can authenticate with my LDAP user, but I can go to any web page and so surf freely.

I have already set the policy rule for the HTTP and HTTPS proxy for the LDAP group.

Moreover, when I open a web page for the first time it does not redirect me to the authentication page, despite having set the flag "Redirect users to authentication page."

Do you have ideas?

But

Watchguard WiFi with RADIUS authentication


Someone help before I lose whatever is left of my hair (trust me, not a lot).

I have a very simple network setup, a WatchGuard Firebox T-50W. I am trying to do Wi-Fi authentication with a RADIUS server on Windows Server 2012 R2.

I have a few VPN profiles on that same router with RADIUS authentication going to the same server and everything works great! However, when I try to do WiFi authentication from that same router to the same server, I get:

"An Access-Request message was received from RADIUS client(ipaddress) with a Message-Authenticator attribute that is not valid."

A few Google searches suggest that the shared key between the RADIUS server and the router is mismatched. However, I am able to authenticate my VPN profiles just fine using the same settings.

I double and triple checked all my policies and everything seems to be ok. My router is...


XTM-25W blocking some video streaming sites from loading w/o any cause I can find


XTM-25W in operation for over a year, with a general configuration, security subscription services activated and nothing funky enabled.

Refuses to load streaming videos (regardless of browser and computer) from:

wsj.com/videos

thegreatcourses.com

No errors in the system logs that I've found... I suspect the HTTP proxy needs tuning/modification, but I have no idea what to change... other than, worst case, to add the sites to the exception list so that they bypass the proxy.

XTM 26 Unhandled Internal Packet on Port 80


I'm trying to get Anywhere Access set up on our 2012 R2 server. I'm getting an unhandled internal packet on port 80.

2016-05-03 14:22:32 Deny *server_ip* *external_ip* http/tcp 59442 80 1-***-LAN Firebox Denied 52 128 (Unhandled Internal Packet-00)  proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 170266857 win 8192"

Not sure what to do or where to go. I've tried adding an Any rule to test; same error.

WatchGuard DMZ Routing Advice


I would like to establish a secure DMZ using a WatchGuard firewall and L3 switch with IP routing enabled. The switch handles all routing and connects to the firewall via a Trusted interface. All traffic in and out of the DMZ VLAN should pass through the firewall. The DMZ needs very limited access to a device on our private LAN.

The traditional technique is to use an Optional/Custom interface (so that the DMZ traffic does not get mixed up with the Trusted traffic). Routes would be needed on the switch to force the DMZ VLAN traffic through the firewall. Even though ACLs on the switch could handle most of the traffic restrictions between VLANs, I would still want to use an Optional/Custom interface for flexibility and best practice.

I had another thought I would like input on. What about creating a VLAN interface on the firewall instead...

WatchGuard Subscription Services On Incoming Connections


I understand how the subscription services work on policies with outgoing connections (i.e. a client going to the internet).

How does applying WebBlocker for adult sites (for example) work on incoming policies (i.e. a server) that are Any-External TO SNAT of a local server? Would applying an Application Control policy which blocks Tor block incoming connections via Tor on this type of policy?

If subscription services work bi-directionally, I am not sure what kind of behavior WebBlocker or Application Control would have on incoming policies. Can anyone offer insight?

FQDN resolutions


Hi experts,

I have an HTTP packet filter policy that says:
Allow Any-Trusted to FQDN (*.gov.tt) on port 80

I would assume it will allow all connections to that domain since the wildcard is used. However, I still can't access URLs such as customs.gov.tt or finance.gov.tt. I also noticed that these URLs are resolved to different DNS addresses. So I have to manually add these addresses as FQDNs as well, such as *.customs.gov.tt. Am I utilizing the policy incorrectly, or is FQDN trickier than I thought? I would like to simply allow trusted users to access any website under .gov.tt.

Regards

Configuring Subinterface


Hi,

Is it possible to configure a sub-interface on the external interface of a WatchGuard, and is it possible to add multiple IPs to the external interface?

Regards

Sridhar

Port forwarding through Watchguard to NVR


Hi. One of our sites has an NVR installed that was accessible externally. We were port forwarding through a consumer-grade D-Link router and everything was working fine. Yesterday we switched to a DSL service and I also replaced the D-Link with a WatchGuard T10, and now I cannot access the NVR website externally. From what I see in the logs we hit the NVR, but the web login page is blank. I have set up a static NAT from my external interface to the local IP of the NVR. I have also opened up all of the TCP and UDP ports that were set on the D-Link (hell, I have even tried opening ALL ports for a test). Logging is enabled on both the WatchGuard at my remote site and the WatchGuard at the NVR site, and no ports are being reported as blocked. I have called the ISP and they swear that they are not blocking ports. We have the same issue with a...


WatchGuard DNS over VPN


Two remote BOVPN connections are behaving differently and I would like to understand why. Diagnostics DNS lookup for a site (google.com) shows one local IP for one firewall and one external IP for the other (using the local DNS server at the home office):

BO#1:
Allow [LOCAL_FW_IP] [DNS_SERVER] 34523 53 Firebox 0-External Allowed 56 64 (Any From Firebox-00)

BO#2:
Allow [EXTERNAL_FW_IP] [DNS_SERVER] 46375 53 Firebox 0-External Allowed 56 64 (Any From Firebox-00)

Relative to each remote firewall, I've verified the following are identical: NAT, routes, interface configuration, DNS servers, BOVPN tunnels/gateways. The behavior is that the BO#2 firewall cannot resolve DNS queries and thus cannot automatically obtain the OS updates. All clients are fine on both networks. I can set up a route on BO#2 to force traffic to the local DNS server to...

WatchGuard SSO


WG OS 11.11 has a RADIUS SSO option.

We have a Cisco ACS 5.5 appliance and I cannot figure out how to configure the Cisco side to do this: "configure the RADIUS server to forward RADIUS accounting packets to a Firebox IP address on port 1813".

I am just not sure where to configure this in the Cisco ACS. Am I adding an AAA client, External Proxy, Remote Logging?


UDP Port 6889 Suddenly Got Popular


I just checked the traffic report on my firewall and have noticed that in the last 12 hours UDP port 6889 has suddenly gotten popular with external IP addresses from Japan, China, Sweden and Vietnam. Here is an example (this one is from Japan):
-----
2016-05-20 22:07:44 Deny src_ip=126.203.67.88 dst_ip=192.168.1.118 pr=6889/udp src_port=27642 dst_port=6889 src_intf=0-External dst_intf=Firebox msg=Denied pckt_len=131 ttl=103 policy=(Unhandled External Packet-00) proxy_action= proc_id="firewall" rc="101" msg_id="3000-0148"
-----
The firewall is doing its job by dropping these unhandled external packets, but I am just a bit curious as to why this port is suddenly hot. I know BitTorrent uses it, but I don't deal with BitTorrent. Also, World of Warcraft uses ports 6881 - 6999 for its Blizzard downloader and I do play WoW, but I don't think...

WatchGuard Policy Manager doesn't open.


I'm working on a fresh setup for the M300 firewalls.

The first time it happened I thought it was weird; the second time, a problem. Through the web interface I was able to upgrade the firmware to 11.10.5; it is in the attached screenshot.

After it was done with the firmware upgrade I used WatchGuard System Manager to access the firewall. From here I launch Policy Manager and do what I need to with the feature keys, configs etc. Well, the thing is, both times on these 300's Policy Manager won't open. I say Yes to creating a new config, and it runs through the steps and appears to minimize and just won't open. I've done plenty of setups, but this behavior is new.

I'm suspecting a Java issue, but I'm at a loss. I can still access the web UI and the feature key is still there. I need to get into Policy Manager to get an existing config on the...

Best way to do VoIP through XTM or T series firewall?


What is the best way to do VoIP through an XTM 25 or T-series firewall? Should I use an outbound packet filter or the SIP-ALG proxy for VoIP?

The issue:

I have a client who got Fonality phones and they have random call quality issues going through their XTM 25-W running 11.10.7 U1. The ISP is TWC 50x5 for an office of 16 users. I called TWC today, and they said they made some changes to help optimize VoIP performance (I think they disabled their QoS and something else).

I have tried QoS enabled and disabled on the firewall... off is worse, but I still have problems with it on.

All Fonality said was that they need QoS on ports 5222 TCP, 5060 UDP, and 10000-30000 UDP. They did not suggest doing so with a packet filter vs. with a proxy.

How can I get the best call quality, with a filter or with a proxy?

Their main switch is an unmanaged HP...
