Channel: WatchGuard

QoS Watchguard between WAN and VPN Policy

Hello,

I have successfully enabled QoS within the VPN using QoS Marking Type IP Precedence with the values (VoIP: 6, RDP: 4, ANY: 2). QoS works.

Now the goal is to assign a lower priority to traffic going out from the WAN, giving higher priority to all traffic passing through the VPN, without limiting the WAN policy.

In summary, if there isn't traffic across the VPN, all the available traffic can be taken by the WAN interface policy. If some traffic starts in the VPN interface policy, then the traffic from the WAN interface policy must decrease (value 1).

I tried to set QoS with value 1 (always IP Precedence) in External Interface - Advanced,
but it does not work. WAN traffic has precedence over VPN traffic.

Is it possible to do it?


Thanks!

How to setup a DMZ on WatchGuard XTM505

Hi

How do you configure a DMZ on a Watch Guard Firewall and also be able to contact ONLY one server on the LAN? 

DMZ Server - Hostname - VM1 (Content Gateway)

LAN Server - Hostname-VM2 (Content End point)

Can you please provide detailed steps?

QoS desktop users

Hey Guys,

Is it possible to QoS or rate limit desktop users hitting the WAN from a M400?

I would like to limit the rate that each user can, for example, hit 80/443 to 1mb/s.

XTM26 Problem connecting with printer across Vlans

I have a wired LAN on 192.168.1.xxx and a wifi LAN on 192.168.3.xxx.

My XTM26 has a policy to connect the 2.

I need to put some of the PCs onto the wifi now and am having trouble making the connection.

I can ping from the device on 3 to the printer on 1.

The config utility on the XTM says it can allow the connection on port 80, but I can't find out what port the printer is when it sits on a print spooler.

2016-08-18 15:57:06 Deny 192.168.3.78 192.168.1.101 51241 9100 2-WG-Wireless-Access-Point2 2-LAN Denied 52 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 1450743473 win 8192"

I added to the SMB policy a return path from the printer (192.168.1.101).

From: WG-Wireless-Access-Point2, 192.168.1.101
To: Any-External, Any-Trusted, WG-Wireless-Access-Point2

Can anyone help me please?

How to see # of concurrent connections on WG XTM515, XTM510, T30, & XTM535?

Hi guys,

I just replaced an old WatchGuard firewall with a T30. On the old firewall, there was a section called "Connection List" where I could see the total number of active connections. For the life of me, I can't find this information on any of my current firewalls. Can you guys point me in the right direction?

Accommodate Storage in Dimension DB

Greetings Experts,

Currently I have a Dimension Server with, say, 10 devices logging to it. The Server is almost full and as a result it would start overwriting old data. Some of the devices logging are not really necessary and I would like to remove them and all their content (historical data) from the Dimension DB. If I remove a device from the Dimension WebUI, would this remove all its contents from the Dimension DB and free up space? How can I accomplish this?

Regards

Static IP VPN SSL Watchguard

Hello!

I have a Debian machine connecting to a WatchGuard SSL VPN with OpenVPN.
Everything works perfectly, except that I cannot set a static IP on the tun0 interface on the Debian machine.

And someone told me that I must configure that in WatchGuard, but I cannot for the life of me figure out where in WatchGuard I can set a specific client IP related to SSL VPN.

Any ideas?

How do I Force Split Tunnel VPN on Watchguard?

Hi, I haven't used WatchGuard a whole lot, and I'm not sure if there's a way to force split tunnel VPN for the Mobile clients. I know how to do this with a SonicWALL. I see the option to disable Split Tunnel. Not sure if leaving unchecked actually forces split tunnel, though.



WatchGuard M300 WebBlocker - strange issue...

Hi folks,

I have a WatchGuard M300 firewall. This has Web Blocker applied for http & https proxy. Mostly appears to be working fine. (just set to work on my machine at the moment for testing).

Strange issue, if I go to http://www.youtube.co.uk or https://www.youtube.co.uk I get the blocked message, if I go to http://www.youtube.com or https://www.youtube.com I am allowed through to the website - but videos will not play.

YouTube is blocked through the policy and seems to partly work as above. Any idea why the .com version of this policy is not working...

Support call already opened... thoughts?

Ta,

Jim

Watchguard proxy log reporting

Hi all

We have a Watchguard firewall that is generating logs from the HTTP and HTTPS proxies that we have set. We'd like to run some reports against that data, but find ourselves quite limited by the Watchguard reporting tools.

Is there a way of filtering out all the extraneous traffic (e.g. Windows Updates, CDN traffic, etc.) and just show the user's browser traffic using the Watchguard reporting tools?

Alternatively, is there a tool that can generate meaningful reports from the Watchguard logs or at least allow us to build our own reports and apply our own filters?

Thanks

SSLVPN "Failed to get domain name" error

Firebox T10 or T50, depending upon my mood
Fireware 11.11.2 CSP1 build 510504
WSM 11.11.2 build 508548
ISP = Verizon FiOS 50x50 service
Windows 10 Pro 64-bit management computer


I posted this one on the WatchGuard forums:


"Using my Win 10 Pro 64-bit workstation, whenever I try to connect to ANY clients' SSLVPN, it always gives the "Failed to get domain name" error and then fails to connect. If I use my Win 7 Pro 32-bit virtual machine, I can connect without a hitch. Both systems are behind my T10, both have the same antivirus application, and Windows firewalls on or off does not matter."



After posting on the WatchGuard forums, Bruce Briggs reminded me of another thread there that mentioned TLS settings.


Wow, I am seeing some WEIRD behavior! Based upon the post to which Bruce linked, I checked my TLS settings that applied via group policy to all...

[IGNORE] moving (SSLVPN "Failed to get domain name" error) to group policy

EDIT 9/5/16 at 11:32AM:

The root issue turns out to be how TLS is applied via group policy vs. manually.

I will move this post as soon as I figure out how!

---------------------------------------

Firebox T10 or T50, depending upon my mood
Fireware 11.11.2 CSP1 build 510504
WSM 11.11.2 build 508548
ISP = Verizon FiOS 50x50 service
Windows 10 Pro 64-bit management computer


I posted this one on the WatchGuard forums:


"Using my Win 10 Pro 64-bit workstation, whenever I try to connect to ANY clients' SSLVPN, it always gives the "Failed to get domain name" error and then fails to connect. If I use my Win 7 Pro 32-bit virtual machine, I can connect without a hitch. Both systems are behind my T10, both have the same antivirus application, and Windows firewalls on or off does not matter."



After posting on the WatchGuard forums, Bruce Briggs reminded me of...

Trusted Int not showing in Dimension

Any ideas how to get the trusted interface to show up in Dimension? At the moment only my VLAN traffic shows in reports, which is wireless traffic.

If I browse to the actual Watchguard it shows the latest web traffic fine with windows usernames. But not on Dimension.

Cannot Setup a Hotspot Watchguard T30

WSM Ver 11.11. Since they changed the software to allow multiple interfaces to connect as a hotspot, I cannot figure out how to specify the hotspot interface. All the documentation I find has a button for the selected interface, mine does not. I am using a VLANID.

WatchGuard VLAN

Hi all,

I'm setting up my first VLAN on a WatchGuard and am confused about tying it to an interface. Ideally, I'd like to have one interface carry both the LAN and VLAN traffic, but when I switch the main Trusted interface type to VLAN I noticed that the IP associated with the interface disappears. My concern here is that the WatchGuard may no longer have an IP for the LAN after the change and that systems that have its current IP as their default gateway would lose internet connectivity and I might not be able to get back into the WatchGuard to manage it. Clear as mud? Basically I'm just wondering if a single interface can carry LAN and VLAN traffic or if these need to be separate interfaces. 

Thanks!


403 Forbidden accessing site through WatchGuard Firebox proxy

When attempting to access a site (www.seols.org) from a connection running through a WatchGuard Firebox HTTP proxy, the site returns a 403 Forbidden error. The site displays just fine when accessed through off network devices, both mobile and desktop. In reviewing the traffic in the Traffic Monitor, there are no denied packets or stripped headers logged when attempting to access the site.

Adding the site to the HTTP Proxy Exceptions did not help.

I suspect the Firebox is doing something with the HTTP request that is causing the remote webserver to throw the error.

Issues with 11.11.2

Our UPS software stopped working after we updated XTM software to 11.11.2.
The error message was: "Cannot communicate security with peer: no common encryption algorithm(s)"
UPS tried to solve this problem and they mentioned that they had the same problem with another firewall. Since this problem started exactly after we updated to 11.11.2, we downgraded to 11.11 and the problem went away.

SOLVED: SSLVPN "Failed to get domain name" error

EDIT 9/5/16 at 11:32AM:

The root issue turns out to be how TLS is applied via group policy vs. manually.

I will move this post as soon as I figure out how!

---------------------------------------

Firebox T10 or T50, depending upon my mood
Fireware 11.11.2 CSP1 build 510504
WSM 11.11.2 build 508548
ISP = Verizon FiOS 50x50 service
Windows 10 Pro 64-bit management computer


I posted this one on the WatchGuard forums:


"Using my Win 10 Pro 64-bit workstation, whenever I try to connect to ANY clients' SSLVPN, it always gives the "Failed to get domain name" error and then fails to connect. If I use my Win 7 Pro 32-bit virtual machine, I can connect without a hitch. Both systems are behind my T10, both have the same antivirus application, and Windows firewalls on or off does not matter."



After posting on the WatchGuard forums, Bruce Briggs reminded me of...

Watchguard Log server Email Notification not working

Hello everyone,
I am not able to properly set up email notification on Watchguard server center / Log Server. I am currently using a Gmail account and am pretty sure I have the correct SMTP settings.
smtp.gmail.com:465
However, when I click "Test Email", I get the message below.
Not sure what I have to do next to make this email notification work.
Thanks in advance.



Watchguard webblocker / application control not working in IE

Hi

We've got an XTM505 and we're using web blocker and application control to block certain websites like facebook and dropbox and this works fine when the end user runs firefox but when using IE users can still get to both websites.

We've got the SSO client installed so I'm a little confused here especially as some other sites like betfair.com are being blocked in IE and the user is getting the correct proxy group so I'm struggling to see how they are getting to facebook and dropbox still.
My initial thought is that it's related to facebook and dropbox redirecting to https and therefore bypassing the http rule but then why is it working in firefox?
I've tried adding an https rule in the firewall but that has massive adverse effects on the corporate banking systems and so we can't really use it.
Is there anything else that I can try to get...