Channel: WatchGuard
Viewing all 1338 articles

WatchGuard Report Server Notification

I'm trying to set up the log and report server and I'm getting this message:

Error: unable to pull data from log server. Please check the log server.

Log server: 10.7.48.25

Error message: ########@10.7.48.25:4121/wgrpc1-auth: 401 Authorization Required>

Any ideas?



Can I restrict SSL VPN access?

We're currently using SSL VPN to give our users access to the network when they're out of the office and it's working fine.

We have an outside vendor that needs access to a specific desktop on our network.  Can I set them up with SSL VPN access and restrict them to that specific computer without affecting our other VPN users? From what I can see SSL VPN is an all or nothing setup so I hope I'm missing something.

VPN error after upgrade

I just upgraded from an XTM running 11.11.4 to an M370 running 12.0.2. After doing so, I am not able to get my SSL VPN to connect. Below is part of my log. Any idea what would be causing this problem?

2018-03-19T07:15:29.706 OVPN:LOG:1521458129,D,TCPv4_CLIENT READ [1196] from [AF_INET]xxx.xxx.xxx.xxx:444: P_CONTROL_V1 kid=0 sid=a18895dc 39e77896 [ 3 sid=eecbecb5 e186ee0b ] pid=1 DATA 16030100 57020000 5303015a af9bd3b7 e5665170 ca0dd551 71e07080 692423c[more...]

2018-03-19T07:15:29.706 OVPN:LOG:1521458129,N,VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware SSLVPN Server

2018-03-19T07:15:29.722 OVPN:LOG:1521458129,D,PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=00757AD8, ptr=00000000, ad=00757B08, idx=0, argl=0, argp=645D6B5B

2018-03-19T07:15:29.722 OVPN:...

Watchguard multi-wan

Dear experts,

I have dual ISP lines connected to my WatchGuard, but I want traffic from each designated internal IP segment to go out through its respective ISP. I tried to set rules in Policy Manager, but it doesn't work.
The inbound and outbound traffic from internal IP 1 should route to ISP 1,
and the other traffic from internal IP 2 should be routed to ISP 2.
But after I traced the traffic, all outbound or inbound traffic only routes through ISP 1. Does anyone know how to set the policy?

ISP1: 118.122.117.205
ISP2: 45.117.97.196
Internal IP segment 1: 10.121.0.0/24
Internal IP segment 2: 10.121.1.0/24


Q4 2017 Internet Security Report + New Threat Landscape Visualization Tool

Hello Spiceheads!

We have a couple of announcements for you:



This week, we released our quarterly Internet Security Report covering Q4 2017. Every quarter we examine anonymized data from our Firebox UTM appliances all across the world and report on the most common malware variants and network attacks that our appliances block. This gives valuable real-world information on the most common network and computer threats aimed at small and medium-sized businesses and distributed enterprises.

This quarter, active Fireboxes blocked more than 30 million malware variants and 6.9 million network attacks. We found growth in macro-less Word document attacks, a major jump in new or “zero-day” malware variants that did not match existing antivirus signatures, and much more.

Click here to read some of the major findings from the Q4 2017 Internet...

Watchguard - Scanning Password Protected PDFs

Currently our Watchguard Firewall scans most incoming attachments and everything seems to work correctly. However, we have customers from time to time who are sending sensitive info by way of password protected PDFs. This causes our firewall to be unable to scan the item and then 'cloaks' the file, requiring us to go and unlock the file. Is there any better method to go about not having to constantly unlock PDF files that have been password protected?

Thanks for your help in advance

New Fireware version released 4/4/18

Fireware v12.1.1 came out 4/4/18. DNSWatch looked nice in the beta. It also has support for more dynamic DNS providers, among other things.

Gregg

Setting up Watchguard Firewall to use multiple IPs

Hello,

I have been trying to get my watchguard working for quite some time, and finally decided to take the time and get it working the right way. I have comcast business internet, and they have provided me with 5 ip addresses:

x.25

x.26

x.27

x.28

x.29

a netmask of 255.255.255.248

and a gateway of x.30

I have to use their business modem in order to get the 5 ip addresses, and it is unable to be set to bridged mode.

I have been reading up, and it looks like I need to assign one port on the firewall as an external port, and give it one of the external IPs as primary, and the rest as secondaries. My question is, is there a specific address I need to give as the 'primary', or do you just pick one and add the rest as secondaries?

Also, how do I determine the slash notation I need to use with these ips? I have seen people use /29 /30 etc but I am not...


blocking website address type

I wanted to block the top level address type in WatchGuard to eliminate "typosquatting" from occurring when people type in (dot)cm instead of (dot)com.

Where is this done in the policy settings? I am using the system manager.

Need to change my external IP for a VPN gateway (secondary IP tab)

Hello,

I need to change my external address (new ISP). I currently have VPN gateways and tunnels on the external interface, i.e. 212.1.1.1. Can I use the secondary IP tab for a transition to the new IP address 174.1.1.1, with new VPN tunnels to existing clients, so that their remote IP will be 174.1.1.1?

Does the secondary IP need to be in the same subnet as the existing external IPs? Can the secondary IP be used for VPNs?

Thanks for any info

Jas

mobile ssl vpn - reports who, when and how many times a user has connected

Hello,

I would like to get a report about who, when and how many times a vpn ssl user starts a connection to our environment.

I'd like to get it easily and clearly.

Any ideas?

(watchguard XTM400, OS 12.xx)

Option 3 DHCP (SonicWall can)

So, I need to set up Option 3 on a DHCP scope of a particular VLAN to propagate the IP of a different default gateway...after talking to WatchGuard (who has a workaround, no, no, no, it WILL do it, it just gives you an error....no, no no, you need 12.1...oh, you're on 12.1...but it works....all but that error.......)

I know SonicWall supports it right out of the box https://www.sonicwall.com/en-us/support/knowledge-base/170505809847447

But, when we try on the WG this is what we get....


Disable UPNP feature on M5600?

Hello,

Looking to disable the UPNP feature via the WSM but have not seen this feature anywhere.

Please could someone point me in the right direction.

Thank you

How to view BOVPN pre-shared key

Hello All,

Is there a way to view the pre-shared key for XTM M5600/v12.1? 

Thanks for any info.

Oops they broke it again....(WatchGuard)...sing it!

So, I get past the issue with DHCP offering up an assigned Gateway...that was an "Upgrade" to 12.1.1 (or, apparently you always could do it, it just was not in any instructions anywhere, no documentation, they do not support it and you have to do it via Putty CLI)...

So, now with 12.1.1 there is no DPI nor web blocking on 443 mostly, and ZERO if you use Chrome (and we in particular were looking to redirect the Gateway on 40 Chromebooks). All while SonicWall had one of their reps in the facility on hand to prove just how superior their products are. Then, two hours on hold just to get an operator to get a case assigned to a guy who was going on lunch.


Done. I am simply going to suggest they get the SonicWall...not worth the fight.


Weird Problem with WatchGuard Firewall

Hi to all Spicemasters,

I encountered a very weird problem with one website. In my school this website is not blocked. I tried to do nslookup and tracert but all results are positive, meaning I can see the site. But when we try to browse to any computer connected to the domain it cannot find the site. When I checked the Traffic Monitor in WatchGuard I found that the said firewall is not blocking the site.

So now I am confused as to what is causing this issue. Below are some screenshots.



I appreciate any support.

Thanks in advance spicemasters!

Rodney

SSLVPN fails on 12.1.1 - client logs show auth failures

Good morning folks.

I updated our devices to 12.1.1 overnight.  I get a call this morning that the SSLVPN isn't working.

I watch the firebox (M300) logs and I see -- openvpn_add failed, sslvpn ip pool isn't initialized.

A little odd.  I check and everything looks the same as the last time I was in that portion of the config.

Our users use the client offered by the firebox.... I haven't suggested to our users to login to the firebox and pull a new client -- yet.

I also have OpenVPN installed on my PC and tried it.  I get an auth failure.

Two issues? Not sure.  I'm going over my settings as much as I can.

Has anyone else had anything like this?

Has anyone used the WatchGuard Access Portal?

WatchGuard released an Access Portal last year, anyone using it? For SSO?

Blocking VPN apps on BYOD iPads

We have a BYOD environment with about 700 student iPads and no MDM. We're using a WatchGuard M570 with WebBlocker and App Control to try and manage the content available to students. I've been having issues with students using VPN apps to bypass our content restrictions. Currently, we have just 3 policies for student traffic - an HTTP proxy, an HTTPS proxy, and a catch-all TCP/UDP packet filter. I have Web Blocker and App Control enabled on both proxies and App Control for the packet filter. The VPN apps are currently getting out through the packet filter policy and the only way I know to block them is to have App Control drop all SSL/TLS traffic. Obviously, that breaks lots of other things.

Is there a way to block SSL/TLS traffic at the packet filter policy and add exceptions for things we need like the app store and ebook apps?

Or am I...

DHCP and Avaya Handsets not picking up correct IP address

I have just upgraded my T35 to 12.1.1 which now includes the option to provide a gateway value other than the IP address of the relevant WG Interface itself.

Scenario

vLAN1 = DATA (INT 1)

WG DHCP set with Option 242 to tell the Avaya handsets to move to vLAN10

IP Range 172.19.x.x

vLAN10 = Voice (INT 2)

WG DHCP set with Option 242 to tell the Avaya handsets IP info of the call server etc.

IP Range 10.x

Issue

The Avaya handset from factory gets an IP of 172.x from the WG DHCP interface on vLAN1 then reboots to vLAN10.

On reboot, instead of getting a 10.x address, it hangs onto the 172.x address.

Has anyone seen this behaviour?

