Channel: WatchGuard
Viewing all 1338 articles

VPN iOS 11.x X750 Fireware 11.3.8


Hi there.

I'm trying to connect an iPhone (iOS1.2x) through VPN to a WatchGuard X750 with Fireware XTM 11.3.8

I followed step by step this tutorial.

https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/mvpn/ipsec/mvpn_ipsec_ios_vpn_c...

But every time I try to connect I get an error in the WatchGuard:

2018-05-30 12:29:47 iked ******** RECV an IKE packet at xxx.xxx.xxx.xxx:500(socket=11 ifIndex=39) from Peer yyy.yyy.yyy.yyy:26916 ******** Debug
2018-05-30 12:29:47 iked Found IKE Policy [IOS11_mu, dev=anyE] for peer IP=yyy.yyy.yyy.yyy.yyy, numXform=1, pkt ifIndex=39 Debug
2018-05-30 12:29:47 iked WARNING: Rejected phase 1 aggressive mode from yyy.yyy.yyy.yyy to xxx.xxx.xxx.xxx (no matching policy) cookies i=35655691 4c6e91d8 r=00000000 00000000 Debug

I've tried the same procedure on a WatchGuard M300 with Fireware XTM...


Mapped drives over SSL VPN


Good morning,

I feel like I am, yet again, asking another noob question, but here goes:

I am looking for a good solution for us to map network drives over the Watchguard SSL VPN. Unfortunately, we are using a Windows 7 machine as a small file server so we are unable to utilize GPOs or Active Directory. Server upgrade is at least a year away. Nor do we have internal DNS or WINS. So, I was thinking about temporarily changing our mapped drives from //servername/share to //ipaddress/share. We are able to connect to the VPN now with no issues and are able to access mapped drives - however we have an application that connects to an MS SQL database on our file server to //servername/instance. Changing the DB path in the registry does not fix this. So my question is as follows:

Would it be better to play around with MS SQL's settings to connect to...

Should IPS be enabled on BOVPN policies?


I have a newly set up BOVPN that seems to be working great.  However, I have some issues with IPS blocking certain applications such as my security camera software.   

So, my question is whether IPS should even be enabled on the BOVPN policies?

Auto-Load Balancing on Externals


So, talking to a WatchGuard SE I was told that if I get an M570 and set up three external interfaces...when propagating out only access to traffic via WiFi (open with no UTM)....the external ports will auto-load balance.


This would mean that if I get three Comcast cable modems @ 200/20 my effective throughput would be 600/60!!! Rock on...first, I don't buy it or everyone would do it....second, if it does work I assume that this is a PBR setting or is the device smart enough to just know (I won't even get into HTTPS sites and what not at this point). So, was the SE full of it?

The goal here is effectively a huge guest network with +/- 600 client devices. 

Watchguard proxy deny executables


Hi Guys,

I need your help blocking .exe files on the HTTP and HTTPS policies. For some, I was able to block the .exe file, but some .exe files can still be downloaded.

Thanks

Watchguard Firebox OS Hosed?


Has anyone ever had a WatchGuard Firebox lose or have its configuration toasted for no apparent reason?

I was online one minute and then the next minute I was not.  Through troubleshooting I discovered that I was unable to PING my Gateway, which in this case is my Watchguard Firebox.  I tried the normal reset steps and all lights look perfectly fine on the Firebox, but I cannot PING the Firebox at all.  I know there is an Internet connection because when I bypass the Firebox I can get to the WAN.

Has anyone ever seen a configuration or OS get hosed without any apparent reason?  We had no power surges, (and this Firebox is connected to a UPS with surge protection.)

I guess I am stuck having to reset the box to factory defaults and re-configuring it.

VPN diagnostic message I have no clue about


I ran a diagnostic under "System Status" > "Diagnostics" > "VPN" on a WatchGuard T10 that has a BOVPN connection back to our Corporate HQ. The remote site is a 192.168.155.0/24 network and the Corporate is a 192.168.0.0/22 network. I'm able to access some IP addresses and not others from the remote site back. Inside the diagnostics results was the selection of text below:

"[Conclusion]
Tunnel Name: Cola
tunnel route#1(192.168.155.0/24<->192.168.0.0/22) - Established
Incoming VPN traffic was detected for this tunnel after the diagnostic report started.
Outgoing VPN traffic was detected for this tunnel after the diagnostic report started.
The outgoing traffic for tunnel route (192.168.155.0/24<->192.168.0.0/22) is denied by firewall policy (Inconclusive).
Recommendation: Check your firewall policy configuration.
The incoming traffic for tunnel...

Enabled SMTP TLS - Inbound Google Mail Problems..


Bit of a head scratcher this one.

Exchange 2013 sitting behind WatchGuard Firebox. TLS has been enabled on both the server and the SMTP proxy policy (ESMTP settings). Uploaded the pfx to the Firebox and all systems look good. External testing tools report TLS enabled and certificate chain complete.

However, started to receive complaints about missing inbound emails. All of which appear to originate from the gmail domain or clients who are also using Google's email servers.

All other email appears to be good. Can anyone suggest a fix for this please? 


Dimension Configuration


I'm sure I'm just missing something simple but looking for insight.

Dimension, Executive Dashboard, Top Clients: some host names appear but about 70% of the entries just show the IP address.  If I had something misconfigured, I'd think it'd be all or nothing - not just some host names showing up.

Dimension, Executive Dashboard, Top Destinations:  All IP addresses - no host name resolution at all for external destinations. Some internal destinations show the hostname some don't, like above.

Ideas?

Inbound/Outbound "white list"


A supplier is building us a server (for online backups).

In the pre-reqs doc they've asked us to provide "... additional network access for monitoring the hardware for all media agents/proxies deployed within the customer environment and for remote access to the servers. The table below shows the SSL access and whitelisting details for LogMeIn and Site 24x7", and given us this table:

So, I've set up a policy like this:

As they've asked for "Inbound/Outbound" I've put the host names they've provided in both the From and To lists (along with the internal IP address we've reserved for the server).

Does that look like the right thing to do?

How to use external 2 as default internet gateway for Trusted network Watchguard


Hi, 

I have a WatchGuard Firebox M300 with one Trusted interface and one External interface at the moment. We are getting a new internet connection and I am planning to set it as the External 2 interface.

I wonder how my Trusted interface which is my network can use External 2 interface as the default internet gateway.

Thanks

Multiple Static IPs from ISP split between Multiple Buildings, Single Fiber


Hello community! I have a question regarding recommendations on what I need to achieve my current goal. Short version is our ISP installed a single fiber line into building A and then split it to buildings B, C and D that are on the same campus. My issue comes with each building having different requirements from the remote vendors they connect to. I was not part of the initial build or I would have done it slightly differently.

I am looking at a WatchGuard M200. I have other smaller versions in different facilities but have never had the pleasure of dealing with the current scenario, which is why I would like input to see if I'm overthinking how I want to proceed or if there's a better solution someone else has had.

Here is what I'm tasked with:

  • Single Fiber connection with a group of dedicated IPs.
  • 4 Separate buildings
  • Fiber is converted to...

Firebox - Routing issue


Hello,

it's easy: I have a new T15 with three interfaces connected:

1. External
2. Internal
3. Optional/Custom

"External" is connected to a Ubiquiti access point with DHCP, network 192.168.1.0/24, that provides internet access (WISP).

"Internal" is connected to a guest wireless network and the firebox itself has DHCP server enabled, network 172.16.24.0/23.

"Optional/Custom" is connected to a management network within my network infrastructure, ip 192.168.92.99/24.

Well... my PC is in the main office network, 192.168.1.0/24, which is the same subnet as "External", so when I try to get the firebox management page at 192.168.92.99, the firebox routes to "External" because it has the same subnet. So I can't manage it.
Yes, the easy way is to change the network between the Ubiquiti and the "External" interface.
But....if I can't do this, how can I...

WatchGuard IKEv2 Mobile VPN with Windows 10 Failing


We are trying to create a Mobile IKEv2 setup with the native Windows 10 VPN client.

I have followed all steps for the VPN setup successfully (http://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/mvpn/ikev2/mvpn_ikev2_client_con....

However, upon connection, received the error:
iked ({FW-EXTERNAL-IP}<->{CONNECTING-IP})IKEv2 IKE_AUTH exchange from {CONNECTING-IP}:12805 to {FW-EXTERNAL-IP}:4500 failed. Tunnel='WG IKEv2 MVPN'. Reason=IPSec proposal did not match. Received hash SHA1, expected SHA2_128.

Upon further digging, it seems that by default, Windows 10 IKEv2 VPNs use an insecure implementation.

I have our IKEv2 settings in the firewall configured as such:

Phase1
SHA2-256-AES(256-bit)
Diffie-Hellman Group 14

Phase2
ESP-AES256-SHA256

I found one page that suggests we can use a PowerShell command to edit the VPN settings (...

Fun New WatchGuard Error 20598


Can't seem to find anything on the KB.....

Any clue folks?


Firebox - policy issue


Hello,

I have a T15 with External, Trusted and Optional-1 connected to their own networks.

I would like to deny all the traffic from External and Trusted to the Optional-1.

So I added a "deny" packet filter rule with Type:Any from Ext/Trusted to Optional-1. 

But it doesn't work.

I'm in the Trusted network and I can ping the Optional-1 interface ip.

https://i.imgur.com/xbapUDk.png

Why? What's wrong?

Firmware Upgrade on XTM 520 without Support Contract


I just purchased a NIB XTM 520 online for use in my homelab. I've never used WatchGuard before and got a good price on it, so I thought I'd give it a spin. I originally wanted to play with it and just use the basic features, but also wanted to make sure it was up to date, so I downloaded the relevant firmware files, but upon trying to install them I was notified that I couldn't without an active support contract. I realize this is good for them to keep maintenance contracts in place for products, but is there any way to upgrade this without a support contract since it is end of life? (I'm not even able to activate the device online because of this.)

If not, it's not a big deal as I'll just load pfSense or OPNsense on it and continue on my way. I saw someone suggest reaching out to them to see if WatchGuard could do something to get around...

WatchGuard keeps logging DNS Proxy entries even though logging is disabled.


Trying to weed through all of my logs to get to useful data to diagnose a separate issue, I noticed my switch is generating a ton of DNS requests that keep getting logged.

The odd thing is, both DNS-Proxy-00 and DNS-Outgoing.1 have logging disabled...

Any ideas why these entries are still getting logged?

IPSec VPN failing


We are trying to implement an IPSec VPN on our WatchGuard M200. We are using the ShrewSoft client.

Clients are unable to reliably connect to the VPN, or reliably use domain resources (connecting to file servers or internal Sharepoint, for instance). In my own testing, I can successfully connect, but not browse around for very long, if at all. Checking what I can of the logs, I can see that for some reason, it begins denying the authentication of the session. 

I'm unsure of where to start looking to try and correct whatever the problems are. I don't find the logs/reports terribly intuitive or helpful, but that may just be me. 

Has anyone encountered this issue, or have suggestions?

port blocking policy


Is there any way to create a rule on the XTM 850 to block all ports and allow only the necessary ports? Because on the WatchGuard forums, to prevent botnet attacks, ports 1024 and higher need to be blocked.

Thanks
