Channel: WatchGuard
Viewing all 1338 articles

Fifty Years of Dimension


So, cleaning up a few stagnant connections from Dimension I notice this today....it is not an issue, just wondering where on earth that number comes from......thing is a few years older than I am....


Watchguard XTM 505 and UniFi AP


Hello,

I have had the WatchGuard and UniFi APs set up for a while now, but we have added another external interface with a faster provider as a failover.

However, I want to make the new provider route traffic for our APs. I was thinking that creating a Dynamic NAT would solve this, but this would prevent individuals on the WiFi from accessing company shares, as I would believe I would have to create a VLAN or another trusted network to make this work.

Any ideas on how I could accomplish this?

Thank you!

Dimension Reporting Host Names


Those of you running Dimension without AD DHCP/DNS... how are you reporting on device use? In theory I could apply a static map of a known IP to a host name (or whatever I want to call it). At one facility we have about 150 BYOD devices and no local servers; DHCP is out of an M200 on ten VLANs...

According to the screen shot below, I infer that Dimension will get the Host Name from the Firebox....being as the Firebox KNOWS the host name within the DHCP table....

Other than AD...what am I missing (static mapping will not work as it changes from day to day with the DHCP pool per VLAN)

Currently we see traffic via Dimension based on IP and look to Firebox to tell us the hostname.


Watchguard list of DHCP leases


Is there a way to see all my current DHCP leases from a WatchGuard XTM 585 device? The "Status report" on the management computer is useless for this function as it truncates the list of leases after 20 or so entries.

Firebox, SSL Website and VPN


Hey,

I'm trying to set up an SSL website behind a Firebox.

It's working really well so far, I added a firewall policy with a domain matcher with an SNAT and it seems to be working just fine.

The problem is now that the firewall policy redirects all traffic going into port 443 to the website, effectively disabling my ability to establish a VPN connection since that is using port 443 as well.

Is there some way to configure the firebox to split those?

Dimension in a VirtualBox VM

Hi,
What the title says... Is it possible to run Dimension in a VirtualBox VM?
I understand that it's not officially supported and/or endorsed, just want to know if someone's done it (and what pitfalls to avoid, if any) before I embark on what might be a long and fruitless experiment.
Thanks
Alex

Dimension Alternative


Hi,

I would like to know if there are any Dimension alternatives out there, preferably free.

When I jumped in the water with watchguard neither their reps nor the reseller I bought from bothered to mention that the report server is crap and had been deprecated for some time. Of course, I didn't even ask about Dimension. Now I know what Dimension is and I'm really not keen on spending a lot of hours setting up a vm environment that I'm totally unfamiliar with (hyper-v or vmware's ESXI) just for this. I would much rather have software that I can just install and get reports out of (mostly interested in intrusion attempts).

The short of it is that watchguard's web site is quite reminiscent of universities' web sites - you only find the information you need if you've been at it for 3 years. See https://xkcd.com/773/

Thanks!

Alex

VPN Gateway with multiple tunnels - only one tunnel works at a time


I have a T30 that I just updated from FW v12.1 to 12.3.1. In 12.1 I used a VPN Virtual Interface and all was good, but that would not come up at all in 12.3.1. WG support suggested building a policy-based VPN instead, which I have done. It is close to working, the only problem being that there are multiple tunnels for the gateway and only a single tunnel will work at any given time. The working tunnel will drop without warning and one of the other tunnels will come up. So I set up a test where I am running

ping -t 172.16.16.4

simultaneously from servers 10.0.2.x and 10.0.3.x

10.0.2 is giving me a response

10.0.3 is not

I then re-key the tunnel for 10.0.3 and it will begin giving a response, but 10.0.2 will stop.

I can go back and forth but can't get both to work at the same time.

Any ideas?


Mac addresses of interfaces Watchguard XTM


Looking everywhere but cannot locate the MAC addresses of the interfaces on our XTM515. Searching online returns a method to change a MAC address but doesn't show/tell where to find the existing one. Connecting to an Arris cable modem that uses Pass Thru for a static IP assignment but wants the MAC address of the interface. Anyone know where to find it?

Watchguard rule for specific email


Is there a way to create a rule for a WatchGuard firewall which will block a specific email address outbound? What we have are numerous CentOS systems which will back up to our backup server. Reports of a successful or failed backup are sent to the former owner of the business instead of the new one. We are still trying to figure out the inner workings of these systems. But for now we want to know if we can create a rule in a WatchGuard firewall which will catch when something is sent to the former owner's email address and instead redirect it to the new owner's email address.

Thanks

Watchguard, how to route traffic through a different gateway...


Hi folks,

Hopefully a simple process... (WatchGuard M300).

eth0 = ISP1. (195.x.x.0 - 255)

eth1 = ISP2. (89.x.x.0 - 255)

eth2 = LAN

I can route any machine on eth2 through eth0 or eth1. That is easy.

eth1 (ISP2) is set up with multiple secondary networks. Anything routed out through eth1 shows as coming from the primary address on that gateway.

How do I set a particular machine on eth2 (LAN) to not only route through eth1 (ISP2), but also route through a secondary network of eth1 (ISP2)?

I can create an outbound policy [from 'JIM PC' on LAN] to [External] that uses policy-based routing [ISP2], but that machine gets the primary IP address shown as its out address. I want to not only point it to [ISP2] but specifically 89.x.x.50, rather than say 89.x.x.2, which is the primary... (I think that makes sense...)

Any help appreciated...

Best,

Jim

WatchGuard & Azure Site to Site VPN - Constant RPC issues at multiple customers


I work in an MSP where in the last year or so our default, at least for smaller customers when a server refresh occurs, has just been:

  • WatchGuard onsite, usually like T35 or T55.
  • Azure hosted VM - DC, File.
  • RemoteApp hosted if possible for LOB Applications that need to be centrally installed/not cloud based already.
  • Site to Site VPN from WatchGuard to Azure, set up as per WatchGuard's guides on this.

Everything is set up and working fine. But then in the last 6 months we have now had four customers all start having similar issues that appear to affect RPC traffic (Domain authentication). The most common symptom will be users on PCs onsite unable to access network drives hosted in Azure.

I have contacted both WatchGuard and Microsoft about this.

WatchGuard claim that because all traffic can get through, rules just say "any" over the BOVPN then...

Weird issue setting up ssl vpn.


Hi, we're trying to set up an SSL VPN on our WatchGuard Firebox. Authentication is in the Firebox itself, so we're not using RADIUS. When trying to connect to the VPN (using the WatchGuard-generated WG-MVPN-SSL client), I'm seeing the following from the client:

2019-02-27T11:53:44.114 Launching WatchGuard Mobile VPN with SSL client. Version 11.11.1 (Build 503995) Built:May 20 2016 14:35:00
2019-02-27T11:54:27.431 Requesting client configuration from X.X.X.X:443
2019-02-27T11:54:29.430 VERSION file is 5.29, client version is 5.29
2019-02-27T11:54:30.461 OVPN:HOLD:Waiting for hold release
2019-02-27T11:54:30.540 OVPN:LOG:1551290070,D,MANAGEMENT: CMD ''
2019-02-27T11:54:30.540 OVPN:LOG:1551290070,D,MANAGEMENT: CMD 'hold release'
2019-02-27T11:54:30.540 OVPN:SUCCESS: hold release succeeded
2019-02-27T11:54:30.540 OVPN:PASSWORD:Need...

https proxy - failed to connect b channel


Having an issue accessing a website at a remote office.   I am getting the following messages.  Same website works from other offices.   Not sure what this means.  Can anyone shed some light?  This is on an XTM T55-W with 12.1.1 OS.

2019-02-27 19:59:08 pxy 0xc0c8a0-1171 connect failed Connection timed out 42: 192.168.20.143:60303 -> 50.19.204.225:443 [A xr] {B} | 43: 50.199.160.161:60303 -> 50.19.204.225:443 [!B c] {B}[P]   Debug


2019-02-27 19:59:08 https-proxy 0xc0c8a0-1171 42: 192.168.20.143:60303 -> 50.19.204.225:443 [A xr] {B} | 43: 50.199.160.161:60303 -> 50.19.204.225:443 [!B fc] {B}[P]: failed to connect B channel   Debug 

DNS Settings


I've been having an ongoing issue for quite a while and haven't spent much time with it but I'm back.

I'm seemingly unable to get internal and external addresses to resolve in the Fireware UI dashboard as well as Dimension.

At one point I had internal clients resolving but not external (Fireware UI Dashboard - "Top Clients" and "Top Destinations"). I believe I had external resolving at one point but then internal addresses weren't and so on. I have the same problem with Dimension.

I assume it's a DNS setting however, using WSM and going to Hostwatch - both internal and external FQDN's show. 

Ideas?


Response denied by Watchguard HTTP Proxy


Reason is: Server response timeout

Method: POST

Host: (company)

Can anyone please give a heads up on how to tackle this issue? Thank you in advance

Watchguard SSO with RADIUS


Hi All

I was wondering if anyone could please assist with an SSO issue I'm having with our configuration.

We have a WatchGuard M470 running 12.3.B580368 and a Windows Server 2012 NPS server. Our WiFi APs are Ubiquiti with a Soft Controller (UniFi AP).

We have SSO working on our WiFi with authentication against our NPS (i.e. people use their AD credentials to sign into the WiFi). And we have this information now being passed to the WG (it comes up in the Authentication List), but they are coming in as either domain\username@RADIUS or email@domain.com.au@RADIUS (depending on what you use when you sign into the WiFi).

When I try to access the internet/services via the WiFi connection, none of my rules match and I don't get anywhere. In the traffic monitor, I can see the connection denied with "Unhandled Internal Packet" because I assume it...

Watchguard Setting for Incoming Traffic


Hello, my company uses a WatchGuard XTM525 at HQ and an XTM25 at the branch office.

I have a problem accessing a website. I need to fill in a form on this website, but every time I send the response, my browser status is stuck on Waiting for..... It's like the web server tries to send some response but it can't pass through.

This problem only happens if my internet connection goes through the WatchGuard, because when I try to bypass it and connect the ISP hardware directly to my PC, the connection to the website is normal.

I checked the traffic monitor in the WatchGuard and didn't find any blocked traffic for this website.

Did I miss some setting in the WatchGuard that prevents incoming connections from reaching the internal network?

Watchguard x20e edge behind ISP/Modem


Hello all,

So currently I am using my WatchGuard to hand out DHCP to my Layer 3 switch. I have VLANs set up so, let's say, on the first 15 ports you will get an internal IP of my home network, and on the other ports you will get an IP on the subnet of my lab environment.

I now want to start learning significantly more about firewalls. I want to see how I can set up this firewall behind my ISP/Modem and still provide everything that I need for my lab environment.

Would love for someone to explain this to me and point me in the right direction. I am fairly confident I can get this set up without too many issues, but it's not something that I have done before.

Purpose is to learn more networking and FW administration. Would love some learning ideas too (preferably in order so each topic I learn helps me get to the next topic, etc.).

Any point in the right...

How to add an external interface without it adding a default route


Hi,

BACKGROUND: We are currently running a WatchGuard with a simple setup: 1 external interface connecting to our SP, and a few trusted interfaces connecting to internal networks. Our default route of 0.0.0.0 has a gateway of our ISP as per the first line in the image down below.

DESIRED CHANGE: We have recently procured some private data connections to a data center to house our servers. We are being handed this connection at Layer 3 (ie, a routed stub network /29, and then a subnet at the data center that will route to/from that connection). From what I can tell, I need to set this as an external interface (which is going to cause me to have to re-examine all my policies and create aliases and whatnot, because now I need to differentiate for any-external..no biggie, just some work).

What I have found is that when I add a new external...
