Channel: WatchGuard
Viewing all 1338 articles

Watchguard Firebox Allow PDF Attach files in Email proxy

Firewall Policy POP3, SMTP, IMAP Proxy Edit Proxy Action Attachments Add
application/octet-stream=Pattern Match
application/pdf=Exact Match

Tested: it works for WatchGuard Firebox M400





Gateway Wireless Controller and old WAPs

Watchguard Branch Office VPN with VLAN and DNS

I have several small satellite home offices with mostly T70 and T30 units plus m370 at HQ. Typically I'll have things set up as shown below where the Home vlan is for their personal network and Trusted vlan has a vpn back to hq.

Is this the best way to configure the branch office network? How would you typically set this up? Users have mentioned reliability issues with the wifi going down. I looked at the AP settings and it uses the DNS servers across the VPN at HQ so I think this may be part of the problem. I don't want no internet at hq to affect branch offices.

VLAN 1 - Trusted - 192.168.100.254/24
DHCP Server 100.1 - 100.100
DNS myhqdomain.local, 192.168.168.254.1, 192.168.254.2 (IP addresses across BOVPN at HQ)
Gateway - Use Interface IP
Interfaces 5,6,7


VLAN 5 - Home - 192.168.50.254/24
DHCP Server 55.1 - 55.100
DNS home.local,...

watchguard VPN duplicate routes

We have a server behind our warehouse firebox.  We connect to a lot of healthcare facilities firewall of all different brands and types so we cannot control their subnet at all for phase 2 and need to use what they supply us so they can transfer images to us.

Issue is I have 20 different facilities and this is now starting to happen where a new facility we need to connect with has the same phase 2 subnet as another facility we are already connected to.

error:   BOVPN tunnel route :10.254.90.181-10.0.0.0/24 duplicates a route that already exists in BOVPN tunnel

10.0.0.0/24 is used by another tunnel already.

We use a unique gateway for each since each facility is a different company completely

What can I do here?

Watchguard t10-w enable builtin wireless

I would like to enable the builtin wireless to be on the same network as the LAN. I am a noob to Watchguards so I have no idea what I'm doing. Any tips would be great. 

How to bridge 2 physical switches - watchguard

Hello,

My organization has been using a WatchGuard Firebox T30 for a couple of years.

The WG is connected to a Comcast router in the WAN port. It is in mixed routing mode.

We have 2 switches, all the organization computers, printers, etc are split between the switches.

The WG was configured using a trusted internal interface on port 1 and a bridge on ports 2 and 3.

Somehow this stopped working last week and now I can't get the LAN to be unified again.

I only have access to the WebUI and have very little experience with network configuration.

The DNS server is supposed to be hosted by a server on the LAN but I don't know how to check if it works.

The main problem right now is that the computers on switch B can access the internet, the server, the WG but not the devices on switch A. The devices on switch A don't have access to internet nor to...

Can I whitelist incoming email domains with SpamBlocker ?

Using SPAMBLOCKER, can I white-list incoming email domains if necessary ?  Some corporate senders use unique automated email addresses for sending monthly documents to their customers for example. We currently have SpamBlocker but haven't been using it.  But I need to make a change. Our current cloud service provider has been sending NDRs to Citibank, American Family Insurance and others causing me headaches.

   

Can I use WatchGuard with SpamBlocker as a 'remote' email security filter ?

I don't want port 25 visible to the world at my business facility where we have an Exchange Server.  Can I use a WatchGuard Firewall with SpamBlocker connected to a separate ISP at another facility and have it forward filtered email to the Exchange server here ?  Preferably without a VPN between the facilities. ie. can a Watchguard SMTP Proxy send to another public IP address ?


Watchguard Connect to SSLVPN Client

We have a Watchguard M200 with the SSL VPN configured. I'd like to be able to connect via SMB and WMI to these clients while they are connected to our network via VPN. The goal is to be able to inventory these computers with PDQ Inventory and deploy to them with PDQ Deploy while they are connected.

All SSL VPN users are pulled from an AD group. We have a subnet 192.168.113.0/24 that is used just for VPN clients.

I've added a rule to allow from Any-Trusted (I'll lock this down further after I have it working) to the subnet above as well as the SSLVPN-Users AD group (firewall-type and SSLVPN-type) for ports TCP/UDP 445, UDP 137-138, and TCP 139 (just starting with the SMB rule), but don't seem to be getting anywhere.

This is the error I'm getting, which seems like the firewall is denying the traffic because it doesn't know what...

Watchguard - redirect query of FQDN to local source

Hi everyone,

Watchguard Firewalls are still virgin soils to me. My question here is:

Is there any way to redirect queries for e.g. 'one.example.com' to a local source in our network? The destination ip is reachable through ping/tracert, so routes are fine, I guess. But the DNS resolution is another story :(

Is T15 sufficient for small law office of 6 users?

Hi,
Due to cost, I'm leaning on a 3yr T15 with total security for a 6 person office.
WG recommends T35 but that shoots my cost up nearly 2x.

I have a 20mg fiber connection coming in, basic law firm internet use, research, browsing, nothing with heavy demand that I know of. 5 daily users on desktops, 1 user present on and off with an ipad mostly and desktop.

Remote client blocked after being listed as exception on firewall/blocked sites

WatchGuard T15 - Using the Web UI, we have had more than 1 remote client be added to the  /dashboard/system/blocked Sites, even after their public IP is added to the  /Firewall/Blocked Site Exceptions list.

This happens when the client is accessing our internal Exchange Server from a remote network using  their phone-on-wifi, from Windows-10 mail and then using OutlookWebApp all from the same network.  The first two clients are using Exchange Active Sync and sync on their own, The OWA user finds they cannot reach the OWA page because their public IP is on the System/Blocked Sites list (with a 20 minute time out) that is perpetually starting over.

How is a remote client being added to the System/Blocked Sites list when they are listed as an exception in the /Firewall/Blocked Site Exceptions list?

VPN between two watchguards on same subnet

Hello All,

We have a datacenter, a client has two separate rooms located 90meters apart.  A request came through the two rooms need to talk to each other, over a VPN.

I can link both rooms via an ethernet cable and connect a WatchGuard M300 at each end.

Would a BOVPN VPN work?  Can you create a VPN over an ethernet connection, when both IP ends are in the same subnet?

Thanks very much

Jas

Watchguard VPN connections - limits to retry attempts

Hi,

Just wondering if anyone knows - is there a settings\restriction within the Watchguard firewall whereby if a user connects to the VPN and then disconnects (for even a second) there is a delay in the time it will allow them to attempt a re-connect? Likewise if they are unsuccessful is there a setting to manage this? I'm trying to fault diagnose and I'm just wondering if I am getting a red herring on this due to restrictions on reconnect attempts?

Thanks

Static NAT Redirecting Traffic to WatchGuard Device, not NATted IP

Like many others, I'm trying to set up a way for my remote users to temporarily access our internal resources while they work from home. To avoid them having to install the VPN client, I've set up a Remote Desktop Gateway to be accessed from a public address.

By default, the RD Gateway login page wants to use port 443. We also have a regular website on a different IP that serves our web site with HTTPS traffic on 443, another few IPs that we do VoIP traffic to remote phones over 443, plus the WatchGuard SSL VPN.

I've set up a static NAT with port 443 that points the external IP to the internal IP. However, when you try to access that site, it brings you to the WatchGuard login site to download the VPN client. It ignores the rule.

I had a similar problem when setting up the VoIP connection not too long ago, and it had to do with policy...


New to Watchguard - need help with firewall policies

Hey all,

I'm working on evaluating the WatchGuard product line to see if it will fit with what our company is looking for and I'm having a difficult time setting up one to one nat so I can make an internal website accessible by a static IP (other than the WG IP). I have achieved this before with an Edgerouter but the WatchGuard interface is throwing me for a loop.

I tried following the WatchGuard instructions for one to one nat but their firewall section has to do exclusively with SMTP traffic when mine is purely HTTPS and HTTP. Any insights are greatly appreciated!

Office 365 MFA being blocked on WatchGuard Firewall

I've recently disabled the Outgoing policy on our WatchGuard firewall and now our Office 365 MFA approval notifications are being blocked if the mobile device with the Microsoft Authentication app is connected to the Wi-Fi. If the mobile device is using the mobile data/4G network it works fine.

If I enable the Outgoing policy it works fine again, so it's definitely something to do with the Outgoing policy that is blocking it, even though in traffic monitor I can see it being Allowed through the default HTTPS Proxy.

Does anybody know what's blocking this or what the recommended settings are?
FW v12.5.2.B609628

Many thanks.


Watchguard Cloud WIFI, Guest Network and MPLS Network

I was wondering if anyone can help me out.

I have a Watchguard Cloud WIFI AP and I want to make it into a guest network. I have set up the AP with a VLAN and NAT IP address information and then I set up my Aruba 2930F switches with the same VLAN ID and tagged the correct port but it seems the traffic can not bypass the default gateway on my Watchguard WIFI.

The goal is to have the Guest Network go from the AP location, down the MPLS network and out a Watchguard Firewall on the other side of the MPLS network which is where my internet comes in.

Watchguard SSL VPN and Virgin Media (UK) and a WFH nightmare

Ok, this one's doing my head in.

Have an existing M270 set up at client site, SSL VPN has been in place for years. All been working fine up until yesterday.

All remote PCs are Win 10 Pro, fully patched. VPN SSL Client 12.5.x

All PCs connect to the VPN. When a user tries to connect to the RDS Server they use (there are 4, depending on people's roles) using Remote Desktop Connection everything is fine. APART FROM all the people that are using Virgin Media as their ISP where the RDC connection fails, saying it can't find the server.

Pinging the server gives a 92.something or other address which resolves to an ad company in Belfast called barefruit.co.uk

Ok, say I, they've done this crap before (and they have) and the solution at the time was to turn off the "Advanced Network Error Search" via https://my.virginmedia.com/advancederrorsearch/ and...

Firewall not working in bridge mode on XTM 22

Hi Watchgurus

I've recently acquired an old/legacy Watchguard XTM 22 for use on a small network for the purpose of adding some simple firewall policies.

Not wanting to make any changes to the internal LAN, I've put it in bridge mode so that it looks like this

[world]---[xtm22]---[internal LAN]

and set up the policies under firewall using the firewall XTM web UI.

However, I've tested a simple deny Ping policy to block ping from internal going to the outside world and it isn't working. It appears the switch is simply blindly switching the traffic in transparent mode without doing any packet filtering.

The WG is running Fireware 11.6.8.B451352.

I've seen some document stating that firewall in bridge mode requires use of Application Control, but the device is discontinued and I am no longer able to subscribe to that service - not to mention...
