Channel: WatchGuard

SMB - Access denied - Policy not working


Hi all, hope someone can help.

I've set up a policy (port forwarding), like I did many others, and still get denied access.

As example, AFP - which is working, as well as VPN, Cloud.

For SMB, used ports 137-138-139 and 445, both UDP and TCP.

Deny fromIP to_IP http/tcp 61096 80 0-External Firebox Denied 52 123 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 1033495147 win 8192"

Deny FromIP TO_IP http/tcp 55594 80 0-External Firebox Denied 52 123 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 3640414337 win 64240" geo_src="CAN" geo_dst="CAN" Traffic

Does this only have to do with port 80? Not sure how to read this block.

I did not use the pre-made policy in Packet Filter, I created a custom one forwarding to internal IP of NAS.

Any help greatly...


Fireware 12.5.3 has been released

Watchguard web blocker down this morning?


Any other WG people seeing timeouts to the web blocker service?  Had that set to fail closed, so if webblocker was not responding it would deny the sites.  I had to flip them to allow.  First time I've had that happen.

Reason: service unavailable helper='Webblocker server is not available'

2020-03-27 10:39:05 webblocker categorize_url: curl returned error: Failed to connect to rp.cloud.threatseeker.com port 443: Connection refused Debug 

2020-03-27 10:36:38 webblocker scan_wb: server='Global' is currently inactive Debug


Two WatchGuard T15 firewalls decommissioned 85 days after installation


This is just a "situation" without a simple answer.

We have two air-gapped networks at this small office. The Exchange Server is on one network and the file server and workstations are on the other. No internal connection between the two networks.

These two networks were initially set up on a couple of old Watchguard firewalls that were no longer supported.

On Dec 31, 2019 and January 2, 2020 I replaced these firewalls with T15s duplicating the basic policy properties of the old firewalls.

-------------------------------------------------------------------------------------------------
Firewall 1 lost functions with no recent changes to anything.

85 days later we could no longer receive inbound smtp from our 3rd party email security shop. The messages would build up in their queue. When they switched to a different public IP address in their...

Connected through WatchGuard SSLVPN but unable to ping anything


So I have configured my WG (Fireware 12.4) for SSL VPN. I am testing with a computer at a remote site. I am able to connect over SSL VPN and I am receiving an IP Address, DNS Servers and can even see I am connected on the WG. However I am unable to ping anything at my main site except the IP Address of the Firebox (10.10.10.1/8) or access any network resources. Windows Firewall is turned off on the client, Policies are set up for my SSLVPN Group to Any Trusted. I've tried setting up my VPN on the watchguard to force all clients through the tunnel, allow all access and even explicitly put in my internal IP addresses. I'm running a continuous ping from the remote computer to an internal server in my network (no response) and the traffic monitor is allowing everything, no deny. Has anyone run into this issue before? I tried setting up a dynamic NAT...

WatchGuard L2TP Credential Issue


Some of our remote users who are using L2TP to connect to our WatchGuard M440 are having some issues. The VPN connects just fine, but every time the VPN connects a *Session is getting added to Credential Manager in Windows.

Our users' AD and VPN usernames are the same. When this *Session gets added to Credential Manager after the VPN connects it has the same username. The issue is when anyone tries to open email or access network shares it is using this *Session in Credential Manager to authenticate to AD related items, like email and shares.

Right now I made a bat file that removes the *Session from Credential Manager. So right after someone connects the VPN they have to run the bat file, then they can work.

What do I need to do so this *Session stops getting added to Credential Manager every time the VPN is connected???

Also this is...

Dimension memory usage


Has anyone seen an issue where Dimension wants to use 2x-plus the allocated RAM?

Started getting alerts from Veeam One about memory pressure on my Dimension VM.  It was using a little more than twice what I had allocated, which was 8GB.  Bumped it up to 16GB and it started using 30GB.  Bumped it to 50GB just to see what it does and yep, it was using over 100GB of RAM.

I blew away the VM and recreated it, same issue.  Both Dimension and Fireware are current.

Currently have 4GB allocated and Veeam One shows it using 9.8GB RAM.  However in Dimension itself, Server Management only shows it using 138MB.

Ideas anyone?

Setting up a WG Firebox Cloud in Azure


Hi All

I'm trying to configure a Watchguard in Azure for remote VPN users to use.

I've created this device in a separate RG on a separate VNET. I've got most of it working but am having issues getting the comms to my other VNET to work properly.

If I set up VNET peering, I end up having traffic routing over the "external" interface when I access the other VNET. When I try and ping the internal interface, I'm getting an IP Spoofing error.

So from what I can see it's a routing issue, but when I look up the routes on both interfaces, they both have the peering network in there.

Appreciate if anyone could assist,
Mobile VPN IKEv2 Problems


Beginning of this week I set up Mobile VPN via IKEv2 using the Fireware Web GUI's wizard.

It went fine and worked from a remote Macbook. I ended up updating the M300 Firebox's OS from 11.0.x (can't remember the exact sub-version) to the latest version, 12.5.3. Well, after that the VPN IKEv2 broke. When attempting to connect from a Macbook, the laptop would say user authentication failed. The Fireware Web GUI traffic monitor would show something along the lines of "ike cert chain failed".

I tried removing the "WG IKEv2" profile in my Macbook's System Prefs Profiles and then removed the "WG IKEv2" setup under System Prefs Network, then re-added it from a newly downloaded "WG IKEv2.mobileconfig" from the Firebox. Still the same issue.

So I tried disabling IKEv2 in Fireware Web GUI and re-launching the wizard. Now when I get to the end of...

Watchguard SSL and L2TP/IPSEC VPN always drop at set time


Good Day

Have a Watchguard T30-W box which is closing user SSL and L2TP/IPSec VPN sessions after 7 hours and 36 minutes.

This applies to all users and doesn't matter what time. Login time is irrelevant.

The solution is to reconnect the VPN, which makes this a tiny pain versus a show stopper; but I've been looking into the why.

I've dug through the firewall logs and see it happening consistently (more so now that a lot of people are working remote).

The VPN logs look correct with the user logging in, and then logging out 7 hours and 36 minutes later. The only reason I've noted it is that more than one person is reporting the same sort of scenario, getting kicked out and having to log back in. I.e. if everyone logs in around the same time, then they all get booted at the same time, which causes me grief with large groups of annoyed people :-)

A...

T30-W Upgrade path - recommendations?


Good Day

Have a T30-W which I'm looking to upgrade.

It's used in a small office with at most about 10 users, acting as a wifi access point, and provides access for 5 concurrent VPN users.

The main reason for upgrading is pitiful throughput performance with HTTPS content inspection enabled.

It was so bad that I had to turn it off. NOTE: When I turn HTTPS content inspection off, the watchguard override web page functionality no longer works (the watchguard based DNS web filtering), which requires you to attempt to connect via HTTP first, type in the override password, and then change HTTP to HTTPS within the web browser.

With 1 user active, pages that normally took 5 secs were taking much longer (sometimes 60+ seconds to load). Adding 5 concurrent users into the mix and there was rioting.

As a test, late at night while no one else was active, I went...

Firebox SSL VPN Slow


Hi Folks, 

We are using a Firebox SSL VPN which was set up for us so the staff can access the network file structure outside of the office - it works fine when one or two people are connected. But when 13 people are connected it seems to run very slow - our staff are not working with large file transfers either.

Can lots of idle connections slow the VPN down? 

What steps can be taken to improve the VPN?

Thanks

Exceptions to Tunnel All VPN


Has anyone tried (and succeeded) setting up a Tunnel All SSLVPN with WatchGuard and then creating specific exceptions so those routes can go out using the local ISP GW instead of the SSLVPN tunnel?

I'm reviewing some Microsoft guidance on the topic (https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-office-365-optimizatio...) but thought I'd reach out to the community for their experience...

Looking to make exceptions for traffic such as Streaming Media, Zoom/Google Meet, Etc..

Edit: I did put in a Support Ticket with WatchGuard.

IKEv2 Split Tunneling on Watchguard / Windows 10


I have a Watchguard M300, sitting in front of a Windows Server 2016 network. All my users are on Windows 10. My level of knowledge on this is....average!

Up until a week ago, all my users were connecting in using the native WG SSL VPN client. We've had this in place for years. Most staff worked from home sporadically, with at most 2-3 concurrent users. With recent events, I now have up to 15 concurrent users and have started to see poor performance via SSL.

Decided to roll out and assess IKEv2. Initial feedback was positive and the connection seems to be more robust than SSL.

However, I hadn't realised that by default ALL traffic is routed through the Firewall. On the SSL config, we had "Force all client traffic through tunnel" disabled.

As one example, we're using Teams, so now all our staff video conferences are going...

BOVPN tunnel blocking packets one way.


I have a tunnel between my hospital and another that we routinely send DICOM images to.  Today they decided that they wanted to send some to us.  To me this should be fine as I set up the tunnels to be bi-directional, but my M500 running 12.5.2 is blocking "Unhandled external packets":

FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=acr-nema/tcp, src_ip=10.201.250.54, src_port=61285, dst_ip=10.202.240.66, dst_port=104, dst_ip_nat=172.20.50.251, src_intf=Tunnel-PVFWR, dst_intf=1-Trusted, rc=101, pckt_len=52, ttl=122, pr_info=offset 8 S 3158299849 win 32, 3000-0148
Yes, I have port 104/tcp open for both directions.

User count exceeded from Optional Interface


I have an XTM330 which I wish to use to create a DMZ to provide public Wifi separate from the internal network.

I have created an optional network and created a static route to the external router, however traffic from the optional interface is being denied with a User Count Exceeded message.

Cannot connect to XTM 2


Hi there.

I've recently decided to start up an XTM series 2 for my home firewall. After factory resetting the box, I'm getting no signal on the PC. I've also noticed that the eth1 port is not flashing on the back of the box, even though it is connected to the PC.

I'm wondering if anyone has any idea on how to connect my PC to the XTM?

Watchguard SSL VPN - Different Groups to Access Different Resources Plus MFA


So to start off, my question is exactly that of this post here, except that I'm using MFA and multiple domains:

https://community.spiceworks.com/topic/2207990-watchguard-ssl-vpn-different-groups-to-access-differe...

So basically I have a WatchGuard SSLVPN client that uses RADIUS authentication for Duo MFA. I have the need to separate users into groups and allow them access to different resources. Things to keep in mind:

  1. The user groups are in separate AD domains
  2. Both user groups need to use MFA when accessing VPN.

I know this is a stretch, but has anyone configured something like this on a WatchGuard device, in particular on a single SSLVPN - multiple domains and MFA?

Watchguard BOVPN DHCP\DNS


I'm going to be setting up another office with 40 people using an m270 at the BO and m370 at HQ. Normally when I set up home offices, I use dhcp on the firewall and public dns servers. I then add my domain in the forward dns queries tab.

This seems to work fine, but this new office will have more people and more devices than my others, so I would prefer that the computers, which are all domain joined to my DC at HQ, get their IP address from the HQ DCs\DHCP servers instead and use those DNS servers as well. Thoughts on this?

Also, it seems a lot of work to set up firewalls at all locations; is there a way to send all traffic through the tunnel so the m270 wouldn't need its own web filter policies, content inspection certificates, total subscription service, etc? I know Sophos does something like this with their RED box. Concast did say...

Fail to get application identification information for connection?


T35-W  Fireware 12.5.2

I'm seeing a message in the logs that I can't find any documentation for.  Having problems with this particular website, but I'm not sure what this error message means:

2020-05-18 13:16:46 pxy 0x127cbe00-7400 fail to get application identification information for connection'-1: 10.0.1.43:62910 -> 74.217.0.xxx:443 [~!A xrs] {N} | -1: 74.94.236.xxx:62910 -> 74.217.0.xxx:443 [!B] {N}[C]', error='Bad file descriptor Debug

Any ideas?  The Watchguard tech search and my google-fu have failed me.  :(
