Channel: WatchGuard
Viewing all 1338 articles

Restricting the Allow SSLVPN-Users Policy


I'm wanting to lock down my VPN users a bit. We have several 3rd parties that login to our network for billing and such. Currently, the "Allow SSLVPN-Users" policy is set to "SSLVPN-Users (Any)" allow access to "Any", which gives them access to VLANs and such that some of my users here on the internal network don't even have access to.

I've created a set of groups for all of the categories of remote users I have, then I've created a corresponding set of policies giving each group or groups access to the resources on my network that they might need, as well as some external URLs they'll need to access that are only accessible coming from our external IP address. I've set those policies high in my order list.

Is it safe to edit the "Allow SSLVPN-Users" policy to explicitly deny access to basically everything now? Since I have policies up...


WatchGuard Multiple Public IPs on one Interface


I just found out from our ISP we have multiple IP blocks assigned to our fiber connection.

We are also looking at bringing our websites and our dev/testing websites in house to save money. Now before I get some feedback about bringing websites in house, first this is only temporary, our company is in the process of building out a data center with the proper redundancy in place. Once that is done the VMs will be migrated there.

But in the meantime here is what I am looking for help with. I am going to use internal IPs as my "public IPs" for the sake of this forum.

I have a WatchGuard M440. Right now I have two IP blocks from my ISP. 192.168.7.1/28 and 10.10.10.1/28. Right now I am using the 192.168.7.1/28 IP block on my external interface on the WatchGuard. The 192.168.7.1/28 block is also being used for site to site VPNs as well as our...

Watchguard SSO requirement \ exceptions


I have the SSO Agent and SSO Client installed and set up. All seemed good so far and then I went to enable SSO on the firebox and noticed the exceptions section. According to the docs:

If your network includes devices with IP addresses that do not require authentication, such as network servers, switches and routers, print servers, or computers that are not part of the domain, if you have users on your internal network who must manually authenticate to the Authentication Portal, or if you have terminal servers for the Terminal Services Agent, we recommend that you add their IP addresses to the SSO Exceptions list.

Each time a connection attempt occurs from an IP address that is not in the SSO Exceptions list, the Firebox contacts the SSO Agent to try to associate the IP address with a user name. This takes about 10 seconds. You can use...

WatchGuard + Panda Security


In June 2020, WatchGuard acquired Panda Security, enabling customers and partners to consolidate fundamental security services under a single umbrella. WatchGuard's endpoint security services have traditionally focused on securing users off-network using DNS-level protection and multi-factor authentication. But with Panda's endpoint security platform, we've added endpoint protection AV services and innovative EDR capabilities. With the integration of Panda Security, WatchGuard will now be able to offer a full portfolio of user-centric security products and services.

Designed for maximum protection with minimal complexity, the company's flagship product, Adaptive Defense 360, is designed and packaged to take the guesswork out of endpoint security.


You can read more about our new solutions and Early Access Program here: ...

New WatchGuard T-series Fireboxes released!

WatchGuard Model Upgrade


I am looking into doing the WatchGuard trade up program to go from the M440 to the M470. This will allow us to go to a newer model and save a few thousand along the way.

But I am still new to WatchGuard. Is it possible to just take the config from the M440 and import it into the M470? From the looks of it the M470 has fewer Ethernet ports than the M440, but I am only using the first three ports on the M440.

The M440 is also the VPN gateway for 90 people, and we are using SSLVPN. I want to make sure if I move to the M470 there won't be any issues with the VPN users.

Firebox SNAT Issue


Hi All,

I am trying to configure port forwarding for an RDS server on a Firebox M200 with firmware 12.5.3. I have created a SNAT with a member of the external interface IP address to the internal IP address of the RDS server, and I am also setting the internal port here to 443. I have then created a firewall policy that listens for traffic on any external interface on port 4443 and sends it to my SNAT rule.

When I am testing a connection I can see the connection is allowed in the traffic monitor and it claims it has been forwarded to the internal IP address with the new port value set, but I cannot see the traffic received by the internal server when monitoring incoming connections there.

It seems like the SNAT is not actually applying or sending the traffic to the right place.

I'm not sure if it will make a difference but the...

Firebox ssl vpn not doing anything when trying to connect


I'm trying to log into the VPN and when I click "connect" nothing happens: no logs, no event, nothing.

Anyone have any ideas?

Windows 10, firebox ssl v. 12.5.2


Non-domain computer not being assigned an IP address


Hello -

I inherited a small business network configuration and I'm stumped as it relates to the problem described below and would really appreciate any thoughts people may have.

The network sits behind a Watchguard firewall appliance with an on-premises DC server that serves as the AD host, DNS host and DHCP server (running on Win Server 2012 r2). I upgraded all of the workstations from Win 7 to Win 10 this week with no problems (including adding a few brand new machines to the network - some with the same computer name as existing boxes that I was replacing and at least one with a brand new computer name in AD). Finally, today, I tried to connect a non-domain computer to the network by ethernet but was unable to get the DHCP server to provide an IP address. I tried resetting winsock and netsh from CMD prompt, tried uninstalling and...

New Fireware 12.5.4 released

VoIP and failover on WatchGuard T-15W


Hi All,
I've just set up failover on our Firebox T15-W. The failover device is a Netgear Nighthawk MR2100 4G router. I've set up the Nighthawk in Modem mode and configured the interface type on the Firebox as external with DHCP configuration mode on port LAN 2, and also configured link monitor etc. When I disconnect our ADSL line by unplugging the Ethernet cable from the WAN port on the Firebox, the Nighthawk modem kicks in instantly and we have connection to the internet. However, the only thing that doesn't work is our VoIP phone, both incoming and outgoing.
Are there any additional rules that need to be set in the firewall policy?

Any help would be much appreciated.

Watchguard 11 concurrent logins can't be changed for ad group


Good Day,

Using Fireware XTM850 with Fireware XTM Pro, OS version 11.10.2 (Build 484746)

We've got SSL VPN users authenticated via Active Directory working, however we've recently stumbled upon a snag.

The VPN users have taken to sharing their credentials with each other, so we want to limit their SSL VPN logins to a single session.

Problem is, when we try to do this on the WatchGuard, we get an error saying it can't be done.

Anyone know how to fix this?

Watchguard, Multi-WAN and MPLS


We have a Watchguard M470 at our main office*, and a MPLS setup to our other sites.

Currently, our satellite sites are all set up to route back to the main office, and out through the WG. Needless to say, it's a bit of a bottleneck. We're in the process of upgrading internet at all our sites (each will get its own firewall), and I'm wondering if there's a way to transition over without disrupting too much.

So let's say the current ISP IP is w.x.y.z. All the MPLS sites are connected together, and route out through that external IP. Our new service is a.b.c.d.

Is there a way to connect both so that all the MPLS sites can still see the main and each other and route internal traffic on w.x.y.z, but route internet traffic out through a.b.c.d?

And does any of this make sense? It's a weird setup, and I'll be happy when it's simplified soon.

...

VPN with no user interaction


Would love to see WatchGuard offer an IKEv2 VPN option that used certificates to authenticate instead of username/password combos, but in the meantime has anyone been able to push out credentials to clients? iOS and Win10 specifically.

Watchguard Firewall, Any way to auto-block by geolocation?


We have an M370.

We have certain ports open for a few particular devices that require access from the outside world. I have these under GeoLocation control, but I still get log messages when people try anyway (Russia...). I need logging for these ports to help detect issues as well as to verify things are working, but I don't want to get inundated with denies popping up from them getting blocked by geolocation.

Is there a way to auto-block the IPs when they attempt to connect? For instance, I have a demo honeypot rule that auto-blocks the IP of anyone trying the default 3389 RDP port.

Do I need to somehow make a 2nd rule for this? (i.e. rule 1 to allow if in the US, and rule 2 to autoblock anyone else trying?)


AES-GCM BO-VPN performance of Watchguard M270


Hi,

Does anyone have any real world (or even lab) values for M270 AES-GCM branch office VPN throughput? I'm happy with either 128 or 256-bit encryption.

I'm connecting over a 1Gbit line and can get only ~7Mbps throughput and cannot really say if the problem is the M270 or the FortiGate on the receiving end.

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/ipsec_alg... states that "If you specify AES-GCM in your BOVPN or BOVPN virtual interface configuration, you might see performance increases on Fireboxes without a hardware crypto chip "

Not sure if the M270 has a dedicated crypto chip, but the statement paints a picture that using AES-GCM should still be at least on par with AES-CBC.

Vendor requires phone call with a WatchGuard rep in order to quote pricing


We are looking for a quote for a new WatchGuard firewall from our vendor. We know what we need and asked our account mgr to send us a quote, but this is the first time he told us we need to have a discussion with a security resource or a WatchGuard rep before they can get pricing.

Just wondering if this is normal? I don't mind getting on a call, but in my experience we usually don't get much out of them that we don't already know unless it's an item we have no knowledge or experience with.

Watchguard OSPF Troubleshooting


Any WatchGuard Firewall experts out there? We have some firewalls set up with OSPF to redistribute routes across our WAN. I'm trying to do some troubleshooting to understand how a preferred route is being calculated. All the documentation I find online is for Cisco commands, such as sh ip route or sh ip ospf neighbour, that shows where routes have been learned from. However, the same command on WatchGuard doesn't do that; it only lists local routes.

New Fireware versions available


Latest Software Releases as of 08/20/20:

- Fireware v12.6.2 for Firebox T20, T40, T80, Firebox M270, M370, M470, M570, M670, M400, M500, M440, M4600, M5600, Firebox Cloud, FireboxV

- Fireware v12.5.5 for Firebox T10, T15, T30, T35, T50, T55, T70, Firebox M 200/300

- Fireware v12.1.3 Update 3 (for XTM appliances)

For DNSWatch users, what has your experience been like?


I used DNSWatch in its infancy and it went down once, killing my biggest client's Internet access, and I have not used it since then. I want to try again starting with my home office as my testing ground, and I'd like to hear what your experiences have been with it.

How does it stack up to your previous filtering DNS, if any, such as OpenDNS, CleanBrowsing, etc.?

Gregg
