Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.
Course Of The Month
8 days, 4 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
WatchGuard
8
Solutions
37
Contributors
Network threats can come from anywhere, at any time, and can take you down before you even know they’re there. Uniquely architected to be the industry’s smartest, fastest and most effective network security products, WatchGuard solutions put IT security pros back in charge of their networks with widely deployable, enterprise-grade security and threat visibility tools suitable for any organization, regardless of budget, size, or complexity. WatchGuard has deployed nearly a million of its integrated, multi-function threat management appliances worldwide, to businesses that range from SMEs to large distributed enterprises.
Share tech news, updates, or what's on your mind.
Good Day,
We have a WatchGuard XTM-22 at one our schools and it is not working - we have no internet access for any device on our network.
Here is the setup for this unit:
Port 0 - Main internet feed
Port 1 - to our internal network
Port 2 - Mgmt
Port 3- Another internet feed DSL
Port 4 - unused
Port 5 - Another internet feed DSL
(We have very limited / poor internet speeds available in this remote community. The IT Consultant before we took over was able to configure the unit to use the internet feeds from Ports 0 and 5, which is all that could be used at the time. Port 3 feed is redundant and can be used as a backup for port 5 by switch cables).
Right now, here is the status of the lights on the front of the WatchGuard unit, going from left to right:
Failover: Flashing green
WAP: Off
Ports 5,4,3: Both Link and 100/1000 lights off
Ports 2,1,0: Both Link and 100/1000 lights flashing green in unison
Status: Solid Red
Attn: Solid Orange
Mode; Flashing Green
Power: Solid Green
I have tried to connect my laptop via RJ45 cable directly to Port 2 to access the unit, but there is no activity on this link and I don't get a DHCP address. Web browser access to both the external IP and internal IP addresses won't work either.
Any suggestions on what is causing this problem? I have no experience with this particular unit and the network setup is quite convoluted - five VLANs. I think there is a backup config file from about a year ago.
…
We have a WatchGuard XTM-22 at one our schools and it is not working - we have no internet access for any device on our network.
Here is the setup for this unit:
Port 0 - Main internet feed
Port 1 - to our internal network
Port 2 - Mgmt
Port 3- Another internet feed DSL
Port 4 - unused
Port 5 - Another internet feed DSL
(We have very limited / poor internet speeds available in this remote community. The IT Consultant before we took over was able to configure the unit to use the internet feeds from Ports 0 and 5, which is all that could be used at the time. Port 3 feed is redundant and can be used as a backup for port 5 by switch cables).
Right now, here is the status of the lights on the front of the WatchGuard unit, going from left to right:
Failover: Flashing green
WAP: Off
Ports 5,4,3: Both Link and 100/1000 lights off
Ports 2,1,0: Both Link and 100/1000 lights flashing green in unison
Status: Solid Red
Attn: Solid Orange
Mode; Flashing Green
Power: Solid Green
I have tried to connect my laptop via RJ45 cable directly to Port 2 to access the unit, but there is no activity on this link and I don't get a DHCP address. Web browser access to both the external IP and internal IP addresses won't work either.
Any suggestions on what is causing this problem? I have no experience with this particular unit and the network setup is quite convoluted - five VLANs. I think there is a backup config file from about a year ago.
…
1 Comment
I have an Exchange 2013 server behind a WatchGuard M200 Firewall. Both have appropriate SSL certificates installed, and the WatchGuard is configured as an SMTP proxy.
Everything works brilliantly, except, email from two domains is not received. Everyone else works absolutely fine. I am unclear why.
On the Exchange end, the logs for working emails end like this:
However, for two domains, the conversation ends like this:
It looks as though the sender has been given permission to go ahead with sending their message, and then not done so. However, the message is attempted a few dozen times, about ten minutes apart, before the sender gives up.
On the WatchGuard end, there is one difference between how senders show in logs.
For the working senders, I see lines for both 'ProxyMatch, ProxyAllow:’ and then ‘ProxySMTPReq’, however, for broken senders, I see just ProxyMatch, which is not followed up with ProxySMTPReq.
One of the broken senders is coming from Office 365, however, so are dozens of other senders, so I don't think the issue is there.
Any advice?
Everything works brilliantly, except, email from two domains is not received. Everyone else works absolutely fine. I am unclear why.
On the Exchange end, the logs for working emails end like this:
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
,Proxy destination(s) obtained from OnProxyInboundMessage event
"250 2.6.0 <CALsXffyfLq_=XyviTgL9AFYCZ0T2UBBFq8rH5ppQoBzSKUSO3Q@mail.gmail.com> [InternalId=85388244811933, Hostname=EXCHANGESERVER.DOMAIN.LOCAL] Queued mail for delivery"
QUIT
221 2.0.0 Service closing transmission channel
,Local
However, for two domains, the conversation ends like this:
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
,Local
It looks as though the sender has been given permission to go ahead with sending their message, and then not done so. However, the message is attempted a few dozen times, about ten minutes apart, before the sender gives up.
On the WatchGuard end, there is one difference between how senders show in logs.
For the working senders, I see lines for both 'ProxyMatch, ProxyAllow:’ and then ‘ProxySMTPReq’, however, for broken senders, I see just ProxyMatch, which is not followed up with ProxySMTPReq.
One of the broken senders is coming from Office 365, however, so are dozens of other senders, so I don't think the issue is there.
Any advice?
I've got a Watchguard 500 series at the main office and a 2 series at a home office. I've needed to setup a VPN between the two devices to get an IP phone to function properly.
With the current home office setup I have one interface set as 'external' and connect the cable modem directly here. Then I have a 2nd interface as 'trusted' which connects to the users home router. The phone and computer connect to the home router and the VPN works fine.
At the new home office location however the home equipment is a cable modem/router combo - so I have no dedicated WAN port - just 4 LAN ports.
Maybe I'm over thinking this but I'm stumped on how to configure this with the different home router/cable modem combo.
I've been using 'mixed' mode and am wondering if I need to be using 'drop in' mode - ?
With the current home office setup I have one interface set as 'external' and connect the cable modem directly here. Then I have a 2nd interface as 'trusted' which connects to the users home router. The phone and computer connect to the home router and the VPN works fine.
At the new home office location however the home equipment is a cable modem/router combo - so I have no dedicated WAN port - just 4 LAN ports.
Maybe I'm over thinking this but I'm stumped on how to configure this with the different home router/cable modem combo.
I've been using 'mixed' mode and am wondering if I need to be using 'drop in' mode - ?
Set up Watachguard BOVPN and seems to connect yet not traffic is being passed. See attached
BOVPN.JPG
BOVPN.JPG
I have a watchguard M400 (Fireware XTM 11.10) Firewall/Router with about 14 Branch Office VPN'c coming into it. We have a new software these BOVPN's need to access. There are two application servers running the software. I would like to load balance the connections to these servers. Can someone point me in the correct direction?
Recently we added a new TPG IPVPN Connection (MPLS Network with Hosted Firewall) to eth2 on our watchguard but cant get it to work properly (see attached picture)
For some reason i cannot ping any Sydney LAN IP Addresses (on 10.50.2.0/24 network) from QLD Office to Sydney Office.
What do i need to enable / configure on the wathguard so i can ping internal lan addresses from qld office ?
QLD Office LAN is on 10.4.26.0/24 network.
Sydney office LAN is on 10.50.2.0/24 network
From QLD office I can ping 210.10.228.14,210.10.228.1
Sydney Office Watchguard Configuration is as follows:
I have 3 interfaces setup on my Watchguard x750e firewall with following parameters:
Eth0: IP: 210.10.228.14 (External) - This is connected to a ISP Managed Cisco 1900 Series Router. This is a routed subnet services TPG NBN Conneciton.
Gateway: 210.10.228.13
NetMask:255.255.255.252
Eth1: IP: 10.50.2.90 (Trusted)
Netmask: 255.255.255.0
Eth2: IP: 10.252.0.6 (External) - This is connected to a TPG NTU and is a IPVPN Connection. This also requires RIPv2 and has dynamic routing setup.
Gateway: 10.252.0.5
Netmask: 255.255.255.252
Dynamic Routing Configuration:
1. Enabled Dynamic Routing is enabled.
2. Enable RIP is enabled
Rip Configuration :
router rip
network 10.252.0.4/30
network …
For some reason i cannot ping any Sydney LAN IP Addresses (on 10.50.2.0/24 network) from QLD Office to Sydney Office.
What do i need to enable / configure on the wathguard so i can ping internal lan addresses from qld office ?
QLD Office LAN is on 10.4.26.0/24 network.
Sydney office LAN is on 10.50.2.0/24 network
From QLD office I can ping 210.10.228.14,210.10.228.1
Sydney Office Watchguard Configuration is as follows:
I have 3 interfaces setup on my Watchguard x750e firewall with following parameters:
Eth0: IP: 210.10.228.14 (External) - This is connected to a ISP Managed Cisco 1900 Series Router. This is a routed subnet services TPG NBN Conneciton.
Gateway: 210.10.228.13
NetMask:255.255.255.252
Eth1: IP: 10.50.2.90 (Trusted)
Netmask: 255.255.255.0
Eth2: IP: 10.252.0.6 (External) - This is connected to a TPG NTU and is a IPVPN Connection. This also requires RIPv2 and has dynamic routing setup.
Gateway: 10.252.0.5
Netmask: 255.255.255.252
Dynamic Routing Configuration:
1. Enabled Dynamic Routing is enabled.
2. Enable RIP is enabled
Rip Configuration :
router rip
network 10.252.0.4/30
network …
Been battling this for 2 days.
Sat morning at 6:30 am was receiving email from filter service Fusemail to server. At 7 am noticed emails being deferred and building up in a queue on Fusemail Portal. Nothing changed in these 15 minutes. Fusemail's portal says "error reading banner" on public IP of server and the remote. OWA mx record.
I have done the following to troubleshoot,
Rebooted several times.
Recreated default receive connectors,
Looked thru the IIS system, no issues.
Exchange 2010 IS sending emails as normal.
Double checked the MX records for Fusemail, They are accurate,
Entered the ip addresses of Fusemail servers in the Watchguard T30 FIrewall box to send mail to port 25 (they were NOT there before but emails were coming in)
Can go to canyouseeme.org and enter the public IP and port 25, and it is OPEN,
All emails were coming in before any changes made. They simply stopped and they are of no real help, just saying "your server is not allowing connections".
If I cannot find the answer here, they are getting migrated to Office 365 asap.. They, like other businesses cannot be down on email for days..
Any ideas?
Sat morning at 6:30 am was receiving email from filter service Fusemail to server. At 7 am noticed emails being deferred and building up in a queue on Fusemail Portal. Nothing changed in these 15 minutes. Fusemail's portal says "error reading banner" on public IP of server and the remote. OWA mx record.
I have done the following to troubleshoot,
Rebooted several times.
Recreated default receive connectors,
Looked thru the IIS system, no issues.
Exchange 2010 IS sending emails as normal.
Double checked the MX records for Fusemail, They are accurate,
Entered the ip addresses of Fusemail servers in the Watchguard T30 FIrewall box to send mail to port 25 (they were NOT there before but emails were coming in)
Can go to canyouseeme.org and enter the public IP and port 25, and it is OPEN,
All emails were coming in before any changes made. They simply stopped and they are of no real help, just saying "your server is not allowing connections".
If I cannot find the answer here, they are getting migrated to Office 365 asap.. They, like other businesses cannot be down on email for days..
Any ideas?
Just a general question at this point...We have a network which is joined to another office using a branch office VPN with a Watchguard Firewall at one end and a Netgear VPN router at the other. Do you know if it's possible to create a second permanent VPN connection from the Watchguard to a software PPTP VPN provided by Windows 2012 on a virtual hosted server?
Thanks
Thanks
Hello EE Members,
I need access to a watchguard xtm 330 but I don't have the passwords for the admin/user accounts and I was wondering if it is possible to reset a watchguard xtm 330 admin or a user password without doing a factory reset or loosing any of it's settings
Regards,
Paul
I need access to a watchguard xtm 330 but I don't have the passwords for the admin/user accounts and I was wondering if it is possible to reset a watchguard xtm 330 admin or a user password without doing a factory reset or loosing any of it's settings
Regards,
Paul
Does anybody know how to connect to a laptop in a remote location that is connected to the network via an SSL VPN client. The laptop connects to a Watchguard Firewall [System manager v 11.9.4] via an SSL VPN client v11.9.3.
Are You Headed to Black Hat USA 2017?
Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net
Hi,
I have a server running filezilla server and is configured with ftp over tls.
I know this server is fine because I can connect and upload files fine from a number of locations. However I have an issue in one particular location behind a watchguard firewall.
The connection establishes successfully and sometimes it can upload a file or part of a file before it fails when configured to ftp over tls.
If I change to ftp it works fine.
I have read that this can sometimes be an mtu issue but don't know how or where to change this. Please can anyone shed light on this.
Attached is the filezilla server log and errors it sees.
I have a server running filezilla server and is configured with ftp over tls.
I know this server is fine because I can connect and upload files fine from a number of locations. However I have an issue in one particular location behind a watchguard firewall.
The connection establishes successfully and sometimes it can upload a file or part of a file before it fails when configured to ftp over tls.
If I change to ftp it works fine.
I have read that this can sometimes be an mtu issue but don't know how or where to change this. Please can anyone shed light on this.
Attached is the filezilla server log and errors it sees.
Need some assistance with Watchguard XTM515 firewall configuration. We are installing a new PBX and the vendor requires some port translation and I am having difficulty figuring out how to configure the firewall to accommodate the needs.
We need the following:
Port: 16000-16511 UDP to internal IP address 10.0.0.12,
Port 5060 UDP to internal IP address number 10.0.0.11,
Port 6050 UDP (SIP) needs port number conversion to port 5060UDP Port 2727 UDP (MGCP) to internal IP address number 10.0.0.11,
Port 9300 UDP (PTAP) to internal IP address number 10.0.0.11
The 1st, 2nd, and 3rd are straightforward. The third line with the port translation is where I am having difficulty.
Any help would be appreciated.
We need the following:
Port: 16000-16511 UDP to internal IP address 10.0.0.12,
Port 5060 UDP to internal IP address number 10.0.0.11,
Port 6050 UDP (SIP) needs port number conversion to port 5060UDP Port 2727 UDP (MGCP) to internal IP address number 10.0.0.11,
Port 9300 UDP (PTAP) to internal IP address number 10.0.0.11
The 1st, 2nd, and 3rd are straightforward. The third line with the port translation is where I am having difficulty.
Any help would be appreciated.
Hi
I have a group of users who regularly travel with their laptops and i want to be able to have more control on what they are browsing when away from the network.
At the moment when they are in the office they go out through our Watchguard which acts as a transparent proxy and has Websense setup to filter what they can see.
In addition to this when they are connected via SSL VPN externally the traffic is forced down the tunnel and again they use the transparent proxy.
The problem i have though is if they dont connect to the VPN when say in a hotel they can browse what they want.
Is there a way that i can stop browsing access unless they are connected through the VPN.
I know that we could specifiy a proxy in the internet settings but because the Watchguard is a transparent proxy i dont believe this would work.
Any advice would be great.
thanks
I have a group of users who regularly travel with their laptops and i want to be able to have more control on what they are browsing when away from the network.
At the moment when they are in the office they go out through our Watchguard which acts as a transparent proxy and has Websense setup to filter what they can see.
In addition to this when they are connected via SSL VPN externally the traffic is forced down the tunnel and again they use the transparent proxy.
The problem i have though is if they dont connect to the VPN when say in a hotel they can browse what they want.
Is there a way that i can stop browsing access unless they are connected through the VPN.
I know that we could specifiy a proxy in the internet settings but because the Watchguard is a transparent proxy i dont believe this would work.
Any advice would be great.
thanks
I am trying to pass multicast traffic between 2 VLANs that are connected by a Watchguard firewall. No matter what I do, I cannot see and multicast traffic on the "traffic monitor;" on the Watchguard. I am using a Cisco 2960 with IGMP turned on. I can stream to everyone in the same VLAN , just not to second VLAN (via watchguard). Any ideas?
Trying to allow access to the game For Honor.
Watch guard is blocking the games I have checked traffic monitor.
2017-02-20 15:43:41 Deny 172.16.54.147 216.98.55.90 11085/udp 51031 11085 1-Trusted 0-External Denied 36 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2017-02-20 15:44:05 Deny 172.16.54.147 216.98.55.90 11080/udp 53387 11080 1-Trusted 0-External Denied 32 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
I have allowed UDP ports 11080-11085 still blocks also put host address in exception list to no avail.
Any ideas?
Watch guard is blocking the games I have checked traffic monitor.
2017-02-20 15:43:41 Deny 172.16.54.147 216.98.55.90 11085/udp 51031 11085 1-Trusted 0-External Denied 36 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2017-02-20 15:44:05 Deny 172.16.54.147 216.98.55.90 11080/udp 53387 11080 1-Trusted 0-External Denied 32 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
I have allowed UDP ports 11080-11085 still blocks also put host address in exception list to no avail.
Any ideas?
On a Cisco ASA, if I need to allow the traffic to come in on an interface and leave on the same interface I need to use the following command:
same-security-level permit intra-interface
Now on a watchgaurd firewall, (I'm not very familiar with the watchguard), how do I do this exact same thing? Any assistance would be greatful. Thanks!
same-security-level permit intra-interface
Now on a watchgaurd firewall, (I'm not very familiar with the watchguard), how do I do this exact same thing? Any assistance would be greatful. Thanks!
Hi I am receiving this bounce back email error.
The error that the other server returned was: 552 Requested mail action aborted: exceeded storage allocation
trying to send PDF attachments larger then 7 MB . I attached the Watch Guard and Exchange SMTP settings, they are set to 20 MB.
The line length in Watch Guard is set to 9000 changed from 1000 and I still keep getting this bounce back error.
I tried sending from gmail and Outlook exchange and sending to different email addresses on the same server and I still get the same bounce back error.
Please Help, Thanks!
WGsmtp.png
EXCHsmtp.png
The error that the other server returned was: 552 Requested mail action aborted: exceeded storage allocation
trying to send PDF attachments larger then 7 MB . I attached the Watch Guard and Exchange SMTP settings, they are set to 20 MB.
The line length in Watch Guard is set to 9000 changed from 1000 and I still keep getting this bounce back error.
I tried sending from gmail and Outlook exchange and sending to different email addresses on the same server and I still get the same bounce back error.
Please Help, Thanks!
WGsmtp.png
EXCHsmtp.png
I'm having an issue creating a WPAD file for IE11. It seems there is a lot on the web with lots of WPAD examples, but their all outdated as the IsInNet commands just don't work anymore.
I want the WPAD file to be able to go direct on certain URLS or domains and through the proxy for everything else. Now I've got something working but when users are on the VPN and try to access one of our websites it tries to resolve it via it's internal IP address as oppose to it's public address.
Also, for whatever reason all traffic seems to be going through the proxy, even though the firewall is configured not force all traffic through the tunnel.
Sorry if this is a bit complex, would appreciate any assistance, as I'm sure there must be someone out there that has created a WPAD file to properly work on IE11.
Here is my WPAD example;
--------------------------
function FindProxyForURL(url, host)
{
if (
shExpMatch(host, "*.officeapps.live.com")||
shExpMatch(host, "*.officeapps.live.com")||
shExpMatch(host, "*broadcast.officeapps.liv
dnsDomainIs(host, "sway.com")||
dnsDomainIs(host, "www.sway.com")||
dnsDomainIs(host, "eus-www.sway.com")||
dnsDomainIs(host, "eus-000.www.sway.com")||
dnsDomainIs(host, "eus-001.www.sway.com")||
dnsDomainIs(host, "eus-002.www.sway.com")||
dnsDomainIs(host, "office365.com")
)
return "DIRECT";
else { return "PROXY proxyaddress:8080; DIRECT";}
}
…
I want the WPAD file to be able to go direct on certain URLS or domains and through the proxy for everything else. Now I've got something working but when users are on the VPN and try to access one of our websites it tries to resolve it via it's internal IP address as oppose to it's public address.
Also, for whatever reason all traffic seems to be going through the proxy, even though the firewall is configured not force all traffic through the tunnel.
Sorry if this is a bit complex, would appreciate any assistance, as I'm sure there must be someone out there that has created a WPAD file to properly work on IE11.
Here is my WPAD example;
--------------------------
function FindProxyForURL(url, host)
{
if (
shExpMatch(host, "*.officeapps.live.com")||
shExpMatch(host, "*.officeapps.live.com")||
shExpMatch(host, "*broadcast.officeapps.liv
dnsDomainIs(host, "sway.com")||
dnsDomainIs(host, "www.sway.com")||
dnsDomainIs(host, "eus-www.sway.com")||
dnsDomainIs(host, "eus-000.www.sway.com")||
dnsDomainIs(host, "eus-001.www.sway.com")||
dnsDomainIs(host, "eus-002.www.sway.com")||
dnsDomainIs(host, "office365.com")
)
return "DIRECT";
else { return "PROXY proxyaddress:8080; DIRECT";}
}
…
WatchGuard
8
Solutions
37
Contributors
Network threats can come from anywhere, at any time, and can take you down before you even know they’re there. Uniquely architected to be the industry’s smartest, fastest and most effective network security products, WatchGuard solutions put IT security pros back in charge of their networks with widely deployable, enterprise-grade security and threat visibility tools suitable for any organization, regardless of budget, size, or complexity. WatchGuard has deployed nearly a million of its integrated, multi-function threat management appliances worldwide, to businesses that range from SMEs to large distributed enterprises.
