The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!
Experts Exchange > Topics > WatchGuard
Share tech news, updates, or what's on your mind.
Sign up to Post
Load Recent Content
We've just installed a new next-gen firewall and I need some assistance getting some communication between two of the interfaces.
It's a Watchguard T35 and we have our WAN on Eth0, LAN1 on Eth1, and LAN2 on Eth2.
Our WAN has a static IP, but we have /27 block of public IP's routed (at the ISP level) to our WAN for use by public facing servers.
I have that part of it working OK. Servers connected to the LAN2 all have their static IP assignment and IP checks on the internet show the correct IPs. This interface in the Watchguard is set as "Optional".
LAN1, is our private LAN and is set as "Trust". Internet traffic and NAT/port forwarding is all working OK, but I cannot seem to get access to LAN2 from LAN1 devices.
I've created a firewall policy with "ANY" for the packet filtering and have set both 192.168.1.0/24 and 203.xx.xx.0/27 in both the To and From boxes. The rule is set to allow and enabled.
But I cannot browse (using the IP or UNC name) or access any of the LAN2 resources from LAN1. Nor can LAN2 access any of the LAN1 resources.
I'm new to Watchguard and thought I might ask here for any things I may have overlooked before lodging a support ticket with Watchguard support.
It's a Watchguard T35 and we have our WAN on Eth0, LAN1 on Eth1, and LAN2 on Eth2.
Our WAN has a static IP, but we have /27 block of public IP's routed (at the ISP level) to our WAN for use by public facing servers.
I have that part of it working OK. Servers connected to the LAN2 all have their static IP assignment and IP checks on the internet show the correct IPs. This interface in the Watchguard is set as "Optional".
LAN1, is our private LAN and is set as "Trust". Internet traffic and NAT/port forwarding is all working OK, but I cannot seem to get access to LAN2 from LAN1 devices.
I've created a firewall policy with "ANY" for the packet filtering and have set both 192.168.1.0/24 and 203.xx.xx.0/27 in both the To and From boxes. The rule is set to allow and enabled.
But I cannot browse (using the IP or UNC name) or access any of the LAN2 resources from LAN1. Nor can LAN2 access any of the LAN1 resources.
I'm new to Watchguard and thought I might ask here for any things I may have overlooked before lodging a support ticket with Watchguard support.
I am installing WatchGuard SSL Vpn software which is using Open VPN software and it has TAP network driver but I can't install it unattended. Does anybody know how to install OpenVPN un-attended including TAP-Windows adapter?
I have a watchguard M270, the customer has a hosted server they connect to via ipsec. What policy could I enable to allow the ipsec vpn outbound.
I have a user who is using the Watchguard VPN client software. They have been using it on Windows 10 Pro (v 1709) for 6 months without issue. The UAC prompt suddenly started appearing this morning when they try to run the software. No updates for Windows or the software have been installed. I have 60 other users that are using it without this problem also. I am at a loss as to why this would suddenly start needing elevated privileges to run. Does anyone know why this would happen or how to fix it? I am not going to disable user account control or give them admin rights.
I had this question after viewing Watchguard Firewall xFlow Configuration.
Customer has a watchguard T10 firebox firewall for a pos system. The POS server connects directly to the trusted network port. no other computers connect to that network.
Customer wants to setup an access point for wifi. The watchguard has a 3rd port. I want to activate it as a second network and allow wireless devices to access the internet.
The watchguard firewall does not have built in wifi. We purchased an access point that we plan to connect to the 3rd port.
This is a restaurant, there are no office pc's or network printers.
Need suggestions on policy's, the device has contenfilter subscriptions. I want to enforce them on the 3rd port too if possible.
Customer wants to setup an access point for wifi. The watchguard has a 3rd port. I want to activate it as a second network and allow wireless devices to access the internet.
The watchguard firewall does not have built in wifi. We purchased an access point that we plan to connect to the 3rd port.
This is a restaurant, there are no office pc's or network printers.
Need suggestions on policy's, the device has contenfilter subscriptions. I want to enforce them on the 3rd port too if possible.
How to block RFC 1918 and create object-groups and use that object-groups to block any udp traffic inbound to the external interface on a WatchGuard Firebox (M200)?
I'm trying to connect a Watchguard T30 to an AP320 through a Cisco Catalyst 2960.
I'm able to set up trunking on the Cisco so that I can see the AP320 through the controller, however when I connect to the WLAN I get no DHCP address, and I can't get online even when I hard code the IP. Based on some logging information I've seen on the Watchguard, it almost looks as though the Cisco switch is sending packets to the wrong gateway address.
It looks like when a device was requesting an IP on the VLAN 192.168.5.1/24 subnet that request was sent to the lan 192.168.1.1 gateway.
I'm extremely new to Cisco so it's entirely possible I'm missing something obvious, but when the VLAN's are set up on the router and then trunking is configured for those VLAN's on the Cisco, is there a place where you need to specify what Gateway to use for each trunk?
I'm able to set up trunking on the Cisco so that I can see the AP320 through the controller, however when I connect to the WLAN I get no DHCP address, and I can't get online even when I hard code the IP. Based on some logging information I've seen on the Watchguard, it almost looks as though the Cisco switch is sending packets to the wrong gateway address.
It looks like when a device was requesting an IP on the VLAN 192.168.5.1/24 subnet that request was sent to the lan 192.168.1.1 gateway.
I'm extremely new to Cisco so it's entirely possible I'm missing something obvious, but when the VLAN's are set up on the router and then trunking is configured for those VLAN's on the Cisco, is there a place where you need to specify what Gateway to use for each trunk?
We have a Watchguard M200 firewall that we would like to limit inbound/outbound bandwidth to 20Mbps on our External (WAN) interface. Our ISP allows for 40Mbps total bandwidth. I've gone into Traffic Management and changed the interface to limit bandwidth to 20Mbps but this only seems to apply to upstream outbound traffic. Inbound traffic is still coming in at the fulll 40Mbps. Is it possible to also limit inbound traffic to 20Mbps?
Thank you
Thank you
I currently have a Watchguard Firebox in place and have recently purchased a Cisco Catalyst 2960 to server as our primary switch. Our Watchguard currently manages our WAP's (also Watchguard) which have a private and public wifi network which is segmented through the use of VLAN's.
I'm extremely new to Cisco and I'm trying to determine how I would go about configuring the ports on the switch to pass along all VLAN traffic which should allow the WAP's to continue functioning.
I'm extremely new to Cisco and I'm trying to determine how I would go about configuring the ports on the switch to pass along all VLAN traffic which should allow the WAP's to continue functioning.
Do You Have a Trusted Wireless Environment?
WatchGuard
A Trusted Wireless Environment is a framework for building a complete Wi-Fi network that is fast, easy to manage, and secure.
We have a Watchguard XTM 2 firewall device.
We have set it up successfully with a static IP address through our modem. The modem works and plugged it directly into the computer with IPv4 manually set.
We have the WAN in X0 and the LAN is X2.
When we setup the device with the Trusted Interface of 192.168.0.1/24 with DHCP range of 192.168.0.2-192.168.0.199 it works but does not get Internet. The DNS server is set and the computer has no problem getting a DHCP address.
The only thing that looks wrong is this picture with the gateway is showing up as 0.0.0.0 but don't see a place to change it nor do I see any settings wrong. Help!
20180503_110739.jpg
We have set it up successfully with a static IP address through our modem. The modem works and plugged it directly into the computer with IPv4 manually set.
We have the WAN in X0 and the LAN is X2.
When we setup the device with the Trusted Interface of 192.168.0.1/24 with DHCP range of 192.168.0.2-192.168.0.199 it works but does not get Internet. The DNS server is set and the computer has no problem getting a DHCP address.
The only thing that looks wrong is this picture with the gateway is showing up as 0.0.0.0 but don't see a place to change it nor do I see any settings wrong. Help!
20180503_110739.jpg
I am having an issue accessing a secure ftp web site from a network. The network uses a watchguard xtm 25 appliance and then runs Server 2008 R2 as the network server. The workstations are all Windows 7 Pro.
The URL is https://oebsftp.ontarioenergyboard.ca. This should bring me to a log in page, but instead the following message
The message from IE 11 is as follows:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://oebsftp.ontarioenergyboard.ca again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Fire fox give the following:
Secure Connection Failed
The connection to oebsftp.ontarioenergyboard.ca was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Often the Ontario energy board upload sites are designed for IE only.
I do not see anything in the Watchguard appliance but may be overlooking something.
The server uses SEP 14.0 for both anti-virus and Firewall
As a separate issue, email using Outlook 2013 cannot use ssl either
The URL is https://oebsftp.ontarioenergyboard.ca. This should bring me to a log in page, but instead the following message
The message from IE 11 is as follows:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://oebsftp.ontarioenergyboard.ca again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Fire fox give the following:
Secure Connection Failed
The connection to oebsftp.ontarioenergyboard.ca was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Often the Ontario energy board upload sites are designed for IE only.
I do not see anything in the Watchguard appliance but may be overlooking something.
The server uses SEP 14.0 for both anti-virus and Firewall
As a separate issue, email using Outlook 2013 cannot use ssl either
Our ISP has given us a block IP addresses, and a gateway on a different subnet. We must use PPPoE to connect. We want to use these addresses on a Watchguard XTM box using Fireware 12.1.1
We have set the PPPoE connection to use the gateway IP address, and added the 5 main IP addresses as secondary ones on the external interface. These can be thought of as follows (not the actual IP addresses):
Gateway : 80.80.79.79
Assigned IP Range 80.80.80.1/29
When trying to configure a BOVPN, we would like our IP address to show as 80.80.80.1 but it always appears as 80.80.79.79.
We've modified the other firewall policies such as HTTPS client to use one of the IP addresses in the block and this works fine, just not the BOVPN one. Can someone direct me to where I should specify the IP address for the BOVPN?
Thanks.
We have set the PPPoE connection to use the gateway IP address, and added the 5 main IP addresses as secondary ones on the external interface. These can be thought of as follows (not the actual IP addresses):
Gateway : 80.80.79.79
Assigned IP Range 80.80.80.1/29
When trying to configure a BOVPN, we would like our IP address to show as 80.80.80.1 but it always appears as 80.80.79.79.
We've modified the other firewall policies such as HTTPS client to use one of the IP addresses in the block and this works fine, just not the BOVPN one. Can someone direct me to where I should specify the IP address for the BOVPN?
Thanks.
Hi, I have a really odd problem with a Watchguard XTM25-W Firewall. It has the latest Fireware on it and I've reset it and run the setup wizard from scratch on it. I have a Draytek VDSL model plugged into Port0 and have set up PPPOE authentication on the watchguard and the watchguard connects to the internet. I have successfully downloaded the Live Security feature key and it's valid for 2 more months.
The problem I have is that if I plug a laptop directly into Port 1 on the Watchguard and set up a static IP the laptop can see the internet. However if I plug Port 1 into an established 48 port switch nobody on the switch can see the Watchguard, and in fact the Port1 light on the Watchguard doesn't even light up (it lights up if you plug the Laptop into it)
As far as I am aware when you reset a Watchguard and run the setup Wozard it sets up enough default settings to get you a basic internet connection but I'm wondering if there is now some additional configuration needed to allow the internet connection to be shared.
Bit of further background, the Watchguard is replacing an existing Draytek VDSL Router which was the original Default Gateway so I have set up the Watchguard with the same IP address as the Draytek Router (and of course unplugged the Draytek)
Would really appreciate some suggestions on this.
Many thanks
The problem I have is that if I plug a laptop directly into Port 1 on the Watchguard and set up a static IP the laptop can see the internet. However if I plug Port 1 into an established 48 port switch nobody on the switch can see the Watchguard, and in fact the Port1 light on the Watchguard doesn't even light up (it lights up if you plug the Laptop into it)
As far as I am aware when you reset a Watchguard and run the setup Wozard it sets up enough default settings to get you a basic internet connection but I'm wondering if there is now some additional configuration needed to allow the internet connection to be shared.
Bit of further background, the Watchguard is replacing an existing Draytek VDSL Router which was the original Default Gateway so I have set up the Watchguard with the same IP address as the Draytek Router (and of course unplugged the Draytek)
Would really appreciate some suggestions on this.
Many thanks
Good day-
I'm attemtping to forward port inbound requests on port 80 to internal port 16000 for viewing of a DVR camera system. Can someone guide me over policy manager? I'm not understanding the kb from watchguard.
Best,
Craig
I'm attemtping to forward port inbound requests on port 80 to internal port 16000 for viewing of a DVR camera system. Can someone guide me over policy manager? I'm not understanding the kb from watchguard.
Best,
Craig
We have a WatchGuard M300. We currently have an internet connection that is too small for our needs. Our issue is the upload speed is capped at 20Mbps. With the M300 can we add a second internet connection and have our internet traffic divided evenly between these two connections?
We have several locations. Each location has several DNS servers, all replicating to each other. In DNS we have several Conditional Forwarders. At all locations except one I can ping and RDP into any of the servers in the Conditional Forwarders list. However in one of the locations I am unable to ping to any of the Conditional Forwarder IPs. All locations are connected using a Watchguard firewall using a VPN. When I do a tracert from the location that is unable to get to any of the Conditional Forwarder locations, it goes to the local DNS server, then out to local ISP DNS server. I have been reading and searching for articles that might help however I am unable to find a solution.
Hi All
This is not a question as such im looking for information ideas on how i can pass VLAN's across a ipsec VPN tunnel
Ive got 16 VLANS that is hosted at one site located a few hundred kilometers away from my secondary site and i want to be able to push the vlans from the main site to the secondary site and then be able to distriube those via a switch at the remote site
The sites currently will be connected via either Sonicwalls or WatchGuard UTM Appliances
Any help or suggestions on this would be greatly appreciated
This is not a question as such im looking for information ideas on how i can pass VLAN's across a ipsec VPN tunnel
Ive got 16 VLANS that is hosted at one site located a few hundred kilometers away from my secondary site and i want to be able to push the vlans from the main site to the secondary site and then be able to distriube those via a switch at the remote site
The sites currently will be connected via either Sonicwalls or WatchGuard UTM Appliances
Any help or suggestions on this would be greatly appreciated
Hello Experts,
I have got XTM 26 series watchguard Firewall in the company. We are now in the phase of upgrading internet bandwidth from 20 Mbps to 100 Mbps. According to service provider, I have to setup firewall for traffic shaping but I am not sure watchguard support it or not?
Parameters to configure on firewall are; Shaping Rate, Shaping burst, Extended burst.
I do not want to go with other option of adding a router before the firewall, as it may stops all applications running in branch office.
Can anybody help me with?
I have got XTM 26 series watchguard Firewall in the company. We are now in the phase of upgrading internet bandwidth from 20 Mbps to 100 Mbps. According to service provider, I have to setup firewall for traffic shaping but I am not sure watchguard support it or not?
Parameters to configure on firewall are; Shaping Rate, Shaping burst, Extended burst.
I do not want to go with other option of adding a router before the firewall, as it may stops all applications running in branch office.
Can anybody help me with?
Webinar: Miercom Evaluates Wi-Fi Security
WatchGuard
It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom how WatchGuard's Wi-Fi security stacks up against the competition in our upcoming webinar!
I am currently experiencing an annoying VPN issue
I have a WatchGuard M300 cluster based in datacentre 2 which has an existing site to site VPN to datacentre 1
The same customer has a satellite office with a Watchguard xtm33 that has a site to site VPN to datacentre 1. The satellite office is double NAT'ing, with an external IP in a 1 to 1 NAT direct through to a private IP range that is the external interface on this Watchguard.
datacentre 1 will be turned off soon so I need to connect the satellite office to datacentre 2, however when I set it up I get a timeout error on the Datacentre 2 side (it's like it cannot even see the external interface nevermind start negotiating) and the satellite side doesn't even attempt to start the VPN. I have checked all of the settings, all traffic is definitely being passed through the satellite offices provider interface and other services are working. As there is a VPN in place and working on both sides I cannot understand why the issues exists, but seems buggy. The firmware on the satellite WatchGuard is old, its the only thing I can think to change. Or its the 1 to 1 NAT, never had an issue before but its a question mark.
I have a WatchGuard M300 cluster based in datacentre 2 which has an existing site to site VPN to datacentre 1
The same customer has a satellite office with a Watchguard xtm33 that has a site to site VPN to datacentre 1. The satellite office is double NAT'ing, with an external IP in a 1 to 1 NAT direct through to a private IP range that is the external interface on this Watchguard.
datacentre 1 will be turned off soon so I need to connect the satellite office to datacentre 2, however when I set it up I get a timeout error on the Datacentre 2 side (it's like it cannot even see the external interface nevermind start negotiating) and the satellite side doesn't even attempt to start the VPN. I have checked all of the settings, all traffic is definitely being passed through the satellite offices provider interface and other services are working. As there is a VPN in place and working on both sides I cannot understand why the issues exists, but seems buggy. The firmware on the satellite WatchGuard is old, its the only thing I can think to change. Or its the 1 to 1 NAT, never had an issue before but its a question mark.
Watchguard to Draytek site to site VPN - 2 tunnels required.
WG side has local IP of 192.168.1.1/24 and this needs linking to the draytek which has 2 LAN 10.0.0.1/24 and 192.168.100.1/24
I need a tunnel for both
Now i can set this up with one tunnel no issue. but cant see anywhere to add a second tunnel on the draytek end. Ive herd GRE might be the answer my question but havnt used this before.
How do i add a second tunnel. I have also tried a second VPN with the other tunnel but this causes both VPNs to alternate and not work correctly. any help or questions welcome
WG side has local IP of 192.168.1.1/24 and this needs linking to the draytek which has 2 LAN 10.0.0.1/24 and 192.168.100.1/24
I need a tunnel for both
Now i can set this up with one tunnel no issue. but cant see anywhere to add a second tunnel on the draytek end. Ive herd GRE might be the answer my question but havnt used this before.
How do i add a second tunnel. I have also tried a second VPN with the other tunnel but this causes both VPNs to alternate and not work correctly. any help or questions welcome
We have Watchguard m400. The firewall is blocking EXE download. I want to allow only help desk to be able to download EXE, drive etc. How can i do this ?
thanks
thanks
i currently have a watchguard firebox with UTM and using vmware.
im currently upgrading the environment to the latest vmware and nsx.
is it recommended to eliminate the watchguard and ONLY use NSX?
im currently upgrading the environment to the latest vmware and nsx.
is it recommended to eliminate the watchguard and ONLY use NSX?
I inherited a Class B network years ago and am just now wanting to do a major overhaul. Currently the LAN network is 10.1.0.0/16. It is currently just a flat network with servers and clients dispersed throughout. I want to segment the network into the following categories: Servers (25ea now), Workstations (100ea now), Printers (30ea now), Utility devices (20ea now). All of our wireless clients are connected on the outside of the firewall and are outside the scope of this question. Our firewall is a WatchGuard device.
Should I rework the ip address scheme? If so, can someone layout an example of what I should do?
thanks!
Lance
Should I rework the ip address scheme? If so, can someone layout an example of what I should do?
thanks!
Lance
I am putting together some phone equipment and servers in a datacenter cabinet. The datacenter is providing us a redundant router connection using HSRP. The cabinet has two Ethernet cables: primary, secondary.
We need external routable addresses for each of the two border controllers for the phone system. They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.
We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.
We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.
We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.
I need help in the configuration of this system.
One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch then patch that switch into an external interface on the firewall. After so many attempts I am trying to remember but I think the path to the internet was broken when BOTH router cables were plugged into that switch. I am going back to the datacenter tomorrow to try more things but I wanted to get some input from you guys first. I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site. Basically they gave me a \29 subnet and …
We need external routable addresses for each of the two border controllers for the phone system. They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.
We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.
We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.
We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.
I need help in the configuration of this system.
One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch then patch that switch into an external interface on the firewall. After so many attempts I am trying to remember but I think the path to the internet was broken when BOTH router cables were plugged into that switch. I am going back to the datacenter tomorrow to try more things but I wanted to get some input from you guys first. I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site. Basically they gave me a \29 subnet and …
38
Solutions
114
Contributors
Smart Security. Simply Done.
For over 20 years, WatchGuard has pioneered cutting-edge cyber security technology and delivered it as easy-to-deploy and easy-to-manage solutions. With industry-leading network security, secure Wi-Fi, and network intelligence products and services, WatchGuard enables more than 80,000 small and midsize enterprises from around the globe to protect their most important assets.
www.watchguard.com
- Our Mission
- Who We Are
- Careers
- Blog
- Contact Us
- Reviews
- Expert Hall of Fame
© 1996-2018 Experts Exchange, LLC. All rights reserved. Covered by US Patent.