


Network threats can come from anywhere, at any time, and can take you down before you even know they’re there. Uniquely architected to be the industry’s smartest, fastest and most effective network security products, WatchGuard solutions put IT security pros back in charge of their networks with widely deployable, enterprise-grade security and threat visibility tools suitable for any organization, regardless of budget, size, or complexity. WatchGuard has deployed nearly a million of its integrated, multi-function threat management appliances worldwide, to businesses that range from SMEs to large distributed enterprises.


At the NY Data Center and the UK and US offices, the IP addresses accessing in and being accessed out.

The objective is to identify suspicious / unauthorized access or data transfer.
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

I'm in the process of setting up SSO for users so we can control our internet access. We only want domain users to access the internet, and non-domain users (such as visitors) need to be blocked.

I have read a couple of articles but am still a little unsure which method to use, so here I am asking the experts for guidance. I would also appreciate it if someone could write a step-by-step setup guide or an article that I can follow, with some screen prints.

Please also point out any "gotchas".

This article says that "Event Log Monitor" has to be installed on all domain controllers, but later it talks about pushing out the SSO client to machines, which is also used for authentication, so I am a bit confused whether this is needed or not. Please clarify.

And then this video also talks about "Exchange Monitor" for authentication. Do I need all of these options, or will one suffice?

much appreciated!


Can anyone please tell me, step by step, how to stop a Watchguard XTM25 from blocking downloads of EXE files from a server-hosted website (so I need to add an exception as an IP address).

Many thanks

In this article, WatchGuard's Director of Security Strategy and Research, Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.

I know very little about watchguards (or really most complex firewalls).  I have 2 watchguards in location A and location B.  Looking at the policies on the main office's watchguard, I have 16 rules.  I wonder which are needed?

This is an XTM21 (old unit, right?)

it takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'retrieving data' on screen for 9 seconds... there's 16 policies in the list.  Is that a long time for pages to load?

a) do you just replace watchguards after x years because they are old?
b) do you reboot them on a schedule? How often? every week? month? year?

This watchguard is set up for: Exchange on the SBS server on the LAN, general surfing from inside the office, VPN to the other location, and phones being able to connect to the Exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what is set up. I inherited this network, so some may be unneeded / defaults that came with the box?
FTP OUTbound
SMTP (to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->
HTTPtoMAILSrv (From ANY to 75.127.x.x->
POP3toMailsrv (From ANY to 75.127.x.x->
IMAPtoMailsrv (From ANY to 75.127.x.x->
HTTPStoMailsrv (From ANY to 75.127.x.x->
RDPtoMAILsrv (From ANY to 75.127.x.x->
Voicecom mail system (From ANY to 75.127.x.x->
Watchguard …
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect. How can I change these settings so I don't have to enable them in IE?

Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today!

I hate to admit how little I know about UTMs.

Have a watchguard UTM (X10e), that I am trying to make changes in a firewall policy for people to access a new camera system that requires different ports than the old camera system.

Figured I'd just edit the existing policy that someone else set up - the new system will get the same IP as the old system... I just need to change the ports.  The old system used different ports than the new one.

I go into the web UI, log in as admin, and go to Firewall / Firewall Policies.  On that screen, I highlight the camera policy and choose the Edit button.

The policy loads, but I don't see how to delete existing ports / add ports on the properties page... Is there a Watchguard program I could (need to??) use?  There are no add / remove buttons on the properties page, like there are on the policy page.

Am I missing something?  

By the way, I keep saying I need to learn UTMs... any thoughts on Watchguard vs other brands?   Best way to learn how to use / manage them?

Microsoft updates are getting too large and take too long to download. I work for a school and we have over 250 Windows computers that share 100MB internet; they take a long time to update and update at bad times. I am trying to create a WSUS server, but keep getting connection errors. We have an XTM525 Watchguard firewall and I was told there may be a way to prevent the updates at different times. Is this correct? Does anyone know how?

thank you
Good Day,
We have a WatchGuard XTM-22 at one of our schools and it is not working - we have no internet access for any device on our network.
Here is the setup for this unit:

Port 0 - Main internet feed
Port 1 - to our internal network
Port 2 - Mgmt
Port 3 - Another internet feed DSL
Port 4 - unused
Port 5 - Another internet feed DSL

(We have very limited / poor internet speeds available in this remote community.  The IT consultant before we took over was able to configure the unit to use the internet feeds from Ports 0 and 5, which is all that could be used at the time.  The Port 3 feed is redundant and can be used as a backup for Port 5 by switching cables.)

Right now, here is the status of the lights on the front of the WatchGuard unit, going from left to right:

Failover:  Flashing green
WAP:  Off

Ports 5,4,3:  Both Link and 100/1000 lights off
Ports 2,1,0:  Both Link and 100/1000 lights flashing green in unison

Status:  Solid Red
Attn:  Solid Orange
Mode:  Flashing Green
Power:  Solid Green

I have tried to connect my laptop via RJ45 cable directly to Port 2 to access the unit, but there is no activity on this link and I don't get a DHCP address.   Web browser access to both the external IP and internal IP addresses won't work either.

Any suggestions on what is causing this problem?  I have no experience with this particular unit and the network setup is quite convoluted - five VLANs.  I think there is a backup config file from about a year ago.
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

I have an Exchange 2013 server behind a WatchGuard M200 Firewall. Both have appropriate SSL certificates installed, and the WatchGuard is configured as an SMTP proxy.

Everything works brilliantly, except that email from two domains is not received. Everyone else works absolutely fine. I am unclear why.

On the Exchange end, the logs for working emails end like this:

250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
,Proxy destination(s) obtained from OnProxyInboundMessage event
"250 2.6.0 <> [InternalId=85388244811933, Hostname=EXCHANGESERVER.DOMAIN.LOCAL] Queued mail for delivery"
221 2.0.0 Service closing transmission channel


However, for two domains, the conversation ends like this:

250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>


It looks as though the sender has been given permission to go ahead with sending their message, and then not done so. However, the message is attempted a few dozen times, about ten minutes apart, before the sender gives up.

On the WatchGuard end, there is one difference between how senders show in logs.

For the working senders, I see lines for both 'ProxyMatch, ProxyAllow:' and then 'ProxySMTPReq'; however, for broken senders, I see just ProxyMatch, which is not followed up with ProxySMTPReq.

One of the broken senders is coming from Office 365; however, so are dozens of other senders, so I don't think the issue is there.

Any advice?
I've got a Watchguard 500 series at the main office and a 2 series at a home office.  I've needed to set up a VPN between the two devices to get an IP phone to function properly.

With the current home office setup I have one interface set as 'external' and connect the cable modem directly there.  Then I have a 2nd interface as 'trusted' which connects to the user's home router.  The phone and computer connect to the home router and the VPN works fine.

At the new home office location however the home equipment is a cable modem/router combo - so I have no dedicated WAN port - just 4 LAN ports.

Maybe I'm overthinking this, but I'm stumped on how to configure this with the different home router/cable modem combo.

I've been using 'mixed' mode and am wondering if I need to be using 'drop-in' mode?

Set up a Watchguard BOVPN and it seems to connect, yet no traffic is being passed.  See attached.

I have a Watchguard M400 (Fireware XTM 11.10) firewall/router with about 14 Branch Office VPNs coming into it. We have new software that these BOVPNs need to access. There are two application servers running the software. I would like to load balance the connections to these servers. Can someone point me in the correct direction?

Recently we added a new TPG IPVPN connection (MPLS network with hosted firewall) to eth2 on our Watchguard, but can't get it to work properly (see attached picture).

For some reason I cannot ping any Sydney LAN IP addresses (on network) from the QLD office to the Sydney office.

What do I need to enable / configure on the Watchguard so I can ping internal LAN addresses from the QLD office?

QLD Office LAN is on network.
Sydney office LAN is on network

From the QLD office I can ping,,, OK, but if I try to ping the Watchguard LAN IP address or another device in the same Sydney network from the QLD office, it times out. Any ideas???

Sydney Office Watchguard Configuration is as follows:

I have 3 interfaces set up on my Watchguard X750e firewall with the following parameters:

Eth0: IP: (External) - This is connected to an ISP-managed Cisco 1900 Series router. This is a routed subnet servicing a TPG NBN connection.

Eth1: IP: (Trusted)

Eth2: IP: (External) - This is connected to a TPG NTU and is an IPVPN connection. This also requires RIPv2 and has dynamic routing set up.
Dynamic Routing Configuration:
1. Enable Dynamic Routing is enabled.
2. Enable RIP is enabled.
RIP Configuration:
router rip
network …
Been battling this for 2 days.

Saturday morning at 6:30 am we were receiving email from the filter service Fusemail to the server. At 7 am I noticed emails being deferred and building up in a queue on the Fusemail portal. Nothing changed in these 15 minutes. Fusemail's portal says "error reading banner" on the public IP of the server and the remote OWA MX record.

I have done the following to troubleshoot,

Rebooted several times.
Recreated default receive connectors.
Looked through the IIS system, no issues.
Exchange 2010 IS sending emails as normal.
Double-checked the MX records for Fusemail. They are accurate.
Entered the IP addresses of the Fusemail servers in the Watchguard T30 firewall box to send mail to port 25 (they were NOT there before, but emails were coming in).
Can go to and enter the public IP and port 25, and it is OPEN.

All emails were coming in before any changes were made. They simply stopped, and Fusemail are of no real help, just saying "your server is not allowing connections".

If I cannot find the answer here, they are getting migrated to Office 365 ASAP. They, like other businesses, cannot be down on email for days.

Any ideas?
Just a general question at this point...We have a network which is joined to another office using a branch office VPN with a Watchguard Firewall at one end and a Netgear VPN router at the other.  Do you know if it's possible to create a second permanent VPN connection from the Watchguard to a software PPTP VPN provided by Windows 2012 on a virtual hosted server?

Hello EE Members,

I need access to a Watchguard XTM 330, but I don't have the passwords for the admin/user accounts, and I was wondering if it is possible to reset a Watchguard XTM 330 admin or user password without doing a factory reset or losing any of its settings.

Does anybody know how to connect to a laptop in a remote location that is connected to the network via an SSL VPN client?  The laptop connects to a Watchguard firewall [System Manager v11.9.4] via an SSL VPN client v11.9.3.
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?


I have a server running FileZilla Server that is configured with FTP over TLS.

I know this server is fine because I can connect and upload files fine from a number of locations.   However, I have an issue in one particular location behind a Watchguard firewall.

The connection establishes successfully, and sometimes it can upload a file or part of a file before it fails when configured for FTP over TLS.
If I change to plain FTP it works fine.

I have read that this can sometimes be an MTU issue, but I don't know how or where to change this.   Please can anyone shed light on this.

Attached is the FileZilla Server log and the errors it sees.

I need some assistance with Watchguard XTM515 firewall configuration.  We are installing a new PBX and the vendor requires some port translation, and I am having difficulty figuring out how to configure the firewall to accommodate the needs.

We need the following:

Port 16000-16511 UDP to internal IP address,
Port 5060 UDP to internal IP address number,
Port 6050 UDP (SIP) needs port number conversion to port 5060 UDP,
Port 2727 UDP (MGCP) to internal IP address number,
Port 9300 UDP (PTAP) to internal IP address number

The 1st, 2nd, and 3rd are straightforward.   The third line with the port translation is where I am having difficulty.

Any help would be appreciated.

I have a group of users who regularly travel with their laptops, and I want to be able to have more control over what they are browsing when away from the network.

At the moment when they are in the office they go out through our Watchguard which acts as a transparent proxy and has Websense setup to filter what they can see.

In addition to this when they are connected via SSL VPN externally the traffic is forced down the tunnel and again they use the transparent proxy.

The problem I have, though, is that if they don't connect to the VPN when, say, in a hotel, they can browse what they want.

Is there a way that I can stop browsing access unless they are connected through the VPN?

I know that we could specify a proxy in the internet settings, but because the Watchguard is a transparent proxy I don't believe this would work.

Any advice would be great.

I am trying to pass multicast traffic between 2 VLANs that are connected by a Watchguard firewall.  No matter what I do, I cannot see any multicast traffic in the "Traffic Monitor" on the Watchguard.  I am using a Cisco 2960 with IGMP turned on.  I can stream to everyone in the same VLAN, just not to the second VLAN (via the Watchguard).   Any ideas?

Trying to allow access to the game For Honor.

The Watchguard is blocking the game; I have checked Traffic Monitor.

2017-02-20 15:43:41 Deny 11085/udp 51031 11085 1-Trusted 0-External Denied 36 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2017-02-20 15:44:05 Deny 11080/udp 53387 11080 1-Trusted 0-External Denied 32 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

I have allowed UDP ports 11080-11085 and it still blocks; I also put the host address in the exception list, to no avail.

Any ideas?
On a Cisco ASA, if I need to allow the traffic to come in on an interface and leave on the same interface I need to use the following command:

same-security-level permit intra-interface

Now on a Watchguard firewall (I'm not very familiar with the Watchguard), how do I do this exact same thing?  Any assistance would be greatly appreciated.  Thanks!

