Smart Security. Simply Done.

For over 20 years, WatchGuard has pioneered cutting-edge cyber security technology and delivered it as easy-to-deploy and easy-to-manage solutions. With industry-leading network security, secure Wi-Fi, and network intelligence products and services, WatchGuard enables more than 80,000 small and midsize enterprises from around the globe to protect their most important assets.

Share tech news, updates, or what's on your mind.

Sign up to Post

I have a WatchGuard M370 Firebox with L2TP and IPSec.  My users login to the firebox and then to a terminal server or in some cases their desktops. It's basically a 2 factor system, they login to the firebox and then to the server - I want to keep that.   I have a bunch of users who take home laptops and work at home and I'm wondering if there's a way to have my Group Policy enforced while they are on VPN.  My VPN is a dmz so it's not actually part of the network,  however, if you type and IP address chances are you'll get where you need to go.  SO for example my home users connect to a terminal server in the DMZ.  They are using Laptops we created here, but if they are not acknowledged on the domain after 60 days I'm having to put them back on the domain because the trust relationship fails.  I want to try to avoid this.  Is there a way to do it?
hi guys,
i got a watchguard and azure cloud server.
got a branch office vpn gateway/tunnel confiugred between watchguard and azure server. and all works good for local users within watchugard network.

now am trying to create a mobile ssl vpn in watchguard for remote users, so they can connect to local network of watchguard and connect to cloud server. - but mobile vpn works:can connect to all local devices but could not reach cloud server... i know am missing some config or routes to connect mobile vpn and brachoffice tunnel vpn and also config in server to reach mobile ssl vpn back ?  ?? is this anyone done before or any ideas ?
Hi I need to open inside to outside tcp ports 4105,4117 and 4118 for my watchguard to go out through my Cisco2911 -K9 router.

How do I do this in CLI?

I have tried
Extended IP access list 120
    10 permit tcp any eq 4105 any eq 4105
    20 permit tcp any host "external IP" eq 4105
Extended IP access list 121
    10 permit tcp any eq 4117 any eq 4117
    20 permit tcp any host "external IP" eq 4117
Extended IP access list 122
    10 permit tcp any eq 4118 any eq 4118
    20 permit tcp any host "external IP" eq 4118

Thanks in advance
My current setup is this- I use a Watchguard firewall.
Interface 0 is external.
Interface 1 is trusted-
Interface 2 is trusted-
There is a VPN to another office that is

Our phone system is
If I plug a phone into the .2 network the phone will connect up without an issue.
If I plug a phone into the .3 network the phone will NOT connect up.

I assume there needs to be a policy in place to get the two to talk. I am unsure of what the policy needs to be.
Hi experts.   I have a customer that got an encryption virus and we are dealing with it.   I am looking for any kind of way to setup the network so we don't get those, even if the client did click on the bad email.   We have taught most of our users to forward it to us if  it looks suspicious.  Always check the from address and that will tell you more.   But they still clicked on it and invited it in.,     We have 2 servers and about 25 workstations.  Have a Watchguard firewall and Bitdefender on all the machines.  
Any guidelines would be appreciated.
I'm looking for someone to help setup a new watchguard T15 and a BOVPN to an existing XTM25.  I know enough to be dangerous (maybe even that much).

I'd envision to have the person on the phone / remoted into my PC which would be on the LAN side of the T15 and I'd have team viewer connection to a PC on the LAN side of the XTM25 to set up the vpn (you are probably saying there's better ways to do the setup, but that's an indication of what I do and don't know).

We have a head office and a satellite office, connected through a VPN, for network traffic. This is working fine. We have an Avaya IP Office telephone system in head office and would like to use 5 x IP phones in the satellite office that connect to it. The phone network in head office is on a separate IP subnet  / VLAN to the main network. We are struggling to get the phones to work over the VPN.

Setup is as follows:

Head Office
Watchguard XTM330 Firewall (Main Network, VLAN1) (Phones, VLAN 5)

Satellite Office
Draytek 2860 (One Network

We have our VPN configured as a LAN to LAN on the Draytek with both subnets added under Network settings, and their diagnostics show that traffic destined for the phones network in head office does route through the VPN. I don't think that we have the Watchguard (uses BOVPN) set up properly to get the phones to connect. The Watchguard acts as a DHCP server for the phones network. IP phones in head office work fine.

Any help to get the phones connected would be appreciated.
I am installing WatchGuard SSL Vpn software which is using Open VPN software and it has TAP network driver but I can't install it unattended. Does anybody know how to install OpenVPN un-attended including TAP-Windows adapter?
I have a user who is using the Watchguard VPN client software. They have been using it on Windows 10 Pro (v 1709) for 6 months without issue. The UAC prompt suddenly started appearing this morning when they try to run the software. No updates for Windows or the software have been installed. I have 60 other users that are using it without this problem also. I am at a loss as to why this would suddenly start needing elevated privileges to run. Does anyone know why this would happen or how to fix it? I am not going to disable user account control or give them admin rights.
I had this question after viewing Watchguard Firewall xFlow Configuration.
We have a Watchguard M200 firewall that we would like to limit inbound/outbound bandwidth to 20Mbps on our External (WAN) interface. Our ISP allows for 40Mbps total bandwidth. I've gone into Traffic Management and changed the interface to limit bandwidth to 20Mbps but this only seems to apply to upstream outbound traffic. Inbound traffic is still coming in at the fulll 40Mbps. Is it possible to also limit inbound traffic to 20Mbps?

Thank you
We have a WatchGuard M300. We currently have an internet connection that is too small for our needs. Our issue is the upload speed is capped at 20Mbps. With the M300 can we add a second internet connection and have our internet traffic divided evenly between these two connections?
Hi All

This is not a question as such im looking for information ideas on how i can pass VLAN's across a ipsec VPN tunnel

Ive got 16 VLANS that is hosted at one site located a few hundred kilometers away from my secondary site and i want to be able to push the vlans from the main site to the secondary site and then be able to distriube those via a switch at the remote site

The sites currently will be connected via either Sonicwalls or WatchGuard UTM Appliances

Any help or suggestions on this would be greatly appreciated
Hello Experts,

I have got XTM 26 series watchguard Firewall in the company. We are now in the phase of upgrading internet bandwidth from 20 Mbps to 100 Mbps.  According to service provider, I have to setup firewall for traffic shaping but I am not sure watchguard support it or not?

Parameters to configure on firewall are; Shaping Rate, Shaping burst, Extended burst.

I do not want to go with other option of adding a router before the firewall, as it may stops all applications running in branch office.

Can anybody help me with?
Watchguard to Draytek site to site VPN - 2 tunnels required.

WG side has local IP of and this needs linking to the draytek which has 2 LAN and

I need a tunnel for both

Now i can set this up with one tunnel no issue. but cant see anywhere to add a second tunnel on the draytek end. Ive herd GRE might be the answer my question but havnt used this before.

How do i add a second tunnel. I have also tried a second VPN with the other tunnel but this causes both VPNs to alternate and not work correctly. any help or questions welcome
Watchguard mobile VPN stops receiving data whenever I reboot my laptop. It requires me to uninstall and install again to make it working. Can some please suggest me the cause of the issue.
I have a wireless envorment with:

Server 2012 R2 running the NPS service for RADIUS authentication to the AD
Ubiquiti UniFi APs that are set to forward auth to the RADIUS NPS server

Now I have that setup, and it works, and authenticates the users AD login, and connects to the network just fine, the issue I have, comes after that, when the user is not authenticated through the single sign on through RADIUS for the WatchGuard firewall. I have followed what little information WatchGuard has on this, but most of their information points to MSDN pages, that get me no where.  I understand that the WatchGuard needs to receive accounting packets with information from the NPS server, but it doesn't seem to be getting them, as the firewall still tries to route users to authenticate through the web portal.

Not sure where to go from here in order tell which system to send to what and where, and how.
At NY Data Center, and UK and US Offices the IP addresses accessing in and being accessed out.

Objective is to identify suspicious / unauthorized access or data transfer .
Good Day,
We have a WatchGuard XTM-22 at one our schools and it is not working - we have no internet access for any device on our network.
Here is the setup for this unit:

Port 0 - Main internet feed
Port 1 - to our internal network
Port 2 - Mgmt
Port 3-  Another internet feed DSL
Port 4 - unused
Port 5 - Another internet feed DSL

(We have very limited / poor internet speeds available in this remote community.  The IT Consultant before we took over was able to configure the unit to use the internet feeds from Ports 0 and 5, which is all that could be used at the time.  Port 3 feed is redundant and can be used as a backup for port 5 by switch cables).

Right now, here is the status of the lights on the front of the WatchGuard unit, going from left to right:

Failover:  Flashing green
WAP:  Off

Ports 5,4,3:  Both Link and 100/1000 lights off
Ports 2,1,0:  Both Link and 100/1000 lights flashing green in unison

Status:  Solid Red
Attn:  Solid Orange
Mode;  Flashing Green
Power:  Solid Green

I have tried to connect my laptop via RJ45 cable directly to Port 2 to access the unit, but there is no activity on this link and I don't get a DHCP address.   Web browser access to both the external IP and internal IP addresses won't work either.

Any suggestions on what is causing this problem?  I have no experience with this particular unit and the network setup is quite convoluted - five VLANs.  I think there is a backup config file from about a year ago.
Recently we added a new TPG IPVPN Connection (MPLS Network with Hosted Firewall) to eth2 on our watchguard but cant get it to work properly (see attached picture)

For some reason i cannot ping any Sydney LAN IP Addresses (on network) from QLD Office to Sydney Office.

What do i need to enable / configure on the wathguard so i can ping internal lan addresses from qld office ?

QLD Office LAN is on network.
Sydney office LAN is on network

From QLD office I can ping,,, OK, but if I try to ping the Watchguard LAN IP Address or another device in the same Sydney network from QLD Office it times out. Any ideas ???

Sydney Office Watchguard Configuration is as follows:

I have 3 interfaces setup on my Watchguard x750e firewall with following parameters:

Eth0: IP: (External) - This is connected to a ISP Managed Cisco 1900 Series Router. This is a routed subnet services TPG NBN Conneciton.

Eth1: IP: (Trusted)

Eth2: IP: (External) - This is connected to a TPG NTU and is a IPVPN Connection. This also requires RIPv2 and has dynamic routing setup.
Dynamic Routing Configuration:
1. Enabled Dynamic Routing is enabled.
2. Enable RIP is enabled
Rip Configuration :
router rip
network …

I have a server running filezilla server and is configured with ftp over tls.

I know this server is fine because I can connect and upload files fine from a number of locations.   However I have an issue in one particular location behind a watchguard firewall.

The connection establishes successfully and sometimes it can upload a file or part of a file before it fails when configured to ftp over tls.
If I change to ftp it works fine.

I have read that this can sometimes be an mtu issue but don't know how or where to change this.   Please can anyone shed light on this.  

Attached is the filezilla server log and errors it sees.
I am trying to pass multicast traffic between 2 VLANs that are connected by a Watchguard firewall.  No matter what I do, I cannot see and multicast traffic on the "traffic monitor;" on the Watchguard.  I am using a Cisco 2960 with IGMP turned on.  I can stream to everyone in the same VLAN , just not to second VLAN (via watchguard).   Any ideas?
Trying to allow access to the game For Honor.

Watch guard is blocking the games I have checked traffic monitor.

2017-02-20 15:43:41 Deny 11085/udp 51031 11085 1-Trusted 0-External Denied 36 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2017-02-20 15:44:05 Deny 11080/udp 53387 11080 1-Trusted 0-External Denied 32 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

I have allowed UDP ports 11080-11085 still blocks also put host address in exception list to no avail.

Any ideas?
I'm having an issue creating a WPAD file for IE11. It seems there is a lot on the web with lots of WPAD examples, but their all outdated as the IsInNet commands just don't work anymore.

I want the WPAD file to be able to go direct on certain URLS or domains and through the proxy for everything else. Now I've got something working but when users are on the VPN and try to access one of our websites it tries to resolve it via it's internal IP address as oppose to it's public address.

Also, for whatever reason all traffic seems to be going through the proxy, even though the firewall is configured not force all traffic through the tunnel.

Sorry if this is a bit complex, would appreciate any assistance, as I'm sure there must be someone out there that has created a WPAD file to properly work on IE11.  

Here is my WPAD example;

function FindProxyForURL(url, host)
if (
shExpMatch(host, "*")||
shExpMatch(host, "*")||
shExpMatch(host, "*")||
dnsDomainIs(host, "")||
dnsDomainIs(host, "")||
dnsDomainIs(host, "")||
dnsDomainIs(host, "")||
dnsDomainIs(host, "")||
dnsDomainIs(host, "")||
dnsDomainIs(host, "")
return "DIRECT";
else { return "PROXY proxyaddress:8080; DIRECT";}



Smart Security. Simply Done.

For over 20 years, WatchGuard has pioneered cutting-edge cyber security technology and delivered it as easy-to-deploy and easy-to-manage solutions. With industry-leading network security, secure Wi-Fi, and network intelligence products and services, WatchGuard enables more than 80,000 small and midsize enterprises from around the globe to protect their most important assets.