Share tech news, updates, or what's on your mind.

Sign up to Post

I am currently experiencing an annoying VPN issue

I have a WatchGuard M300 cluster based in datacentre 2 which has an existing site to site VPN to datacentre 1

The same customer has a satellite office with a Watchguard xtm33 that has a site to site VPN to datacentre 1.  The satellite office is double NAT'ing, with an external IP in a 1 to 1 NAT direct through to a private IP range that is the external interface on this Watchguard.

datacentre 1 will be turned off soon so I need to connect the satellite office to datacentre 2, however when I set it up I get a timeout error on the Datacentre 2 side (it's like it cannot even see the external interface nevermind start negotiating) and the satellite side doesn't even attempt to start the VPN.  I have checked all of the settings, all traffic is definitely being passed through the satellite offices provider interface and other services are working.  As there is a VPN in place and working on both sides I cannot understand why the issues exists, but seems buggy.  The firmware on the satellite WatchGuard is old, its the only thing I can think to change.  Or its the 1 to 1 NAT, never had an issue before but its a question mark.
SMB Security Just Got a Layer Stronger
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

We have Watchguard m400. The firewall is blocking EXE download. I want to allow only help desk to be able to download EXE, drive etc. How can i do this ?

I inherited a Class B network years ago and am just now wanting to do a major overhaul.  Currently the LAN network is  It is currently just a flat network with servers and clients dispersed throughout.  I want to segment the network into the following categories: Servers (25ea now), Workstations (100ea now), Printers (30ea now), Utility devices (20ea now).  All of our wireless clients are connected on the outside of the firewall and are outside the scope of this question.  Our firewall is a WatchGuard device.

Should I rework the ip address scheme?  If so, can someone layout an example of what I should do?

I am putting together some phone equipment and servers in a datacenter cabinet.  The datacenter is providing us a redundant router connection using HSRP.  The cabinet has two Ethernet cables: primary, secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch then patch that switch into an external interface on the firewall.  After so many attempts I am trying to remember but I think the path to the internet was broken when BOTH router cables were plugged into that switch.  I am going back to the datacenter tomorrow to try more things but I wanted to get some input from you guys first.  I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site.  Basically they gave me a \29 subnet and …
Hi All,

My company Scenario:

I have connected the branch office to main office using VPN.

Main office is running under domain environment and using a Watch guard as a firewall.
Branch office is running in a work group environment and using a Billion VPN Wi Fi router.

VPN has been set up between Watchguard Firewall (XTM26) and Billion Wifi Router (Bi Pac 8920nz)

VPN is working fine. I am able to take remote of all the computers located in to the branch office using "Microsoft Remote Desktop" from the main office.  


I am not able to ping any of the branch office computers. I can ping branch office wifi router and network printer only. What could be the reason?
Server is Windows 2012 R2. Clients are Windows 10.

VPN is a Watchguard SSL VPN. Users are connected on fast VDSL connections.

When Offline Files is enabled, users connecting via the VPN can no longer see any folders other than those already synchronised. File explorer shows the computer working in offline mode.

I have checked the network location, and this shows 'domain' as expected.

It appears that when connected to the VPN, Windows is perfectly happy to authenticate against the network, browse network shares it's never seen before, there are no speed issues, etc, but the minute offline files is enabled, Windows (file explorer only) thinks the computer is offline.

There is no GPO set to describe the slow speed threshold, so the default of 500kbps should be true. The connection is operating nearer 80Mbps.

I've set a GPO "Computer Configuration > Policies > Administrative Templates > Network > Offline Files > Configure slow-link mode" to disabled, which seems to have resolved the issue.

However, I'm more concerned that Windows believes the computer to be offline when it isn't, and I wonder if there's a firewall issue I should be aware of?

Any pointers?
I am trying to create a policy to enable/block specific traffic that my T30-W is handling. I haven't been able to find a good answer as to what each column in the Traffic Monitor means.

All external mails shows as "X-MS-Exchange-Organization-AuthAs: internal"

How to change to anonymous?

(We have a WatchGuard XCS as spam)

In WatchGuard XTM SMTP Proxy definitions, it implies you can set up a rule for "masquerading".  However, how do you set up the replacement string?   For instance, if I want to be redirected to, it is easy enough to match the string and replace it.  But, if I want everyone to be redirected to their same name, how do you set up the replacement string?  You can use a wildcard on the string match but what syntax do they use for the replacement string to attach the portion before   Seems that this should be a simple process for creating masquerading.

We've just found out our 2011 SBS Server has been sending out spam emails by their thousands.  I've checked that there is no open relay in Exchange 2010 (and there isn't) and turned off all PC's on the network but the spam emails keep coming so pretty sure they are coming from the server.  Have virus scanned the server and it seems clean.  I've found that all the spam emails are all coming from the same external IP address.

The network is protected by a Watchguard XTM25 firewall.  My question is can someone please talk a newcomer to Watchguards how to set up a way of blocking these emails coming in from that IP address on port 25?  

Many thanks

Will You Be GDPR Compliant by 5/28/2018?
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

I was recently tasked with setting up a VPN for a client of ours for accessing files from home. We are able to successfully login however when we try to map drives or access resources we are unable to. Mapping drives errors as is we are not in that domain. Trying to access the drives through Explorer returns the same. Can anyone assist with this please?
Hello all,
I will be migrating a Watchguard XTM505 to a Watchguard M370.  I understand the step by step portion of the policy manager.
My question is that before I import the configuration file from the policy manager to the new M370 do I need to activate the new M370 or do anything else to it?
Kelly W.
My user cannot connect with Watchguard client or Shrewsoft client.  Switching users to myself I find that I cannot connect with Watchguard client but I can with Shrewsoft.  This is a Windows 7 Pro PC.  My windows 7 PC can use either client.  Why cant this user use the VPN?
I am trying to configure my Watchguard firewall [XTM 515 - Fireware 11.9.4] to allow certain machines access to the update site of a software provider. Unfortunately this software vendor does not hold the updates on systems that can be referenced via  fixed ip addresses but rely on referencing their infrastructure via a DNS name.  I don't seem to be able to setup a route using packet filters or proxies. Does anybody know of a way of doing this?
I'm in the process of setting up SSO for users so we can control our internet access. We only want domain users to access internet and none domain users such (visitors) need to be blocked.

I have read a couple of articles but am still a little unsure which method to use, so here I am asking experts for guidance. I would also appreciate if someone can write step-by-step setup guide or an article that I can follow with some screen prints?

Please also point out any "gotcha"

This article says that "Event Log Monitor” has to be installed on all domain controllers, but later its talks about pushing out SSO client to machines which is also used for authentication, so am a bit confused if this is needed or not? Please clarify

and then this video also talks about "Exchange Monitor" for authentication.. do I need all of these options or will one suffice?

much appreciated!


Can anyone please tell me step by step how to stop a Watchguard XTM25 from blocking downloads of EXE files from a server hosted website (so need to add an exception as an IP address) .

Many thanks

I know very little about watchguards (or really most complex firewalls).  I have 2 watchguards in location A and location B.  looking at the policies on the main office's watchguard, I have 16 rules.  wonder which are needed?  

This is an XTM21 (old unit, right?)

it takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'retrieving data' on screen for 9 seconds... there's 16 policies in the list.  Is that a long time for pages to load?

a) do you just replace watchguards after x years because they are old?
b) do you reboot them on a schedule? How often? every week? month? year?

This watchguard is set up for:Exchange on the SBS server on the LAN, General surfing from inside the office, VPN to the other location and phones being able to connect to the exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what are set up. I inherited this network so may be unneeded / defaults that came with the box?
FTP OUTboundSMTP ( to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->
HTTPtoMAILSrv (From ANY to 75.127.x.x->
POP3toMailsrv (From ANY to 75.127.x.x->
IMAPtoMailsrv (From ANY to 75.127.x.x->
HTTPStoMailsrv (From ANY to 75.127.x.x->
RDPtoMAILsrv (From ANY to 75.127.x.x->
Voicecom mail system (From ANY to 75.127.x.x->
Watchguard …
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect? how can I change this settings so I don't have to enable these in IE?

Hate to admit how little I know about UTMs .

Have a watchguard UTM (X10e), that I am trying to make changes in a firewall policy for people to access a new camera system that requires different ports than the old camera system.

FIgured I'd just edit the existing policy that someone else set up - the new system will get the same IP as the old system.... I just need to change the ports.  the old system used different ports than the new one.

I go into the web UI (, log in as admin go to firewall / firewall policies.  On that screen, I highlight the camera policy and choose the edit button.

The policy loads but I don't see how I delete existing ports / add ports on the properties page... There's a watchguard  program I could (need??) to use?  There's no add / remove buttons on the properties page, like on the policy page.

Am I missing something?  

By the way, I keep saying I need to learn UTMs.... any thoughts on Watchguard vs other brands?   Best way to learn about how to use / manage them?
Managed Security Services Webinar - March 15
Managed Security Services Webinar - March 15

Selecting the right managed security services platform to grow your business can be a huge undertaking. Join WatchGuard and Frost & Sullivan in an upcoming webinar as we dive into the key elements of selecting a vendor platform and partnership to fuel a successful MSSP business.

I have an Exchange 2013 server behind a WatchGuard M200 Firewall. Both have appropriate SSL certificates installed, and the WatchGuard is configured as an SMTP proxy.

Everything works brilliantly, except, email from two domains is not received. Everyone else works absolutely fine. I am unclear why.

On the Exchange end, the logs for working emails end like this:

250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
,Proxy destination(s) obtained from OnProxyInboundMessage event
"250 2.6.0 <> [InternalId=85388244811933, Hostname=EXCHANGESERVER.DOMAIN.LOCAL] Queued mail for delivery"
221 2.0.0 Service closing transmission channel

Open in new window

However, for two domains, the conversation ends like this:

250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>

Open in new window

It looks as though the sender has been given permission to go ahead with sending their message, and then not done so. However, the message is attempted a few dozen times, about ten minutes apart, before the sender gives up.

On the WatchGuard end, there is one difference between how senders show in logs.

For the working senders, I see lines for both 'ProxyMatch, ProxyAllow:’ and then ‘ProxySMTPReq’, however, for broken senders, I see just ProxyMatch, which is not followed up with ProxySMTPReq.

One of the broken senders is coming from Office 365, however, so are dozens of other senders, so I don't think the issue is there.

Any advice?
I've got a Watchguard 500 series at the main office and a 2 series at a home office.  I've needed to setup a VPN between the two devices to get an IP phone to function properly.  

With the current home office setup I have one interface set as 'external' and connect the cable modem directly here.  Then I have a 2nd interface as 'trusted' which connects to the users home router.  The phone and computer connect to the home router and the VPN works fine.

At the new home office location however the home equipment is a cable modem/router combo - so I have no dedicated WAN port - just 4 LAN ports.

Maybe I'm over thinking this but I'm stumped on how to configure this with the different home router/cable modem combo.

I've been using 'mixed' mode and am wondering if I need to be using 'drop in' mode - ?
Set up Watachguard BOVPN and seems to connect yet not traffic is being passed.  See attached
I have a watchguard M400 (Fireware XTM 11.10) Firewall/Router with about 14 Branch Office VPN'c coming into it. We have a new software these BOVPN's need to access. There are two application servers running the software. I would like to load balance the connections to these servers. Can someone point me in the correct direction?
Been battling this for 2 days.

Sat morning at 6:30 am was receiving email from filter service Fusemail to server. At 7 am noticed emails being deferred and building up in a queue on Fusemail Portal. Nothing changed in these 15 minutes. Fusemail's portal says "error reading banner" on public IP of server and the remote. OWA mx record.

I have done the following to troubleshoot,

Rebooted several times.
Recreated default receive connectors,
Looked thru the IIS system, no issues.
Exchange 2010 IS sending emails as normal.
Double checked the MX records for Fusemail, They are accurate,
Entered the ip addresses of Fusemail servers in the Watchguard T30 FIrewall box to send mail to port 25 (they were NOT there before  but emails were coming in)
Can go to and enter the public IP and port 25, and it is OPEN,

All emails were coming in before any changes made. They simply stopped and they are of no real help, just saying "your server is not allowing connections".

If I cannot find the answer here, they are getting migrated to Office 365 asap.. They, like other businesses cannot be down on email for days..

Any ideas?
Just a general question at this point...We have a network which is joined to another office using a branch office VPN with a Watchguard Firewall at one end and a Netgear VPN router at the other.  Do you know if it's possible to create a second permanent VPN connection from the Watchguard to a software PPTP VPN provided by Windows 2012 on a virtual hosted server?




Smart Security. Simply Done.

For over 20 years, WatchGuard has pioneered cutting-edge cyber security technology and delivered it as easy-to-deploy and easy-to-manage solutions. With industry-leading network security, secure Wi-Fi, and network intelligence products and services, WatchGuard enables more than 80,000 small and midsize enterprises from around the globe to protect their most important assets.