The ranting of an IT Professional » WatchGuard

Incompatibility on Site to site VPN tunnels between Watchguards and Cisco ASA’s

Jason Tramer — Mon, 30 Nov 2009 16:09:44 +0000

I have been working with a client with multiple sites and up until recently they have been using Watchguards at all sites. Recently we have been switching out some of the Watchguard for Cisco ASA’s but there have been a ton of site to site VPN issues. For example, a tunnel goes down, so you re-key it, it doesn’t come back up, but if you recreate then tunnel on the watchguard side with the exact same settings everything works fine. What is the point of having a Standard if companies aren’t following it. Yeesh.

Improvements in Watchguard 11 quick setup wizard

Jason Tramer — Fri, 11 Sep 2009 13:37:19 +0000

One thing that Watchguard did well in there new software version was to include the option to enable DHCP as part of the quick setup wizard. Here is why this is great. Previously you would start up your watchguard in safe mode and hook your computer to it. You would then get an IP address from it (10.0.0.2) which you could use to start your quick setup wizard. You would then configure the internal interface with the IP you would actually want and the reboot the watchguard. However previously DHCP was always off meaning you would then have to go and manually configure an IP address on your machine to match what you configured the internal interface as if you wanted to continue. Needless to say this was a pain in the butt.

Upgrading to Watchguard Fireware 11

Jason Tramer — Thu, 10 Sep 2009 18:52:36 +0000

In reviewing the release notes on the site and speakign to a watchguard rep the best upgrade path to the new fireware XTM version 11 is by first upgrading your existing firebox to version 10.2.9 and then upgrading to 11.

Upgrading directly from any version below 10.2.9 is not recommended and could cause the upgrade to cause the fireware image to become corrupted

Fireware 11 has been released!

Jason Tramer — Thu, 20 Aug 2009 13:33:18 +0000

So in the past I have criticized Watchguard a tad when they constantly give me the answer that my issue is a known bug and will be fixed in the next version …

Well the next version is here! Fireware 11 has been released to the general public. I will get trying it out in the coming days and reporting back here but a quick look in my IT crystal ball tells me that Watchguard will have indeed fixed all those little bugs which plagued my existence for so many months. Before Watchguard draws too much succor from my words I should also point out that my IT crystal ball tells me that I will be soon plagued with a ton of new bugs which won’t be fixed till version 12 comes out.

Watchguard MUVPN not working due to Mcafee firewall

Jason Tramer — Thu, 30 Apr 2009 20:45:07 +0000

I hate personal firewall products but none so much as I hate mcafee. I was testing a MUVPN and the tunnell just wouldn’t established. I turned that thing into swiss cheese, it shouldn’t have been blocking anything but the VPN tunnel STILL wouldn’t come up until I actually turned off the service. Gah it’s frustrating.

A review of the Cisco ASA 5505

Jason Tramer — Wed, 15 Apr 2009 18:28:59 +0000

I deal with a lot of small business’s and branch offices and up until now we generally have been promoting the Watchguard X10e for their firewall needs. However I have recently been very impressed with the Cisco ASA 5505 for this business space. Its got great functionality, robustness and the price point is far cheaper then I think most people might realize. For 10 user license pack CDW is retailing a unit a 414 dollars! For a Cisco partner such as my company we can usually do even better.

Watchguard Edge devices missing ping utility

Jason Tramer — Mon, 12 Jan 2009 20:27:03 +0000

The ability to ping from a firewall is a fantastic and some might say essential tool for troubleshooting network (in particular routing) issues. It is for this reason that pretty much every major commercial firewall product out there has this ability (even Sonicwalls). Yet for some reason the Watchguard Edge’s do not. Why this is I have no idea, I could speculate but it wouldn’t be very complimentary.

SSO agent update for Watchguards

Jason Tramer — Fri, 21 Nov 2008 20:52:45 +0000

So a couple days after I complain about Watchguard having a broken SSO agent they release an update! Perhaps they read my blog? In any case before all they had was an agent which gets installed on a server, now they have both an agent and client. The client runs in the background and facilitates the passing of credentials. I will implement this in the next few days and report on how it goes.

SSO agent known issue for Watchguard firewalls

Jason Tramer — Wed, 19 Nov 2008 16:52:39 +0000

After troubleshooting an issue with the SSO agent causing internet disconnections for users I have discovered from Watchguard tech support that this is a known issue. It will be fixed in the next update. There are no workarounds in place other than disabling the SSO agent.

Watchguard – Limitation when setting up High Availability

Jason Tramer — Mon, 20 Oct 2008 21:10:05 +0000

I don’t expect the various hardware and software out there to be perfect, really I don’t. However what I do expect is when there is a limitation or problem with a product that the vendor documents it somewhere. It is such a waste of my time to fight with an “issue” for hours on end only to find out that it is a known issue. For example with the Watchguard Core’s. When setting up High Availability mode you have to set HA to run on one of the first 4 ports. If you set it on any of the latter ports it won’t work properly. No reason for this, it just won’t work. While this can be a little annoying it really isn’t a huge deal IF you know about in advance. Given the fact that I couldn’t find documentation on this then hopefully this blog will save you the time that I lost.