BWC Cybersecurity Overlord ✭✭✭

Badges (27): 5 Year Anniversary, 250 Answers, 4 Year Anniversary, 3 Year Anniversary, 250 Likes, 100 Answers, 100 Helpfuls, 2 Year Anniversary, 1,000 Comments, 50 Answers, 1 Year Anniversary, 500 Comments, 25 Answers, 100 Likes, 25 Helpfuls, 100 Comments, Work Out Loud, 5 Answers, 25 Likes, First Answer, 10 Comments, 5 Helpfuls, First Comment, 5 Likes, Photogenic, Name Dropper, Early Adopter

Comments

  • @mimiz look at the X18 subnet as some form of transfer network, I would create a separate zone for that and rate it as public. Create the needed network routes for each side (-A routes networks via X18 IP address of -B and vice versa) and make sure it's used prior to your VPN. Allow the traffic from LAN to…
  • @mimiz you cannot have the same subnet on both sides because you expect Layer 2 to work over Layer 3, this might work with EoIP which is not the case here. A local ping will (should) work if enabled on the X18 interface, but will not work for the remote side because the packet is not routed and the ARP lookup will fail,…
  • @solar_small you should run a Packet Monitor on the Firewall for IP, UDP, Port 67,68 and check if the DHCP Discover reaches the Firewall on the correct interface. If you can't see the Discover on the Firewall it might get caught on the way, because you checked already that the Phone is generating the Discover properly.…
  • Hi @Rave_Romero12 no, I meant in the VPN definition. Is any of the Public IPs defined either for Local or Remote Network? Did you fire up a Packet-Monitor to watch what happens to the packets? --Michael@BWC
  • @Rave_Romero12 if the ping only fails when the Tunnel is up, does the Tunnel Source/Destination Network include any of the involved Public IPs by any chance? --Michael@BWC
  • @Natco_WG this can only be accomplished with the Secure Mobile Access Appliances (SMA) not with the SSLVPN functionality baked into the Firewall. --Michael@BWC
  • You should check with support, maybe a manual update of the firmware on both units will work, but make sure with SNWL first. --Michael@BWC
  • Is X7 directly connected between the two units or is there a switch involved? The link for X7 might be up, but it's not properly communicating (wrong VLANs, etc.). If nothing helps, you might need to get in touch with Support and the first action will be a firmware update. --Michael@BWC
  • @sdeyoung if -5065 (I believe that was the same version I had trouble with updating) is on both machines, you should be good just rebooting the primary through the management UI. --Michael@BWC
  • @sdeyoung the state as Standby looks good to me. Anything in the logs? Firmware is close to the latest -5111 or -5119? Did you connect X0 and it's up as well? If I were in your shoes I'd probably reboot the primary unit, I only faced a similar situation when I (or the firmware) messed up the Firmware update and I had…
  • @sdeyoung did you log into the Primary Appliance, because you said it's available through its monitoring address? Maybe the log shows something helpful and it would be good to know what the Primary believes the HA state is. --Michael@BWC
  • @sdeyoung what is the exact information at /Device/High Availability/Status? It should look like this. If "Found Peer" for example says "No", you need to check the state of your primary and the HA-Link. --Michael@BWC
  • As an advocate for proper DNS implementations I strongly suggest not using DNS Doctoring unless you're really familiar with all the aspects or working in a simpler environment. DNS Doctoring will probably break DNSSEC validation, will not work with DoH, DoQ, DoT or any other three-letter acronym. @preston mentioned a valid…
  • @Simon_Weel I'm in no position to answer this bindingly, but I use the categories from the product pages: Entry -> SMB & Branches, Mid -> Mid-Sized Enterprise, High -> Large Enterprise, Virtual -> Virtual (duh) --Michael@BWC
  • @Teleporter Loopback NAT Rules are still needed, if the original NAT Rule does not cover everything like in your case (Ingress/Egress: Any, Orig Source: Any). But as always, a NAT Rule is not enough, a respective Access Rule is needed as well, like LAN (or Any) -> DMZ with Destination X1 IP. In your case it sounds like…
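The comment above about running a Packet Monitor for IP/UDP port 67 and 68 boils down to one question: does a DHCP Discover from the phone actually arrive on the expected firewall interface? The following is an added example, not code from BWC, SonicWall or the thread, that applies the same filter to raw frames and decodes the BOOTP/DHCP payload so you can see the message type, the client MAC, the transaction ID and whether a relay (giaddr) was involved. The two sample packets are constructed inline (a Discover from an assumed MAC 00:11:22:33:44:55 and a DNS query that the 67/68 filter should ignore); nothing here is captured from a real device.

```python
"""
Added example: decode an IPv4/UDP/BOOTP frame and classify the DHCP message,
mirroring the Packet Monitor filter "IP, UDP, port 67/68" from the thread.
The sample packets below are constructed here, not captured from a device.
"""
import struct
from dataclasses import dataclass
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP vendor magic cookie (RFC 2132)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpSummary:
    src_port: int
    dst_port: int
    message_type: str
    client_mac: str
    xid: int
    broadcast: bool
    giaddr: str          # non-zero when a DHCP relay forwarded the packet


def parse_dhcp_frame(pkt: bytes) -> Optional[DhcpSummary]:
    """Return a summary if pkt is IPv4/UDP on port 67 or 68 carrying a BOOTP
    payload, otherwise None (the packet would not pass the 67/68 filter)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                          # IP protocol number for UDP
        return None
    if len(pkt) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if sport not in (67, 68) and dport not in (67, 68):
        return None
    payload = pkt[ihl + 8:ihl + ulen]
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    giaddr = ".".join(str(b) for b in payload[24:28])
    client_mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])

    # Walk the TLV options until END (255); PAD (0) has no length byte.
    message_type = "UNKNOWN"
    opts, i = payload[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and length == 1:        # option 53: DHCP Message Type
            message_type = MESSAGE_TYPES.get(value[0], f"TYPE{value[0]}")
        i += 2 + length
    return DhcpSummary(sport, dport, message_type, client_mac, xid,
                       bool(flags & 0x8000), giaddr)


def _ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap payload in minimal UDP and IPv4 headers (checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                     64, 17, 0, src, dst)
    return ip + udp


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCP Discover as a phone would broadcast it:
    0.0.0.0 -> 255.255.255.255, UDP 68 -> 67, broadcast flag set."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)   # op=BOOTREQUEST
    bootp += bytes(16)                        # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac.ljust(16, b"\x00")           # chaddr (16 bytes)
    bootp += bytes(64) + bytes(128)           # sname, file
    bootp += DHCP_MAGIC
    bootp += b"\x35\x01\x01"                  # option 53: DISCOVER
    bootp += b"\x3d\x07\x01" + mac            # option 61: client identifier
    bootp += b"\x37\x03\x01\x03\x06"          # option 55: request subnet, router, DNS
    bootp += b"\xff"                          # END
    return _ipv4_udp(bytes(4), b"\xff" * 4, 68, 67, bootp)


# Constructed samples: the MAC and xid are assumptions, not real devices.
SAMPLE_DISCOVER = build_discover(bytes.fromhex("001122334455"), 0x1A2B3C4D)
# A DNS query on UDP 53: same transport, but must be ignored by the 67/68 filter.
SAMPLE_DNS = _ipv4_udp(bytes([192, 168, 1, 20]), bytes([192, 168, 1, 1]), 5353, 53,
                       b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    print(parse_dhcp_frame(SAMPLE_DISCOVER))
    print(parse_dhcp_frame(SAMPLE_DNS))
```

If a Discover decoded this way never shows up on the interface where the phone's VLAN terminates, the packet is being dropped or mis-tagged before it reaches the firewall (switch port VLAN, access port vs. trunk), which is exactly the case the comment distinguishes from a firewall-side DHCP problem; a non-zero giaddr, by contrast, tells you a relay rewrote the packet on the way.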