Watchguard tcp dump options

About TCP Dump Argumentlogo-small

When you run the TCP dump task, you must specify the interface on which to run the task. You an also include expressions in the task arguments to filter for specific traffic.

To specify the interface, you include the -i argument and the interface name and number.

For example:

– i eth1 — Physical interface #1

-i ath1 — Wireless interface #1

-i br1 — Bridge interface #1

-i la1 — Link aggregation interface #1

To build an expression to filter the traffic from the interface you specify, you can use any of the standard TCP dump keywords and operators. Some of the common keywords and operators are:

host — Only include traffic to or from the specified host IP address.

net — Only show traffic to or from the IP addresses in the specified subnet. For example, for 10.0.1.0/24, type 10.0.1.

port — Only show traffic with either a source or destination of the specified port.

portrange — Only show traffic from the specified range of ports.

ip proto — Only show traffic from the specified protocol. For example, for ESP packets, type 50.

src or dst — Use with the keywords host or port to specify the source or destination.

tcp or udp — Use with the keywords port or portrange to specify the protocol.

and / or — Use to combine expressions.

For a complete list of the available keywords, see the PCAP-Filter manpage at http://www.tcpdump.org/manpages/pcap-filter.7.html.

Examples of TCP dump arguments:

-i eth1 host 10.0.1.25 and dst port 80
Show only traffic on interface eth1, to or from 10.0.1.25 with destination port 80.

-i eth0 tcp port 25
Show only traffic on interface eth0, to or from TCP port 25.

-i vlan1024
Show only traffic tagged with VLAN 1024.

-i eth0 udp port 500 or ip proto 50
Show all UDP port 500 or ESP packets for the eth0 interface.

-i eth2 src 10.0.1.100 and dst 10.0.2.25
Show all traffic from 10.0.1.100 to 10.0.2.25 on the eth2 interface.

Hits: 1472

Factory Reset M-series

To reset a Firebox M200 or M300 to factory-default settings:Openlogo-small

Hits: 593

Recommended Watchguard Firecluster IP addresses

logo-smallSelect IP Addresses for Cluster Interfaces

We recommend you make a table with the network addresses you plan to use for the cluster interfaces and interface for management IP address. To avoid conflict with routeable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface, or use link-local IP addresses that begin with 169.254. If you use link-local IP addresses, you might find it useful to define your cluster interface IP addresses like this:

169.254.<interface number>.<member number>/24 

The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, your table could look something like this:

Interface # and IP addresses for a FireCluster
Interface # IP address for Member 1 IP address for Member 2
Primary cluster interface 5 169.254.5.1/24 169.254.5.2/24
Backup cluster interface 6 169.254.6.1/24 169.254.6.2/24
Management interface 1 10.0.10.100/24 10.0.10.102/24

Hits: 142

Watchguard XTM HTTPS Deep Inspection with Active Directory

On the XTM:

Create FW CSR via Firebox Sytem Manager, use type Proxy Authority

On the Domain Controller:

– Upgrade DC Cert authority to issue sha-256 certs link

– Export root and intermediate certs type Base64

– Import FW CSR via http://DC-ip/certsrv, type subordinate ca

– Export FW Cert type Base64

On the XTM:

– First import root then intermediate certs type IPSEC, Web Server, Other

– Then import FW Cert type Proxy Authority

fsmcerts



Create https proxy policy in Policy Manager

Content Inspection: Enable deep inspection, do not Allow SSLv3, action inspect

Domain Names: None matched: Inspect

Test to find out if the firewall issues the right certs in your browser:

https-deep-inspection

 

 

 

 

 

 

 

 

 

 

 

 

 

Hits: 103