BWC

Cybersecurity Overlord ✭✭✭

Comments

  • @XChangingIT sorry for the confusion, I was always under the assumption that there is a switch attached, my bad. The switch had to be configured tagged for the Port with X2 attached to it and untagged where the AP is connected to. There is no requirement to use a tagged VLAN for the AP provisioning, it's just the way I…
  • @MattHooper having your non-authenticated devices get static IPs would probably be the best approach. Not sure if this is possible, but it's not a requirement. The Access Rule for your authenticated users looks good to me, for the non-authenticated devices I would use the mentioned Address Objects and put them in a Group…
  • @MattHooper you could create Address Objects of type MAC for the devices with no authenticated users (if we're talking SSO or Web Authentication?). Then just create a new CFS rule for this group of Address Objects with the needed CFS Policy and have this Rule above your CFS Rule requiring Authentication. If you're using…
  • @Jhamaker did you check with Packet Monitor what is getting dropped when trying to do Wifi Calls? Did you allow the needed traffic from your WLAN Zone to WAN? This is a recent thread which might give you some insights: At the end of the day you need to open up UDP 500 and 4500 to the ePDG for the mobile carriers in…
  • @XChangingIT what does the configuration of the port at your network switch look like where the X2 interface is connected to? If you need to assign a Zone/Subnet to the untagged portion of the Interface I assume the switch isn't configured correctly or your APs end up in that zone, which might be something you don't want.…
  • @XChangingIT if you need to create tagged VLAN Interfaces it's described over here: If you leave the physical Interface Unassigned (not selecting any Zone) there will be no additional network (untagged VLAN). --Michael@BWC
  • @MartinMP I updated a TZ 670 a minute ago and I did not experience the "Device registration needed". I updated with the current configuration, no factory reset. Was it fixed by a reboot or did you have to re-enable (register) the trust with the backend? --Michael@BWC
  • @Simon_Weel DNS on the Firewall is just a resolver (proxy) not an authoritative DNS, therefore it cannot be used as a slave. --Michael@BWC
  • @lowrider no, it's really First match only. Please check the Admin Guide, on Page 97 there is a detailed description how CFS works. About the group membership, is it possible that one of the groups the user is a member of, is a member of block porn group by itself? This would mean that nested groups are possible. Or did…
  • @lowrider yes, First-Match means exactly that, combining Policies is not possible. Are you sure that the block is caused by the block policy for block porn? It might get triggered by the Default Policy if left enabled. --Michael@BWC
  • @lowrider CFS Policy is First-Match, you always have to build a complete Policy. If you block something in 1) it will not be allowed in 2) if a match already happened. I'm not sure about nested groups, IMHO it's not supported, you have to check at Monitor -> User Sessions -> Active Users and hover over the bubble to see…
  • @IT_Will_be_Fun great that you figured that out, the devil is always in the details. Happy NTPing :) --Michael@BWC
  • 7.1.1-7051 got released and seems to address a lot of the reported issues. --Michael@BWC