Feature Key Renewal: Cluster

In this article I will show you how to perform feature key renewals on a WatchGuard Firewall cluster.
Once you have bought, for example, a new 3-year license, you will get a link to the renewal.

Once renewed, get the new feature key and import it into the cluster.

Importing the new feature key

Start the Policy Manager and go to:
FireCluster > Configure ... > Members > highlight the Member > Edit > Feature Key > Import


Cisco Placeholder

Work in progress...

Gsuite Placeholder

Work in progress...

Windows Update Troubleshooting

This post describes how to troubleshoot Windows Updates.

First Steps

There are a few general things you should try before going into detail when troubleshooting Windows updates.
First of all, run the Microsoft Windows Update Troubleshooter tool; it will fix most of the issues.

If that does not do the trick you should empty the local update cache.

  • Stop the Windows Update service
  • Rename or delete the directory %windir%\SoftwareDistribution
  • Rename or delete the directory %systemroot%\system32\catroot2
  • Start the Windows Update service

If the client still won't pull any updates after a reboot, we have to take a deeper look.
First check the log:
If that file is not available or empty, use the following PowerShell command to generate an error log.


If you paste error messages from here into Google, you will most likely find something.
If this doesn't work try the WSUS Offline from Heise:

First use \wsusoffline\UpdateGenerator.exe to download the updates for the system you want to patch:

Then install the updates.

Other known issues:

####### WSUS ####### 

The client is failing to update from a WSUS.
(The log is showing the FQDN or the IP of a local server)

Possible origin:

1) There is some issue with the WSUS
2) There is no WSUS any more, the GPO has not been updated
3) There is no WSUS any more, the GPO has already been updated

Solutions:

1) I would have to write a book about this...
2) Edit / delete the GPO, run gpupdate /force on the client and reboot it
3) If 2 does not do it, you will have to purge or edit the registry keys by hand


####### /WSUS ####### 




SSL VPN Troubleshooting

This post is a collection of WatchGuard SSL VPN issues known to me and how to solve them.



Symptoms:

  • SSL VPN session is closed directly after connecting
  • The session is visible in the System Manager for only 1-2 seconds
  • There is no error in the client log

Cause:

  • You are using an SSL VPN client version that is older than the WatchGuard firmware

Solution:

  • Install a newer SSL VPN client version





Multi-WAN setup (Uplink Failover)

The idea is to use multiple Internet uplinks to avoid downtime.
If one of the uplinks is down, traffic will be sent over the other.

Setting up the Failover

You need to have multiple Interfaces configured as type External.

In the configuration of the interfaces you have to:

  • either define the external IP Address and the Gateway provided by your ISP
  • or use DHCP Client if you have a router with active DHCP hooked up to that port

After that we configure the failover at Network > Configuration > Multi-WAN.
Here we have to edit multiple settings:

  • Choose Failover as the Multi-WAN Configuration method
  • The Configure... button opens a window where you can choose Interfaces to use for this Configuration
  • The order of the interfaces in this list defines which one is the primary uplink (the highest one) and which is the backup
  • In the Link Monitor at External interfaces you can define for every interface:
    - Monitor By - Ping a specific target or open a TCP connection to it
    - Probe Interval - Repeat this every X seconds
    - Deactivate after Consecutive Failures - Flags the uplink as FAILED if the check fails too often
    - Reactivate after Consecutive Successes - Flags the uplink as AVAILABLE after enough positive tests

In the System Manager you can see what Uplinks are Available or Failed right now.

For debugging, you should check which targets are being checked and try a manual ping or traceroute via that interface before contacting the ISP.
Maybe your check is just bogus.
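
How the two "Consecutive" thresholds react to a run of probe results, as an added model (not WatchGuard code and not from the original post). It assumes a counter is reset as soon as a probe of the opposite kind arrives; the probe string is constructed sample data.

```shell
#!/bin/sh
# Added example: model of the link monitor thresholds described above.
# Assumption: "consecutive" means the counter resets on the first opposite result.

# link_monitor_trace FAIL_LIMIT OK_LIMIT PROBES
# PROBES is a string of results in probe order: 1 = probe answered, 0 = probe lost.
# Prints every state change as "<probe number>:<new state>".
link_monitor_trace() {
    fail_limit=$1; ok_limit=$2; probes=$3
    state=AVAILABLE; fails=0; oks=0; n=0; trace=""
    while [ -n "$probes" ]; do
        rest=${probes#?}          # everything after the first character
        p=${probes%"$rest"}       # the first character itself
        probes=$rest
        n=$((n + 1))
        if [ "$p" = 1 ]; then
            oks=$((oks + 1)); fails=0
        else
            fails=$((fails + 1)); oks=0
        fi
        if [ "$state" = AVAILABLE ] && [ "$fails" -ge "$fail_limit" ]; then
            state=FAILED; trace="$trace $n:FAILED"
        elif [ "$state" = FAILED ] && [ "$oks" -ge "$ok_limit" ]; then
            state=AVAILABLE; trace="$trace $n:AVAILABLE"
        fi
    done
    echo "${trace# }"
}

# detection_seconds PROBE_INTERVAL FAIL_LIMIT
# Approximate time a dead uplink keeps carrying traffic before it is flagged FAILED.
detection_seconds() {
    echo $(( $1 * $2 ))
}

# Constructed sample: single lost probes (3 and 10) change nothing,
# three losses in a row (5-7) fail the uplink, three successes (11-13) restore it.
link_monitor_trace 3 3 11010001101111
detection_seconds 5 3
```

A monitor target that drops a probe now and then only causes a failover if the losses are consecutive, so a flapping uplink usually points at the target or the thresholds rather than at the ISP.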



Traceroute from the firewall

Traceroute is a tool that is often used in network debugging.
It shows you over which hops your packets reach a destination.


To use traceroute on a WatchGuard, go to Tools > Diagnostic Tasks.

Here you can select the "task" Traceroute and provide the target address in the Address field.

Important: If you have multiple uplinks, you have to check Advanced Options and use the parameter -I <Interface> <Target>




This article describes how to configure SSL VPN on a WatchGuard firewall.
A basic setup needs to be in place.


Connect to the firewall using the WSM and select in the Policy Manager VPN > Mobile VPN > SSL.

Here you choose Activate Mobile VPN with SSL and enter your public IP into the Primary field.
This is also the place where you can select if you want to force all traffic of the client through the tunnel.


In the Advanced tab we can provide a domain (if there is one) and a local DNS server.

Since the last patch, users and passwords are no longer configured in the Authentication tab; you can only view them there.
Now you have to choose Setup > Authentication > Authentication Servers...

Here you can choose whether you want to add users to the Firebox-DB (the internal database on the firewall) or use authentication with LDAP/AD, RADIUS or SecurID.
In this case we create a user on the firewall.

User groups make it easy to write firewall rules.
We add the new user to the default group SSL-VPN-Users.

Now you can set up the software on the clients:



Fixing CIFS Issues with AD Integrated NAS

After you integrate a NAS into your domain you will get permission errors when trying to mount the SMB share using CIFS.



You have to add the domain parameter from now on:

If the user is a domain user:
mount -t cifs -o username=USERNAME,password=PASSWORD,domain=DOMAIN // /mnt/MOUNTPOINT

If the user is local on the NAS:
mount -t cifs -o username=USERNAME,password=PASSWORD,domain=. // /mnt/MOUNTPOINT
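
The commands above put the password on the command line, where it ends up in shell history, and a password containing a comma is not parsed correctly there. mount.cifs also accepts a credentials= file with the same three fields. This is an added example, not from the original post; the file path, //NAS.example/SHARE and the sample values are placeholders.

```shell
#!/bin/sh
# Added example: keep CIFS credentials (including the domain) in a root-only file.
# All paths, host and share names here are placeholders, not values from the post.

# write_cifs_credentials FILE USERNAME PASSWORD DOMAIN
# DOMAIN is the AD domain for a domain user, or "." for a user local to the NAS.
write_cifs_credentials() {
    cred_file=$1
    (
        umask 077   # a newly created file is 0600 from the start
        printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$cred_file"
    )
    chmod 600 "$cred_file"   # tighten the mode if the file already existed
}

# check_cifs_credentials FILE
# Fails if the file is readable by group/other or has no domain= line.
# Uses GNU stat (-c), as found on Linux systems that mount CIFS shares.
check_cifs_credentials() {
    perms=$(stat -c '%a' "$1") || return 1
    [ "$perms" = 600 ] || { echo "insecure mode $perms on $1" >&2; return 1; }
    grep -q '^domain=' "$1" || { echo "no domain= line in $1" >&2; return 1; }
}

# cifs_mount_cmd FILE SHARE MOUNTPOINT
# Prints the mount command to run as root; no secret appears in it.
cifs_mount_cmd() {
    printf 'mount -t cifs -o credentials=%s %s %s\n' "$1" "$2" "$3"
}

# Demo with constructed values; the mount command is printed, not executed.
demo_file=$(mktemp)
write_cifs_credentials "$demo_file" USERNAME 'PASS,WORD' DOMAIN
check_cifs_credentials "$demo_file" &&
    cifs_mount_cmd "$demo_file" //NAS.example/SHARE /mnt/MOUNTPOINT
rm -f "$demo_file"
```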


Firewall basic configuration

This article describes a simple configuration of a WatchGuard firewall, in this case an M200, and is based on:

Recovery Mode

First, you should put the firewall into recovery mode by pushing the Reset button while starting the firewall.

Depending on the model, there is either a screen showing that the device is booting into recovery mode or there is, like in this case, a red LED.

In recovery mode the firewall is loading a configuration that has the same characteristics on every model:

  • eth0: Is configured as an "External" interface and will try to obtain an IP address via DHCP
  • eth1: Has the IP address
  • eth1: Is providing IP addresses in the range from to
  • Has the user "status" with the password "readonly"
  • Has the user "admin" with the password "readwrite"

Base configuration

We connect to eth1 and connect to the firewall with the WSM using "Connect to device" and the IP address

Now we start the Policy Manager and change first of all the passwords of the default users:

File > Manage Users and Roles

Afterwards, give the firewall a name and enter the license, the so-called "feature key". The key is a plain text file you obtain by registering the serial number to your account on the WatchGuard.com portal and clicking on "get feature key".

Now you could plug the uplink into port 0 and the switch into port 1, since interface 0 is already configured as "External", interface 1 as "Trusted" with DHCP configured, and there is already a firewall rule that allows the traffic from Trusted to External.

However, I still want to show you how you can set up another network on interface 2.

Open the network configuration by going to Network > Configuration.

Double-click on eth2, change the type of the interface from Disabled to Trusted, and change the network if you want.
Afterwards change the DHCP settings and configure a DNS server in the DHCP options.