Support and Troubleshooting
Open a support ticket
Important
Questions? Just send us a Support Ticket! Email us at the following address: support@blastwave.com
Support updates
Host Agent
Date | Description and document link |
|---|---|
26th January 2023 | GPG key expiry on Ubuntu and Debian Host Agent installations |
Connectivity requirements
auth.blastwave.io TCP port 8443 outbound.
Outbound UDP ports to all destinations.
If you use DNS over HTTPS, ensure it is configured in your OS and not in your browser to allow the BlastShield Client to use its associated DNS server.
Ensure that the timezone is correctly set on your computer for your location and that the clock is set accurately.
Outbound UDP ports to all destinations.
Outbound UDP ports to all destinations.
Commonly asked troubleshooting questions
If you encounter difficulties when using BlastShield™, please check out the following common issues and resolutions.
How do I register to join a BlastShield™ network?
If you have received a registration URL then use this method to register: Step 2 - Register with your BlastShield™ Network
If you have not received a registration URL, then contact us here: https://www.blastwave.com/contact
The authentication process on the Desktop Client does not start or display the QR code.
This error can indicate that your firewall is blocking outbound traffic. Please check the following ourbound ports are allowed:
Desktop Client Connectivity Requirements
The Desktop Client has the following connectivity requirements.
auth.blastwave.io TCP port 8443 outbound.
All outbound UDP ports to all destinations.
If you use DNS over HTTPS, ensure it is configured in your OS and not in your browser to allow the BlastShield Client to use its associated DNS server.
Ensure that the timezone is correctly set on your computer for your location and that the clock is set accurately.
If you have verified that the outbound traffic is allowed on your network, please check on your computer that your host AV or endpoint security software is not blocking the BlastShield™ Client from running.
The authentication step using the Mobile Authenticator app is not working.
This can often be related to your mobile device. Please check the following.
You must have a mobile device with biometric support (fingerprint or face-id) for authentication.
If you have changed your mobile device, then you will require an authentication reset. Your system Administrator must login to the BlastShield™ Orchestrator and peform an authentication reset on the user. You can learn how to reset user authentication here.
You can connect to the Orchestrator, but not to any of your Agents or Endpoints.
The BlastShield™ solution is zero-trust, so you will require a policy to allow access to the Agents on your protected servers.
Your Desktop Client connects to the BlastShield Network but you cannot connect to the Orchestrator.
Check the following on the host running the BlastShield™ Desktop Client.
Ensure that the timezone is correctly set on your computer for your location.
Verify that the system clock is accurate. An incorrect setting may cause connection errors in the Client.
Where are the log files stored on the BlastShield Desktop Client?
Log files may be viewed in the Desktop Client GUI by clicking on the 'Logs' button at the bottom left off the Connection Status window.
Alternatively, you can locate the log file in the OS as follows:
OS type | Client logs |
|---|---|
Windows |
|
macOS |
|
Linux |
|
How do I upgrade the Host Agent?
The Host Agent may be upgraded directly from the Orchestrator, which you can learn about here. This is the recommended method.
For Host Agents which are on Release 1.2 or lower, the Agent is upgraded by installing the latest version of the Agent software onto the server and you can learn how to do this here.
How is the Gateway upgraded?
The Gateway is upgraded from the Orchestrator. You can read the Gateway upgrade process here.
What are the BlastShield™ Gateway hardware requirements?
The Gateway requires an x86 based hardware platform with the following minimum specifications:
x86 Gateway hardware requirements
Parameter | Value |
|---|---|
CPU | Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. Note that more powerful CPUs with AES-NI support such as Core i3 or Xeon are also supported. |
RAM | Minimum 4GB |
HDD/SSD | Minimum 8GB |
NICs | Two NICs required. Most NICs made by Intel, Broadcom and Mellanox are supported. |
What is the 'Send Default Gateway' option in the Endpoint configuration for?
If the 'Send Default Gateway' checkbox is ticked, then a default gateway address will be sent in the. DHCP offer from the BlastShield Gateway to its protected Endpoints.
The BlastShield Gateway will use 172.16.255.254 as the default gateway (if the standard prefix is being used).
The default gateway configuration can be enabled for Endpoint devices which require a default gateway IP address in their IP configuration and for configuring the Enhanced Gateway Endpoint connectivity feature.
Why does an Apple Mac Endpoint not respond to DNS based queries?
Apple have implemented the DHCP functionality on the Mac such that if a default gateway is not sent in the DHCP offer then it discards the sent DNS entry, but it does accept the IP address.
The BlastShield Gateway allocates the protected IP address to the Mac endpoint by a DHCP offer but it does not include a default gateway address in the offer.
To learn how to work around this, watch the following video or read the steps below.
Go to the Orchestrator, and click on the Endpoints menu on the left.
Find the endpoint configuration for the Mac endpoint in question and click on it.
In the Endpoint Settings tab, check the "Send DHCP default gateway" option for the Mac endpoint.
This will ensure that a default gateway address is sent in the DHCP offer to the Mac computer and will ensure the Mac does not discard the offered DNS name.
Click "Save Changes".
Why doesn't the Anydesk client connect to an endpoint over the BlastShield network?
Anydesk is a remote connectivity app which connects a remote user to a host computer and routes the connection via Anydesk’s SaaS cloud. Since the SaaS cloud is outside of the BlastShield Network, then BlastShield™ will not send packets to it. Clients such as Microsoft Remote Desktop will work as an alternative, since they use a peer-to-peer connectivity.