Configure a Firebox as a Managed Device
If your Firebox has a dynamic IP address, or if your WSM Management Server cannot connect to it for another reason, you can manually configure the Firebox as a managed device before you add it to the Management Server.
If your Management Server is not behind a gateway Firebox, you must configure the firewall that is between the Management Server and the Internet to allow connections to the Management Server public IP address over TCP ports 4112 and 4113.
To connect to a managed Firebox, you must be able to reach the managed Firebox from your local computer on TCP ports 4105, 4117, and 4118.
For more information about the gateway Firebox, go to About the Gateway Firebox.
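A pre-flight reachability check for the two port requirements above, added here as an example and not part of WatchGuard's documentation. It assumes the caller supplies the Management Server public IP (or the public IP of the gateway Firebox that forwards to it) and the managed Firebox address; the addresses in the `__main__` block are placeholders.

```python
"""Pre-flight TCP reachability check for the management ports listed above.

Added example, not WatchGuard code. Host addresses are assumptions supplied by
the caller: the Management Server public IP (or the gateway Firebox public IP
that forwards 4112/4113 to it) and the managed Firebox address as seen from
the administrator's computer.
"""
import socket

# Managed Firebox -> Management Server (inbound through the gateway Firebox or
# the third-party firewall in front of the Management Server).
MGMT_SERVER_PORTS = (4112, 4113)
# Administrator's computer -> managed Firebox.
MANAGED_FIREBOX_PORTS = (4105, 4117, 4118)


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unroutable, or bad name
        return False


def check_management_reachability(mgmt_public_ip, firebox_ip, timeout=3.0):
    """Return {(host, port): reachable} for every port the page requires."""
    targets = [(mgmt_public_ip, p) for p in MGMT_SERVER_PORTS]
    targets += [(firebox_ip, p) for p in MANAGED_FIREBOX_PORTS]
    return {t: tcp_port_open(t[0], t[1], timeout) for t in targets}


def blocked_targets(results):
    """Sorted list of (host, port) pairs that did not complete a handshake."""
    return sorted(t for t, ok in results.items() if not ok)


def local_listener():
    """Self-test helper: a listening socket on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Placeholder addresses (documentation ranges); replace with your own.
    results = check_management_reachability("203.0.113.10", "192.0.2.1", 2.0)
    for (host, port), ok in sorted(results.items()):
        print(f"{host}:{port} {'open' if ok else 'BLOCKED'}")
    print("blocked:", blocked_targets(results))
```

The 4112/4113 connection is initiated by the managed Firebox, so run this from the Firebox's network segment to test that direction accurately; from the administrator's computer it only confirms the 4105/4117/4118 path.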
Edit the WatchGuard Policy
From Fireware Web UI:
- Select Firewall > Firewall Policies.
The Firewall Policies page appears.
- Double-click the WatchGuard policy to open it.
The Policy Configuration page for the WatchGuard policy appears.
- In the Connections are drop-down list, make sure Allowed is selected.
- In the From section, click Add.
The Add Member dialog box appears.
- In the Member Type drop-down list, select Host IP.
- In the Member type text box, type the IP address of the external interface of the gateway Firebox.
If you do not have a gateway Firebox that protects the Management Server from the Internet, type the static IP address of your Management Server.
- Click OK to close the Add Member dialog box.
- Make sure the To section includes an entry of either Firebox or Any.
- Click Save.
From Policy Manager:
- Open Policy Manager for the Firebox to enable as a managed device.
- Double-click the WatchGuard policy to open it.
The Edit Policy Properties dialog box for the WatchGuard policy appears.
- In the WG-Firebox-Mgmt connections are drop-down list, make sure Allowed is selected.
- In the From section, click Add.
The Add Address dialog box appears.
- Click Add Other.
The Add Member dialog box appears.
- In the Choose Type drop-down list, select Host IP.
- In the Value text box, type the IP address of an external interface of the gateway Firebox.
If you do not have a gateway Firebox that protects the Management Server from the Internet, type the static public IP address for outbound traffic from your Management Server. If the Management Server is behind a third-party gateway, type the public IP address for outbound traffic through that gateway.
- Click OK to close the Add Member dialog box.
- Click OK to close the Add Address dialog box.
- Make sure the To section includes an entry of either Firebox or Any.
- Save the configuration file.
You can now add the device to your Management Server configuration.
Set Up the Managed Device
If your Firebox has a dynamic IP address, or if the Management Server cannot find the IP address of the Firebox for any reason, you can use this procedure to prepare your Firebox to be managed by the Management Server.
To manage your Firebox with WatchGuard Dimension, you must complete this procedure to specify your instance of Dimension to manage the Firebox, instead of the WSM Management Server, and then import the management settings file (.WGD file). For more information about the .WGD file, go to Add a Firebox to Dimension for Management.
Configure the Gateway Firebox
The Firebox that protects your Management Server (the gateway Firebox) automatically monitors all ports used by the Management Server and forwards any connection on these ports to the configured Management Server. When you use the WatchGuard Server Center Setup Wizard to set up the Management Server, the wizard adds a WG-Mgmt-Server policy to your configuration to handle these connections. If you did not use the setup wizard, or if you skipped the Gateway Firebox step in the wizard, you must manually add the WG-Mgmt-Server policy to the configuration of your gateway Firebox. Configure the policy to allow inbound traffic from the external interface to a static NAT action that translates the public IP address of the external interface to the IP address of the Management Server. This policy on the gateway Firebox allows inbound connections to the Management Server over TCP ports 4112 and 4113. For more information, go to About the Gateway Firebox.
If your Management Server is not behind a gateway Firebox, make sure to configure the firewall that is between the Management Server and the Internet to allow connections to the Management Server public IP address over TCP ports 4112 and 4113.
Get the Management Server CA Certificate
When you configure a Firebox as a managed device, you must include the contents of the Management Server CA certificate in the Managed Device settings. The Management Server CA certificate is available through CA Manager. If you use Fireware Web UI to configure the Managed Device settings, you can copy and paste the contents of the CA certificate from CA Manager when you configure the Firebox. If you use Policy Manager to configure the Managed Device settings, you must import the Management Server CA Certificate from the CA-Admin.pem file when you configure the Firebox. When you connect to the Management Server in WSM, the CA-Admin.pem file is saved to your computer in this directory: C:\Users\<your user name>\Documents\My WatchGuard\certs\<Management Server IP address>.
For more information about how to find the Management Server CA Certificate, go to Manage Certificates on the Management Server.
Configure Your Firebox for Management by a WSM Management Server
You can configure the Managed Device settings for your Firebox from Fireware Web UI or Policy Manager.
From Fireware Web UI:
- Select System > Managed Device.
The Managed Device page appears.
- Select the Enable Centralized Management check box.
- From the Manage Device With drop-down list, select Management Server.
- In the Managed Device Name text box, type the name you want to give the Firebox when you add it to the Management Server configuration.
This name is case-sensitive and must match the name you use when you add the Firebox to the Management Server configuration. This can also be the IP address of the Firebox.
- In the Management Server IP Address(es) list, select the public IP address of the Management Server.
Or, if the Management Server is behind a gateway Firebox, select the public IP address of the gateway Firebox for the Management Server.
- To add a Management Server IP address, type the IP address in the text box and click Add.
- In the Shared Secret and Confirm text boxes, type the shared secret.
The shared secret you type here must match the shared secret you type when you add the Firebox to the Management Server configuration.
- Copy the text of your Management Server CA certificate and paste it in the Management Server CA Certificate text box.
- Click Save.
From Policy Manager:
- Select Setup > Managed Device Settings.
The Managed Device Settings dialog box appears with the Management Server tab selected.
- Select the Enable Centralized Management check box.
- From the Manage Device With drop-down list, select Management Server.
- In the Device Name text box, type the name to give the Firebox when you add it to the Management Server configuration.
This name is case-sensitive and must match the name you use when you add the device to the Management Server configuration. This can also be the IP address of the Firebox.
- In the Shared Secret and Confirm text boxes, type the shared secret.
The shared secret you type here must match the shared secret you type when you add the Firebox to the Management Server configuration.
- Adjacent to the Server IP Address(es) list, click Add and specify the public IP address of the Management Server.
Or, if the Management Server is behind a gateway Firebox, specify the public IP address of the gateway Firebox for the Management Server.
- Click Import and select the CA-Admin.pem file with the text of your Management Server CA Certificate.
- Click OK.
When you save the configuration to the Firebox, the Firebox is enabled as a managed device. The managed device tries to connect to the IP address of Dimension or the Management Server. Management connections are allowed from the Management Server to this managed device.
You can now add the Firebox to your Management Server configuration.
You can also use WSM to configure the management mode for your Firebox.
After you have configured your Firebox as a managed device, if your Firebox is in a remote location behind a third-party NAT gateway, you can configure a Management Tunnel to enable contact with the Firebox.
Configure Your Firebox for Management by Dimension
Before you enable your Firebox to be managed by your instance of Dimension, you must download the .WGD file for your Firebox from your instance of Dimension. To configure your Firebox to be managed by Dimension, you import the .WGD file to your Firebox.
For instructions to generate and download the .WGD file for your Firebox, go to Add a Firebox to Dimension for Management.
From Fireware Web UI:
- Select System > Managed Device.
The Managed Device page appears.
- Select the Enable Centralized Management check box.
- From the Manage Device With drop-down list, select Dimension Command.
- Browse to locate the management settings file (.WGD file) you downloaded for this Firebox from Dimension. Click Import.
The IP address for your instance of Dimension is automatically added to the Dimension Command Address(es) list.
- (Optional) To add another IP address for your instance of Dimension, in the Dimension Command Address(es) text box, type the public IP address of Dimension. Click Add.
If Dimension is behind a gateway Firebox or other firewall NAT device, add the public IP address of the gateway Firebox or firewall device.
- (Optional) If you must import a new certificate for Dimension, browse to locate the certificate file. Click Import.
- Click Save.
From Policy Manager:
- Select Setup > Managed Device Settings.
The Managed Device Settings dialog box appears with the Management Server tab selected.
- To set up a Firebox as a managed device, select the Enable Centralized Management check box.
- From the Manage Device With drop-down list, select Dimension Command.
The Managed Device settings for Dimension Command appear.
- To locate the management settings file (.WGD file) you downloaded for this Firebox from Dimension, click Import and browse to select the file.
The IP address for your instance of Dimension is automatically added to the Dimension Command Address(es) list.
- (Optional) To add another IP address for your instance of Dimension:
  - Click Add.
  The Dimension Server dialog box appears.
  - In the Server text box, type the public IP address of Dimension.
  If Dimension is behind a gateway Firebox or other firewall NAT device, add the public IP address of the gateway Firebox or firewall device.
  - Click OK.
  - Click Add.
- (Optional) If you must import a new certificate for Dimension, click Browse and locate the certificate file.
- Click OK.
Configure a Deployed Remote Device for a Management Tunnel over SSL
To enable a Management Tunnel over SSL for a remote Firebox that is already deployed to a remote location behind a third-party NAT device, you can connect directly to the remote device to manually configure the Managed Device Settings for the remote device. This option is useful when the remote Firebox cannot contact the Management Server through the Management Tunnel over SSL because the connection is blocked by the third-party NAT device.
Before you complete the steps in this procedure to configure your remote device for a Management Tunnel over SSL, you must add your device to the Management Server. For more information, go to Configure Management Tunnels.
- Select System > Managed Device Settings.
- Make sure the Enable Centralized Management check box is selected.
- Select the Management Tunnel tab.
- Select the Use an SSL tunnel for remote management check box.
- In the SSL Server text box, type the IP address of the OpenVPN server.
This is the IP address of your Management Tunnel gateway Firebox hub device.
- In the SSL Tunnel ID text box, type the Device Name for the device, or another unique name for the Management Tunnel over SSL.
- In the SSL Tunnel Password text box, type the password to use for the Management Tunnel over SSL.
- Click Save.
You can also use Policy Manager or the WatchGuard Command Line Interface to configure the remote device for a Management Tunnel over SSL. For more information, see:
- Policy Manager — Configure Management Tunnels
- WatchGuard Command Line Interface — Command Line Interface Reference