Change the IP Address of a Management Server
Your managed Fireboxes must always be able to contact your Management Server. If you change the IP address on your Management Server computer, or change the IP address on the external interface of the gateway Firebox, your managed devices cannot contact the Management Server.
When you change the IP address of your Management Server, you must also change the IP address for:
- The Management Server in the gateway Firebox configuration.
- If you change the IP address of your gateway Firebox, you must also update the Management Server and your managed devices with the new address. For instructions to complete this process, go to Update the Management Server with a New Gateway Firebox Address.
- The IP address specified on your managed devices for the Management Server:
- From Fireware Web UI, select System > Managed Device, or from WatchGuard System Manager, select Setup > Managed Device Settings.
- Add the new IP address of the Management Server to your list of Management Server addresses. If your Management Server is behind a gateway Firebox, and you change the IP address of your gateway Firebox, you must also update your managed devices with the new address.
- For more information, go to Configure a Firebox as a Managed Device.
- The IP addresses for the Certificate Revocation List (CRL) and Distribution list.
The CRL Distribution IP address is the IP address that the Management Server gives to the Fireboxes it manages. The managed client devices then connect to the Management Server at this IP address. The CRL Distribution IP address must be the same as the external IP address that managed clients use to connect to the Management Server.
If the Management Server has a private IP address, the CRL Distribution IP address is the IP address on the external interface of the gateway Firebox. If the Management Server has a public IP address, and is not behind a gateway Firebox, the CRL Distribution IP address is the public, external IP address of the Management Server.
For more information, go to Configure the Certificate Authority on the Management Server.
If Your Management Server Has a Private IP Address
When you add a Firebox to your Management Server as a managed device, the WG-Mgmt-Server policy is automatically added to the configuration of the Firebox. This policy includes the IP address of the Management Server. The managed Firebox can then connect to the Management Server at this IP address.
If your Management Server has a private IP address, and it is behind a gateway Firebox, the gateway Firebox also includes the WG-Mgmt-Server policy. This policy includes a WG-Mgmt-Server SNAT action to make sure that any connection from a managed Firebox to the Management Server is sent correctly through the external interface of the gateway Firebox. When you change the IP address of your Management Server, to make sure your managed devices can to connect to you Management Server, you must edit the WG-Mgmt-Server SNAT action configuration from the WG-Mgmt-Server policy on the gateway Firebox to include the new IP address of the Management Server.
The WG-Mgmt-Server policy must include an SNAT action with the name WG-Mgmt-Server. If you manually add the WG-Mgmt-Server policy to your gateway Firebox configuration, you must also manually create the WG-Mgmt-Server SNAT action and add it to the To list in the WG-Mgmt-Server policy.
If your Management Server is behind a third-party NAT device, you must change the configuration of the third-party NAT device to allow communication through the NAT device to the Management Server at the new IP address. For instructions to change the configuration of your third-party NAT device, see the documentation for your NAT device.
To change the private IP address of your Management Server:
- From Policy Manager, open the configuration for the gateway Firebox that protects your Management Server from the Internet.
- Double-click the WG-Mgmt-Server policy.
The Edit Policy dialog box appears.
- In the To section of the WG-Mgmt-Server policy, select WG-Mgmt-Server (Static NAT) and click Edit.
The Edit SNAT dialog box appears. - From the SNAT Members list, select the static NAT member and click Edit.
The Edit Static NAT dialog box appears. - From the External/Optional IP Address drop-down list, make sure the IP address for your gateway Firebox is selected.
- In the Internal IP Address text box, type the new IP address of your Management Server.
- Click OK to close each of the dialog boxes.
- Save the Configuration File.
If Your Management Server Has a Public IP Address
If your Management Server has a public IP address, it is not behind a gateway Firebox. To change the IP address of the Management Server, you update the Certificate Revocation List (CRL) distribution IP address in the Management Server settings with the new IP address for the server. You can then update your managed devices to get the new IP address, as described in the next section.
You can only update the CRL distribution IP address for your Management Server if it is configured with a public IP address.
From the Management Server computer:
- Right-click and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears. - Type the Administrator passphrase and click Login.
The WatchGuard Server Center appears. - In the Servers tree, select Management Server.
- Select the Certificates tab.
- If there is an IP address in the Certificate Revocation List section, select the address from the Distribution IP Address list and click Remove.
- Click Add to add a new address.
The CRL IP Address dialog box appears. - In the IP Address text box, type the new IP address of the Management Server.
- Click OK.
The IP address appears in the Distribution IP Address list. - Click Apply.
A dialog box appears to confirm you want to update the Management Server with your changes. - Click OK.
A Comments dialog box appears. - (Optional) Add comments for the audit logs.
- Click OK.
The Management Server is updated with the changes.
Update Managed Devices
After you change the address of your Management Server to a new public IP address, you must update all of your managed client devices to finish the IP address change.
- In WatchGuard System Manager, connect to your Management Server.
- Select the Device Management tab.
- Right-click a managed device and select Update Device.
The Update Device dialog box appears. - Select the check boxes for these options:
- Reset Server Configuration
- Expire Lease
- Click OK.
- Repeat Steps 3–5 for each device managed by the Management Server.
Configure Settings for the Management Server
Update the Management Server with a New Gateway Firebox Address