Configure Management Tunnels

Before You Begin

The sections below describe how to enable management through a Management Tunnel for Fireboxes that are located behind a NAT gateway device. Follow the instructions in each section, in order, to set up a Management Tunnel correctly.

To use Management Tunnels for connections to your remote devices, you must:

  1. Configure your gateway Firebox as the hub device for the Management Tunnel before you enable Management Tunnels on your remote devices.
  2. Set up each remote device and add it to your Management Server as a managed device.
  3. Make sure the private IP address of the Management Server is included in the Distribution IP Address list and the Managed Device Settings dialog box, as described in the Management Tunnel over SSL Resources section in the About Management Tunnels topic.
  4. Configure the remote devices to enable a Management Tunnel from each remote (spoke) device to the hub device.

Before you begin the procedures to set up a Management Tunnel, make sure you have read the entire About Management Tunnels topic.

Configure the Management Tunnel Gateway Firebox

When you set up a Management Tunnel, you must configure your gateway Firebox before you configure the remote devices. The external IP address of the gateway Firebox must not be a dynamic address, because each remote device builds its tunnel to that address. You can use IPSec, SSL, or a combination of the two to secure the Management Tunnels to your gateway Firebox. The configuration options are different for each security option.

To configure Management Tunnel settings on your gateway Firebox:

  1. In WSM, connect to your Management Server.
  2. Expand the Devices tree and select the device that is your gateway Firebox.
    The Device page appears.
  3. In the Device Information section, click Configure.
    The Device Properties dialog box appears with the Connection Settings tab selected.

Screen shot of the Device Properties dialog box for a management tunnel hub XTM device

  4. Make sure that the Device has dynamic external IP address (DHCP, PPPoE) check box is not selected.
  5. From the Management Tunnel drop-down list, select Server.
    The Management Tunnel Settings tab appears.

Screen shot of the Management Tunnel Settings tab

  6. From the Tunnel Type drop-down list, select a tunnel security option:
    • IPSec Only
    • SSL Only
    • IPSec or SSL
  7. Configure the settings for the Tunnel Type you selected:
  8. To enable log messages to be sent for traffic through this Management Tunnel, select the Enable logging for this tunnel check box.

Screen shot of the completed Management Tunnel Settings tab

Example of completed Management Tunnel settings for an SSL Only tunnel.

  9. Click OK to save your changes.

When the lease on the gateway Firebox expires, the Firebox contacts the Management Server to get the new configuration details. The Firebox is then available as the Management Tunnel gateway (the hub device) on the management network side of the Management Tunnel. For a Management Tunnel with IPSec, if you disable the Management Tunnel on the hub device, the Management Server automatically runs an expire lease task for the hub device.

Deploy Remote Devices

The deployment process for your remote Fireboxes includes two steps:

  1. Initial setup of the remote device.
  2. Add the remote device to management.

Step 1 — Set Up the Remote Device

Before you deploy your remote devices behind a third-party firewall or NAT gateway, each device must be configured correctly.

  1. Start the Quick Setup Wizard for a device with factory-default settings.
  2. Complete the Quick Setup Wizard:
    • Make note of the name and the passphrases you assign to the device.
    • Set the external interface to DHCP or PPPoE.
    • Configure the Management Server settings:
      • Specify the private IP address of the Management Server as it appears in the Management Server settings.
        Make sure that the private IP address of the Management Server is the first IP address in the Distribution IP Address list in the Management Server settings.
        For more information, see Configure the Certificate Authority on the Management Server.
      • Make note of the shared secret.

    By default, when the remote device is updated by the Management Server, the IP address that appears first in the Distribution IP Address list is added to the device settings. If the private IP address of the Management Server is not the first IP address in the list, the private IP address of the Management Server that you specified in the wizard is removed from the device settings, and when the tunnel is built, the device cannot communicate with the Management Server. To avoid this, make sure the private IP address of the Management Server is the first IP address in the Distribution IP Address list. For more information, see the Management Tunnel over SSL Resources section in About Management Tunnels.

For more information about the steps to complete the Quick Setup Wizard, see About Firebox Setup Wizards.

Step 2 — Add the Remote Device to Management

After you configure your remote device, you add the device to the Management Server so that it can be managed after it is installed at the remote location.

  1. In WSM, connect to your Management Server.
  2. Right-click the Devices folder and select Insert Device.
    The Add Device Wizard appears.
  3. Click Next to start the wizard.
    The Enter the device's IP address and passphrase page appears.
  4. Select I don't know the device's current dynamically allocated IP address (DHCP/PPPoE). Click Next.
    The Enter a name for the device page appears.
  5. Type the device name and shared secret you specified for the device in Step 1. Click Next.
    The Enter the device's status and configuration passphrases page appears.
  6. Type the status and configuration passphrases you specified for the remote device in Step 1. Click Next.
    The Select the tunnel authentication method page appears.
  7. Select Auto-generated shared key. Click Next.
  8. Complete the wizard.

After the wizard completes, your remote device can be deployed. When you connect the device to power and the Internet, it contacts the Management Server for the final device configuration file, and any pending updates are applied to the device.

We recommend that before you send the device to the remote location, you complete the steps to set up a Management Tunnel for the device. When Management Tunnels are enabled on the device before it is deployed, all management options are available as soon as the device is deployed.

If you do not configure the Management Tunnel settings for the device before you install the device in a remote location, the management options are limited. Direct connections to the device are not permitted, but these functions are available:

  • Logging and Reporting
  • Heartbeat monitoring
  • Drag and Drop VPN
  • Policy Manager configuration (Fully Managed Mode only)
  • Device Configuration Template updates (Fully Managed Mode only)

Configure a Management Tunnel Remote Device

After you enable the gateway Firebox as the Management Tunnel gateway (hub) device, you use the information from the gateway Firebox to configure each remote Firebox (spoke device). The configuration settings for each remote device are different for a Management Tunnel over IPSec and a Management Tunnel over SSL.

For a Management Tunnel over IPSec:

  • The management IP address:
    • Must be a virtual IP address
    • Must be unique among the Fireboxes managed by the same Management Server
    • Must be on a different network from the VPN resource you specified when you enabled the Management Tunnel gateway on your gateway Firebox
    • Is used as the 1-to-1 NAT IP address (external IP address) for the Management Tunnel, and is used to create the tunnel on the remote device side
    • Is a single IP address, not a network address with a subnet mask
  • Traffic from the management network to the management IP address must be routed through the gateway Firebox
  • Before the remote device can be used in a Management Tunnel over IPSec, you must configure the Connection Settings for each remote device and select the Device has dynamic external IP address option

For a Management Tunnel over SSL:

  • The management IP address pool must be on a different network from the VPN resource you specified when you enabled the Management Tunnel gateway on your gateway Firebox.
  • Traffic from the management network to the management IP address pool must be routed through the gateway Firebox.
  • The Managed Device Settings for the remote device must specify the private (internal) IP address of the Management Server for the Management Server IP address, not the external IP address of the gateway Firebox. If more than one Management Server IP address is included in the Managed Device Settings, the device always tries to connect to the first IP address in the list.
    For more information, see Configure a Firebox as a Managed Device.

Included in the configuration settings for a Management Tunnel over SSL are the SSL tunnel ID and password. You specify the values for these settings when you configure the remote device. The Management Server then updates the gateway Firebox configuration with the SSL tunnel ID and password.
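The addressing rules above (single, unique management IPs outside the hub VPN resource for IPSec; an SSL pool that does not overlap the VPN resource; the Management Server private IP first in the Distribution IP Address list) are easy to get wrong when several spokes are planned at once, and a mistake only shows up after the device is shipped and its lease expires. The following script is an added example, not WatchGuard code and not a WSM API: it checks a planned addressing scheme offline before anything is pushed to the devices. The Plan structure, the device names and all IP values are constructed for the example.

```python
"""Added example (not WatchGuard code): sanity-check a Management Tunnel
addressing plan against the rules in the text before it is deployed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Plan:
    vpn_resource: str                 # VPN resource on the hub (the management network)
    ms_private_ip: str                # private IP address of the Management Server
    distribution_ips: List[str]       # Distribution IP Address list, in configured order
    ipsec_mgmt_ips: Dict[str, str] = field(default_factory=dict)  # spoke name -> management IP
    ssl_pool: Optional[str] = None    # management IP address pool for SSL tunnels


def check_plan(plan: Plan) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    resource = ipaddress.ip_network(plan.vpn_resource, strict=False)

    # The spoke keeps only the first Distribution IP after its first update, so the
    # Management Server private IP must be first or the spoke loses its path back.
    if not plan.distribution_ips or plan.distribution_ips[0] != plan.ms_private_ip:
        problems.append(
            f"Distribution IP Address list must start with the Management Server "
            f"private IP {plan.ms_private_ip}, got {plan.distribution_ips}")

    # IPSec: each management IP is one host, unique per Management Server, and not
    # inside the VPN resource (it is the 1-to-1 NAT address seen from the hub side).
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for name, raw in plan.ipsec_mgmt_ips.items():
        if "/" in raw and not raw.endswith("/32"):
            problems.append(f"{name}: management IP must be a single address, not a network ({raw})")
            continue
        addr = ipaddress.ip_address(raw.split("/")[0])
        if addr in resource:
            problems.append(f"{name}: management IP {addr} is inside the VPN resource {resource}")
        if addr in seen:
            problems.append(f"{name}: management IP {addr} is already used by {seen[addr]}")
        seen[addr] = name

    # SSL: the whole pool must be on a different network from the VPN resource.
    if plan.ssl_pool:
        pool = ipaddress.ip_network(plan.ssl_pool, strict=False)
        if pool.overlaps(resource):
            problems.append(f"SSL pool {pool} overlaps the VPN resource {resource}")

    return problems


# Constructed sample plans (example values, not from a real deployment).
GOOD_PLAN = Plan(
    vpn_resource="10.0.10.0/24",
    ms_private_ip="10.0.10.5",
    distribution_ips=["10.0.10.5", "203.0.113.10"],
    ipsec_mgmt_ips={"branch-a": "10.0.20.1", "branch-b": "10.0.20.2"},
    ssl_pool="10.0.30.0/24",
)

BAD_PLAN = Plan(
    vpn_resource="10.0.10.0/24",
    ms_private_ip="10.0.10.5",
    distribution_ips=["203.0.113.10", "10.0.10.5"],   # private IP is not first
    ipsec_mgmt_ips={
        "branch-a": "10.0.10.50",      # inside the VPN resource
        "branch-b": "10.0.20.2",
        "branch-c": "10.0.20.2",       # duplicate of branch-b
        "branch-d": "10.0.20.0/24",    # a network, not a single host
    },
    ssl_pool="10.0.10.128/25",         # overlaps the VPN resource
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```

Run the script before you work through the Device Properties dialog for each spoke; every line it prints corresponds to one rule in the lists above, so fixing the plan on paper is cheaper than an expire-lease cycle on a device that is already behind a NAT gateway.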

To enable a Management Tunnel for a remote device:

  1. In WSM, connect to your Management Server.
  2. Expand the Devices tree and select one of your remote devices.
    The Device page appears.
  3. In the Device Information section, click Configure.
    The Device Properties dialog box appears with the Connection Settings tab selected.
  4. Make sure the Device has dynamic external IP address (DHCP, PPPoE) check box is selected.
  5. Select the Management Tunnel Settings tab.

Screen shot of the Device Properties dialog box, Management Tunnel Settings tab

  6. Select the Use Management Tunnel for this device check box.
  7. From the Hub Device drop-down list, select the display name of the gateway Firebox that you configured as the Management Tunnel hub device in the previous section.
  8. From the Tunnel Type drop-down list, select the same tunnel type that you specified on the Management Tunnel hub device for this Management Tunnel:
    • IPSec
    • SSL

    Only the tunnel type options that you specified for the Management Tunnel on the hub device appear in the Tunnel Type list.

  9. Configure the settings for the Tunnel Type you selected:
  10. Click OK.
    The device properties are updated.

Expire the Lease

If you complete the settings for the remote device before you deploy the device to the remote location, the Management Tunnel is created as soon as the device is powered on and connected to the Internet. If you do not complete the remote device settings until after the device has been deployed, the new settings take effect on the remote device when the lease on the device expires and it checks in with the Management Server for updated information. This can take up to an hour. After the initial configuration is complete, any time the remote device contacts the Management Server to request a configuration update, the Management Server modifies the remote device configuration file to add or update details for the Management Tunnel.

The tunnel routes for a Management Tunnel over IPSec are configured to use these IP addresses:

  • Local — 1-to-1 NAT from the trusted interface IP address to the management IP address
  • Remote — Hub device VPN resource

If you make a change to the trusted or optional IP addresses on a remote device, and that IP address is used by a Management Tunnel over IPSec, the Management Tunnel goes down and must be rebuilt. If the device is in Fully Managed Mode, the device configuration is automatically updated on the remote device the next time it contacts the Management Server for the most recent information. We recommend that you configure all your remote devices that are used in a Management Tunnel over IPSec in Fully Managed Mode.

For a Management Tunnel over SSL, the IP addresses are chosen from the IP address pool and can change each time the tunnel is built.

If the device is in Basic Managed Mode, you must force the remote device to contact the Management Server for the update before the Management Tunnel can be rebuilt. After the configuration details are changed, but before the Management Tunnel is updated, the device management options are limited, as described in a previous section.

To force a remote device in Basic Managed Mode to contact the Management Server:

  1. In WSM, on the Device page for your remote device, click Configure.
    The Device Properties dialog box appears.
  2. Do not make any changes to the configuration settings. Click OK.
  3. On the Device page for the remote device, click Expire Lease to prompt the device to contact the Management Server for updated information.

When the remote device contacts the Management Server, it gets the updated Management Tunnel information and the management tunnel is rebuilt.

Configure a Deployed Remote Device for a Management Tunnel over SSL

If your remote Firebox is already deployed to a remote location behind a third-party NAT device, and you want to enable a Management Tunnel over SSL for the remote device, you can connect directly to the remote device to manually configure the Managed Device Settings for the remote device. This option is useful when the remote device cannot contact the Management Server through the Management Tunnel over SSL because the connection is blocked by the third-party NAT device.

Before you complete the steps in this procedure to configure your remote device for a Management Tunnel over SSL, you must complete the steps in the section Step 2 — Add the Remote Device to Management to add your device to the Management Server.

To configure the remote Firebox for a Management Tunnel over SSL:

  1. Start Policy Manager for the remote device.
  2. Select Setup > Managed Device Settings.
  3. Make sure the Centralized Management check box is selected.
  4. Select the Management Tunnel tab.
  5. Select the Use an SSL tunnel for remote management check box.

Screen shot of the Management Tunnel tab

  6. In the SSL Server text box, type the IP address of the OpenVPN server.
    This is the external IP address of your Management Tunnel gateway Firebox (hub device), which must be a static address.
  7. In the SSL Tunnel ID text box, type the Device Name of the remote device, or another unique name for the Management Tunnel over SSL.
  8. In the SSL Tunnel Password text box, type the password to use for the Management Tunnel over SSL.
    Use a strong password that is unique to this remote device. The Management Server copies the tunnel ID and password into the hub device configuration, so a password shared across devices lets any one of them impersonate the others to the hub.
  9. Click OK.
  10. Save the configuration to the remote device.

You can also use Fireware Web UI or the WatchGuard Command Line Interface to configure the remote device for a Management Tunnel over SSL. For more information, see the Fireware Web UI Help or the Command Line Interface Reference.

Verify the Status of the Management Tunnel

After the Management Tunnel is built between the Management Tunnel Gateway (hub) Firebox and the remote (spoke) Firebox, you can see the status of the Management Tunnel on the Firebox System Manager Front Panel tab for the hub or spoke device.

For more information about how to use the Front Panel tab, see Basic Device and Network Status (Front Panel).

When you connect to the Management Server in WSM and select one of the managed devices at either end of the Management Tunnel, the device page appears with the Management Tunnel Information section, which includes this information about the settings for the Management Tunnel:

  • Type — IPSec Only, SSL Only, or IPSec or SSL
  • Hub Device — The name of the hub device
  • Tunnel ID — The name of the Management Tunnel

For more information about the device page, see About the Device Management Page.

Review the Client Members List

In the device properties for the hub device (gateway Firebox), you can see a list of all the client devices (remote devices) configured for the Management Tunnels to the hub device. The Device Properties dialog box for the hub device includes devices that use both SSL and IPSec to build a Management Tunnel.

If Mobile VPN with SSL is activated for your hub device, and you have configured Management Tunnels over SSL for your hub device, you can also see the list of client devices that connect to the hub device with a Management Tunnel over SSL.

See All Client Members

To review the list of client members for Management Tunnels to the hub device (gateway Firebox):

  1. In WSM, on the Device page for your hub device, click Configure.
    The Device Properties dialog box appears.
  2. Select the Management Tunnel Settings tab.
    The Management Tunnel settings appear.

Screen shot of the completed Management Tunnel Settings tab

  3. Click Client Members.
    The Client Members dialog box appears.

Screen shot of the Client Members dialog box

  4. Review the list of client devices.
  5. Click Close.

See Management Tunnel Over SSL Client Members

If your hub device is configured for a Management Tunnel over SSL, at the top of the Mobile VPN with SSL Configuration dialog box, a message that the Management Tunnel feature is enabled appears, with the Client Members button.

To review the list of client members for the Management Tunnel over SSL to the hub device (gateway Firebox):

  1. Click Client Members.
    The Client Members dialog box appears.

Screen shot of the Mobile VPN with SSL Configuration dialog box and Client Members dialog box for a hub device

  2. Review the list of client devices.
  3. Click OK.

Manage a Remote Device

After you have configured a Management Tunnel to your remote Firebox, you can use WSM on the management computer in your management network (where your Management Server and WSM client are installed), to connect to the remote device and make changes to the remote device configuration.

To make changes to the configuration of a remote device from a computer other than the management computer in your management network (such as from a remote location or from a computer on a different subnet), you must make an RDP connection to the management computer, or use another remote access tool (such as terminal services), to connect to the management computer. You can then use WSM on the management computer to manage your remote device.

See Also

About Management Tunnels

Add VPN Resources

Managed Branch Office VPN Tunnels (WSM)

Make Managed Tunnels Between Devices

Set Device Management Properties

About Centralized Management Modes
