Update the Management Server with a New Gateway Address
When you use the WatchGuard Server Center Setup Wizard to set up your Management Server, you use the IP address of the gateway Firebox that protects the Management Server from the Internet. This same IP address is used as the Certificate Revocation List (CRL) Distribution IP address. If you want to change the IP address on your gateway Firebox, you must first change the CRL Distribution IP address on your Management Server, and update all managed devices with this information. If you do not do this, the Management Server cannot keep a connection to each of your managed devices.
If you have managed Branch Office VPN (BOVPN) tunnels configured on your Management Server, and the gateway Firebox is the endpoint in any of these tunnels, you must remove those VPN tunnels before you start this procedure. When you are done with this procedure, you must create the VPN tunnels again.
When you configure a managed Firebox, you give the managed device the IP address of the gateway Firebox. The managed device uses this IP address to find the Management Server. The WG-Mgmt-Server policy on the gateway Firebox sets up an SNAT policy to make sure that any connection from a managed Firebox to the Management Server is sent correctly through the external interface of the Firebox.
To change the IP address on your gateway Firebox, you must update your Management Server configuration, update each managed Firebox, and edit the SNAT configuration of the WG-Mgmt-Server policy.
From the Management Server computer:
- Right-click and select Open WatchGuard Server Center.
WatchGuard Server Center appears.
- In the Servers tree, select Management Server.
The Management Server page appears.
- Select the Certificates tab.
- In the Certificate Revocation List section, add a new IP address for your gateway Firebox and remove the existing IP address.
- Click Apply.
- On your management computer, open WatchGuard System Manager and connect to your Management Server.
- Select the Device Management tab.
- Right-click a managed device and select Update Device.
- Below Update Client Settings, make sure that the Reset Server Configuration and Expire Lease check boxes are selected.
Make sure the Issue/Reissue Firebox’s IPSec Certificate and CA’s Certificate check box is also selected.
- Repeat Steps 3–6 for each device managed by your Management Server.
- Start Policy Manager for the configuration file of the gateway Firebox.
- Select Network > Configuration and change the IP address of the external interface of the device to the new IP address.
- Double-click the WG-Mgmt-Server policy.
The Edit Policy Properties dialog box appears.
- In the To section, select the SNAT entry and click Remove.
- In the To section, click Add.
The Add Address dialog box appears.
- Click Add SNAT.
The SNAT dialog box appears.
- Click Add.
The Add SNAT dialog box appears.
- In the SNAT Name text box, type a unique name for this SNAT object.
- (Optional) In the Description text box, type a description to help you identify this SNAT object.
- Select an option: Static NAT or Server Load Balancing.
- Click Add.
The Add Static NAT/Server Load Balancing dialog box appears.
- From the External IP Address drop-down list, select the new IP address for your gateway Firebox.
- In the Internal IP Address text box, type the IP address of your Management Server.
- Click OK to close each dialog box and save your changes.
- Save the configuration file.
When the Firebox restarts, connections between the Management Server and the managed Fireboxes start again. You can now re-create any BOVPN tunnels for which the gateway Firebox is a VPN endpoint.