About the WatchGuard Connection Manager
Applies To: FireCloud Internet Access, FireCloud Total Access
For FireCloud to protect your users, they must have the WatchGuard Connection Manager installed on their device and use it to connect to FireCloud. When a user is connected to FireCloud, Internet traffic from their device routes through the nearest WatchGuard point of presence (PoP) where FireCloud performs scanning services such as Intrusion Prevention Service.
If you have FireCloud Total Access, the Connection Manager also connects you to remote private resources on your corporate network.
FireCloud uses the WatchGuard Agent to deploy and install the WatchGuard Connection Manager. The WatchGuard Agent handles communication between managed computers and the WatchGuard server. The agent is installed on each endpoint or computer, and is used to deploy WatchGuard software, such as the WatchGuard Connection Manager and Endpoint Security software. It has low CPU, memory, and bandwidth usage and uses less than 2 MB of data each day. To learn more about the WatchGuard Agent, go to About the WatchGuard Agent.
When you download the installer from FireCloud, you are downloading the WatchGuard Agent. When you install the WatchGuard Agent, it communicates with WatchGuard Cloud and installs all the software that your account and computer are currently licensed for, based on the deployment behavior configured in WatchGuard Cloud. By default, when only one product is installed by the WatchGuard Agent, the deployment behavior is set to Install. If your account has more than one product that uses the WatchGuard Agent to install software, you might need to configure a deployment centrally on the Agent Deployment page. For more information, go to Configure WatchGuard Agent Deployment in WatchGuard Cloud.
When WatchGuard releases a new version of the WatchGuard Connection Manager, the WatchGuard Agent automatically downloads and installs the new version so that your users are always up to date.
If your FireCloud license or trial expires and your account is not licensed for FireCloud, the WatchGuard Agent automatically uninstalls the WatchGuard Connection Manager on all your end-user devices. When your account has an active FireCloud license again, the WatchGuard Agent automatically downloads and installs the WatchGuard Connection Manager again.
Each WatchGuard Cloud account has a unique version of the WatchGuard Agent installed. Only FireCloud users from the same WatchGuard Cloud account can use the installer from that account. If you are a Service Provider, do not use the same installer to deploy FireCloud for multiple managed accounts.
Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.
Network Access Requirements
Connections to these host names are required for the WatchGuard Agent to connect to WatchGuard Cloud through your firewall.
| Host Names | Ports |
|---|---|
| *.pandasecurity.com, *.pandasoftware.com, *.windows.net | TCP 443, TCP 80 |
How the Connection Manager Works
While you are connected to FireCloud, FireCloud protects you from threats so that you can safely use your computer and browse the Internet. After you connect to FireCloud for the first time, the agent keeps your session open and you remain connected even if you restart your computer. For more detailed information, go to Connection Manager Authentication Sessions.
When you are connected to FireCloud, you can continue to connect to local resources on your network, such as printers. With FireCloud Total Access, you can also connect to remote resources on the corporate network.
If you have to connect to a VPN, you must first manually disconnect from FireCloud. After you disconnect from FireCloud, you must manually log in and connect again to remain protected.
If you cannot connect to FireCloud, or if you manually disconnect from FireCloud, you can still connect to the Internet but FireCloud will not protect you.
If the WatchGuard Connection Manager cannot authenticate or connect to FireCloud for more than one hour, you are prompted to log in again.
If you go to your office and connect to the corporate network when your computer is already connected to FireCloud, your firewall configuration might affect how your traffic is handled. FireCloud uses UDP port 4500 to communicate with WatchGuard points of presence (PoP).
- If port 4500 is open when connected to your corporate network, the Connection Manager continues to pass traffic through FireCloud.
- If port 4500 is blocked when connected to your corporate network, the client connection to FireCloud fails to open and the client passes traffic as it normally does when connected to the corporate network. However, the WatchGuard Connection Manager continually attempts to connect to the FireCloud PoP while behind the firewall.
After you disconnect from the corporate network, you might need to manually connect to FireCloud again.
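The port 4500 behavior above has a practical consequence for the firewall administrator: a client behind a corporate firewall that blocks UDP 4500 keeps retrying the PoP, so the block shows up as a steady stream of denied UDP/4500 connections from the same internal address. The following script is an added example (not WatchGuard code) that parses constructed, generic syslog-style firewall lines and summarizes which internal clients are being denied UDP/4500 and toward which PoP addresses, so the administrator can decide whether to open the port for the Connection Manager. The log format, host names, policy names and IP addresses are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in a generic syslog-style deny/allow format.
# These are not real WatchGuard Firebox log messages; only the shape matters here.
SAMPLE_LOG = """\
2024-05-01T08:01:10 fw1 Deny 10.20.30.11:51234 -> 203.0.113.10:4500 udp policy=Outgoing-Default
2024-05-01T08:01:12 fw1 Deny 10.20.30.11:51234 -> 203.0.113.10:4500 udp policy=Outgoing-Default
2024-05-01T08:01:15 fw1 Allow 10.20.30.12:44321 -> 203.0.113.10:4500 udp policy=Allow-FireCloud
2024-05-01T08:01:20 fw1 Deny 10.20.30.13:50001 -> 198.51.100.5:4500 udp policy=Outgoing-Default
2024-05-01T08:01:22 fw1 Allow 10.20.30.11:50555 -> 93.184.216.34:443 tcp policy=Outgoing-Default
2024-05-01T08:01:25 fw1 Deny 10.20.30.11:51234 -> 203.0.113.10:4500 udp policy=Outgoing-Default
"""

# Regular expression for the constructed log format above (hypothetical format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>Allow|Deny)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[a-z]+)\s+policy=(?P<policy>\S+)$"
)

FIRECLOUD_PORT = 4500  # UDP port the Connection Manager uses to reach the PoP


def parse_line(line):
    """Parse one log line into a dict of named fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def blocked_firecloud_clients(log_text, port=FIRECLOUD_PORT):
    """Return {client_ip: {"denies": n, "pops": {dst_ip, ...}, "policies": {...}}}
    for clients whose UDP traffic to <port> was denied. Repeated denies from one
    client are the continual reconnect attempts described in the text."""
    result = defaultdict(lambda: {"denies": 0, "pops": set(), "policies": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue  # skip lines in other formats rather than failing the whole run
        if ev["proto"] != "udp" or int(ev["dport"]) != port or ev["action"] != "Deny":
            continue
        entry = result[ev["src"]]
        entry["denies"] += 1
        entry["pops"].add(ev["dst"])
        entry["policies"].add(ev["policy"])
    return dict(result)


def report(log_text, port=FIRECLOUD_PORT):
    """One human-readable line per affected client, most denies first."""
    blocked = blocked_firecloud_clients(log_text, port)
    lines = []
    for ip, info in sorted(blocked.items(), key=lambda kv: -kv[1]["denies"]):
        lines.append(
            f"{ip}: {info['denies']} denied UDP/{port} attempts to "
            f"{', '.join(sorted(info['pops']))} "
            f"(policy: {', '.join(sorted(info['policies']))})"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the report lists 10.20.30.11 (three denies) and 10.20.30.13 (one deny) and omits 10.20.30.12, whose UDP/4500 traffic was allowed by a dedicated policy. Adapting it to a real log source means replacing only `LINE_RE`; the filtering logic stays the same.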
To see the status of your connection to FireCloud, point to the Connection Manager icon in the system tray. The icon color indicates the connection status:
| Status | Definition |
|---|---|
| (icon) | Connected to point of presence and routing Internet traffic through FireCloud. |
| (icon) | Connected to point of presence but cannot connect to the Internet. |
| (icon) | Not connected. |
Connection Manager Connection Flow
This section explains the connection flow when a FireCloud user connects to the Internet or to a remote private resource.
- User connects to FireCloud and authenticates.
- Connection Manager establishes a WireGuard tunnel to the nearest WatchGuard point of presence (PoP).
- FireCloud runs scanning services, such as Intrusion Prevention Service.
- FireCloud passes the connection out to the Internet.
- When a user must pass traffic or connect to a private resource:
  - FireCloud routes the connection from the PoP through a WireGuard tunnel that connects the PoP and the FireCloud Gateway on your network.
  - FireCloud routes the connection from the FireCloud Gateway to the appropriate resource on your network.
Connection Manager Authentication Sessions
When you authenticate with the Connection Manager and connect to FireCloud, the Connection Manager establishes two sessions.
- The first session is established with the Identity Provider (IdP), for example AuthPoint.
- The second session is established with FireCloud, allowing connection to a FireCloud POP.
The Connection Manager caches the IdP session, and this session remains valid until the Connection Manager application is stopped or restarted, the system is rebooted, or the session is invalidated by the identity provider (for example the session reaches the IdP's timeout).
The FireCloud session remains valid until you select Disconnect from the Connection Manager menu.
The FireCloud access rule that applies to your user group determines whether you can manually disconnect from FireCloud.
The scenarios below describe how the Connection Manager uses each session and what the expected behavior is.
When you first connect to FireCloud with the Connection Manager, you are shown the identity provider login page. You must enter your user name and password to authenticate with the identity provider.
If the authentication is successful, the Connection Manager caches the new IdP session.
After the successful identity provider authentication, the Connection Manager establishes a new FireCloud session which allows the Connection Manager to connect to a FireCloud POP and begin to pass traffic.
When you manually disconnect from FireCloud, the Connection Manager logs out of FireCloud and the FireCloud session is invalidated. The Connection Manager retains the cached IdP session.
When you open the Connection Manager and connect to FireCloud:
- If the cached IdP session is valid and has not timed out, the Connection Manager uses the existing IdP session to establish a new FireCloud session. Because the established IdP session is reused, you are not prompted to log in.
- If the cached IdP session is invalid (for example, if it has timed out), the Connection Manager requires you to log in with the identity provider to create a new IdP session. After the identity provider has authenticated you and the Connection Manager has created a new IdP session, the Connection Manager establishes a new FireCloud session.
When you reboot a computer, the Connection Manager starts automatically but does not retain the previous IdP session. The behavior of the Connection Manager after a reboot depends on whether you disconnected from FireCloud before the reboot.
If you manually disconnect from FireCloud before the reboot, the Connection Manager requires you to log in with the identity provider to create a new IdP session. After the identity provider has authenticated you and a new IdP session has been created, the Connection Manager establishes a new FireCloud session.
If you reboot while still connected to FireCloud, after the reboot the Connection Manager attempts to resume the previously established FireCloud session.
- If this action succeeds, the Connection Manager connects to FireCloud (you are not required to log in), but there will no longer be a cached IdP session.
- If this action does not succeed, the Connection Manager requires you to log in. After the identity provider has authenticated you and a new IdP session has been created, the Connection Manager establishes a new FireCloud session.
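The session rules above are easiest to reason about as a small state machine with two pieces of state (the cached IdP session and the FireCloud session) and four events (connect, disconnect, IdP timeout, reboot). The model below is an added example written for this page; it is not the Connection Manager's code, and the session identifiers, the `can_disconnect` flag (standing in for the FireCloud access rule) and the scenario functions are all assumptions. Each scenario function returns what a practitioner would want to check: how many times the login page was shown and whether the FireCloud session was reused.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

_ids = count(1)  # simple session id generator for the model


@dataclass
class ConnectionManagerModel:
    """Toy model of the two sessions described in the text (not the real client)."""
    can_disconnect: bool = True          # stands in for the FireCloud access rule of the user's group
    idp_session: Optional[str] = None    # cached IdP session (for example with AuthPoint)
    firecloud_session: Optional[str] = None
    connected: bool = False
    login_prompts: int = 0               # how many times the IdP login page was shown

    def _idp_login(self):
        # The user sees the identity provider login page and authenticates.
        self.login_prompts += 1
        self.idp_session = f"idp-{next(_ids)}"

    def _new_firecloud_session(self):
        self.firecloud_session = f"fc-{next(_ids)}"
        self.connected = True

    def connect(self):
        """User selects Connect. A valid cached IdP session is reused without a prompt."""
        if self.idp_session is None:
            self._idp_login()
        self._new_firecloud_session()

    def disconnect(self):
        """User selects Disconnect: the FireCloud session is invalidated, the IdP session kept."""
        if not self.can_disconnect:
            raise PermissionError("the access rule for this user group does not allow manual disconnect")
        self.firecloud_session = None
        self.connected = False

    def idp_timeout(self):
        """The identity provider invalidates the cached session (for example, its timeout)."""
        self.idp_session = None

    def reboot(self, resume_ok=True):
        """The cached IdP session never survives a reboot. A FireCloud session survives only
        if Disconnect was not selected before the reboot; the client then tries to resume it
        and, if that fails, requires a new IdP login."""
        self.idp_session = None
        if not self.connected:
            return  # nothing to resume; the next connect() shows the login page
        if resume_ok:
            return  # still connected on the same FireCloud session, no cached IdP session
        self.firecloud_session = None
        self.connected = False
        self.connect()


def scenario_disconnect_reconnect():
    """Connect, Disconnect, Connect again while the IdP session is still valid."""
    cm = ConnectionManagerModel()
    cm.connect()      # first connect: login page shown once
    cm.disconnect()
    cm.connect()      # cached IdP session reused: no second prompt
    return cm.login_prompts


def scenario_idp_timeout():
    """Same as above, but the IdP invalidates the cached session in between."""
    cm = ConnectionManagerModel()
    cm.connect()
    cm.disconnect()
    cm.idp_timeout()
    cm.connect()      # new IdP login required
    return cm.login_prompts


def scenario_reboot_while_connected(resume_ok):
    """Reboot without selecting Disconnect first."""
    cm = ConnectionManagerModel()
    cm.connect()
    before = cm.firecloud_session
    cm.reboot(resume_ok)
    return (cm.connected, cm.firecloud_session == before, cm.idp_session is None, cm.login_prompts)


def scenario_reboot_after_disconnect():
    """Disconnect, reboot, then connect again: a new IdP login is always required."""
    cm = ConnectionManagerModel()
    cm.connect()
    cm.disconnect()
    cm.reboot()
    cm.connect()
    return cm.login_prompts


def scenario_disconnect_not_allowed():
    """The access rule for the group forbids manual disconnect."""
    cm = ConnectionManagerModel(can_disconnect=False)
    cm.connect()
    try:
        cm.disconnect()
    except PermissionError:
        return cm.connected  # still connected
    return False
```

The scenarios mirror the text: a disconnect followed by a reconnect costs no extra login, an IdP timeout or a reboot after disconnecting costs one, and a reboot while connected either resumes the same FireCloud session with no cached IdP session or, if resuming fails, prompts for a fresh login.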
Download and Install the WatchGuard Agent and Connection Manager
You download the WatchGuard Agent from the FireCloud UI in WatchGuard Cloud. You can also get a link to the installer for your account and distribute this link to your users so they can download and install the Connection Manager themselves.
If you want to install FireCloud on a computer that already has the WatchGuard Agent installed for another product, such as Endpoint Security, you can configure a WatchGuard Agent deployment to install FireCloud. For more information, go to Configure WatchGuard Agent Deployment in WatchGuard Cloud.
The WatchGuard Agent for Mac requires Rosetta. If Rosetta is not installed when you install the WatchGuard Agent, the installation fails and you are not prompted to authenticate and connect to FireCloud. In this scenario, you must manually go to Applications and run the ConnectionManagerInstaller. When you do this, you are prompted to install Rosetta. Install Rosetta and then manually run the WatchGuard Agent installer again.
To download the WatchGuard Agent (used to install the WatchGuard Connection Manager):
- Log in to WatchGuard Cloud and go to Configure > FireCloud.
- Select Endpoint Installation.
The Endpoint Installation page opens.
- Click Add Endpoint.
- Select the operating system for the endpoint where you want to install the agent.
- If you have Endpoint Security, select the group you want to add the computer to.
For endpoints with an Endpoint Security license, the security policies assigned to a computer depend on the group it belongs to. For information about groups for endpoints with an Endpoint Security license, go to Manage Computers and Devices in Groups in Endpoint Security.
  - To add the computer to a group created in the Endpoint Security management UI, select Add Computers to this Group. From the drop-down list, select a folder.
  - To add the computer to an Active Directory group, select Add Computers to their Active Directory Path. Select the network proxy to assign to the computers.
- (Optional) For the Windows installer, to specify an expiration date for the installer, click in the box and select a date from the calendar.
After the expiration date, if users try to run the installer, a message informs them that the installer is expired, and they must download a new one or contact their administrator.
- Click Download Installer.
The WatchGuard Agent installer download begins.
- If you want to send the installer to your users so they can download and install the agent themselves, click Copy Installer URL. You can send this link to your users.
To manually install the WatchGuard Agent and WatchGuard Connection Manager:
- Run the downloaded installer.
- Click Install. The installation of the WatchGuard Agent can take several minutes.
- When the installation is complete, click Finish.
- After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager.
- On Mac computers, you are prompted to enable the network extension for the Connection Manager. Open the system settings and go to General > Login Items and Extensions > Network Extensions and enable WatchGuardConnectionManager.
In some cases, you might be prompted to enable additional network extensions when the Connection Manager upgrades to a new version.
- When the installation is finished, the Connection Manager opens and you are prompted to enter your credentials to connect to FireCloud. You use the credentials for the user account in your identity provider.
If the WatchGuard Agent fails to install the Connection Manager, the agent attempts the installation again after 4 hours. To try the installation again immediately, you can run the installer.
Connect to FireCloud with the WatchGuard Connection Manager
To connect to FireCloud, from WatchGuard Connection Manager:
- Open the WatchGuard Connection Manager.
- Click Connect.
- Enter your user name or email address, then click Next.
- Enter your password.
A success message appears when you connect to FireCloud.
While you are connected to FireCloud, you are protected and can safely use your computer and browse the Internet. After you connect to FireCloud the first time, the agent keeps your session open and you remain connected even if you restart your computer.
On Mac computers, you cannot connect or disconnect the Connection Manager from the VPN System Settings. To connect to or disconnect from FireCloud, you must use the Connection Manager application.
Disconnect from FireCloud
In some cases, you might need to disconnect from FireCloud. For example, you might have to disconnect when you need to connect to a VPN.
To disconnect from FireCloud, in the system tray on your computer, right-click the FireCloud icon, then select Disconnect. After you complete your task, you must manually connect to FireCloud again.
The FireCloud access rule that applies to your user group determines whether you can manually disconnect from FireCloud.
View Connection Manager Log Messages
To help troubleshoot FireCloud connection issues, you can use the Connection Manager log messages.
To view log messages:
- In the system tray on your computer, click the FireCloud icon.
- Select View Log Messages.
You see your active log messages for the Connection Manager.
If necessary, you can save your log messages to a text file. You might do this when you work with WatchGuard Support to troubleshoot issues.
WatchGuard Agent – Installation and Upgrade Error Messages
WatchGuard Agent MSI Install Issues with WatchGuard Endpoint Security