Connect to the Local Fireware Web UI from a Remote Location

Applies To: Cloud-managed Fireboxes

Overview

WatchGuard Cloud enables you to manage a cloud-managed Firebox configuration from any remote location. You cannot manage the Firebox configuration from the local Fireware Web UI on a cloud-managed Firebox. You can use the local Fireware Web UI to troubleshoot the connection to WatchGuard Cloud, download a diagnostic log file, and upgrade Fireware.

The default WatchGuard Web UI system policy allows connections to Fireware Web UI on TCP port 8080 from internal networks that have the Web UI Access option enabled in the network settings. By default, the WatchGuard Web UI system policy does not allow connections to Fireware Web UI from external networks. Because this is a system policy, you cannot edit it.

We recommend that you do not enable Web UI Access on an external network because this adds the network to the Source list of the WatchGuard Web UI system policy and allows connections to Fireware Web UI from any IP address on the network. To connect to Fireware Web UI from a remote location, we recommend that you add a new policy to allow administrative connections from your specific location.

We strongly recommend that you use a VPN to connect to the Fireware Web UI from a remote location. This greatly increases the security of the connection. If this is not possible, we recommend that you allow access from the external network to only specific authorized users and to the smallest number of computers possible. For example, your Firebox is more secure if you allow connections from a single IP address instead of from the alias Any-External.

Add a Policy to Allow Connections from a Remote IP Address

To add a policy that allows connections from a remote IP address to Fireware Web UI:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Firewall Policies widget.
    The Firewall Policies page opens.

    Screenshot of the Firewall Policies page in WatchGuard Cloud.

  5. On the Firewall Policies page, click Add Firewall Policy.
    The Add Firewall Policy page opens.

    Screenshot of the Add Firewall Policy page, policy types selection.

  6. Select Inbound.
  7. Click Next.
    Settings for the selected policy type open.
  8. In the Name text box, type a name for this policy.
  9. From the Action drop-down list, select Allow.
  10. Click Add Traffic Types.
  11. Select the check box next to the WG-Fireware-WebUI traffic type.
  12. Click Add.
  13. To add the IP address of an external computer as the source of the traffic:
    1. Click Add Source.
      The Add Source Address dialog box opens.
    2. From the Type drop-down list, select Host IPv4 or Host IPv6, then type the IP address.
    3. Click Add.
  14. To add the Firebox as the destination of the traffic:
    1. Click Add Destination.
      The Add Destination Address dialog box opens.
    2. From the Type drop-down list, select Built-in Aliases.
    3. From the Built-in Aliases list, select Firebox.
    4. Click Add.

    Screenshot of the inbound policy page in WatchGuard Cloud

  15. Click Save.
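
Added example (not part of the WatchGuard documentation or product): a Python check that flags policy sources broader than a single host, which follows the recommendation to allow a single IP address instead of Any-External and the source selected in step 13. The policy names and source lists are constructed sample data in an assumed plain-list form, not a WatchGuard export format, and treating the alias Any as broad is an assumption.

```python
import ipaddress

# Aliases treated as "any address". Any-External is named on this page;
# "Any" is an assumed additional broad alias.
BROAD_ALIASES = {"any-external", "any"}

def classify_source(entry):
    """Classify one source entry as 'host', 'network', 'any' or 'unresolved'."""
    text = entry.strip()
    if text.lower() in BROAD_ALIASES:
        return "any"
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return "unresolved"  # some other alias or a typo; needs manual review
    if net.prefixlen == 0:
        return "any"  # 0.0.0.0/0 or ::/0
    if net.prefixlen == net.max_prefixlen:
        return "host"  # /32 for IPv4, /128 for IPv6
    return "network"

def audit_sources(sources):
    """Return (entry, reason) findings for sources broader than a single host."""
    findings = []
    for entry in sources:
        kind = classify_source(entry)
        if kind == "any":
            findings.append((entry, "matches any address on the external network"))
        elif kind == "network":
            size = ipaddress.ip_network(entry.strip(), strict=False).num_addresses
            findings.append((entry, f"network of {size} addresses, not a single host"))
        elif kind == "unresolved":
            findings.append((entry, "not an IP address; review what it resolves to"))
    return findings

# Constructed sample: inbound policies for the WG-Fireware-WebUI traffic type.
# Addresses come from documentation ranges (RFC 5737, RFC 3849).
SAMPLE_POLICIES = {
    "WebUI-from-admin-host": ["203.0.113.10"],
    "WebUI-from-office": ["198.51.100.0/24", "2001:db8::5"],
    "WebUI-open": ["Any-External"],
}

if __name__ == "__main__":
    for name, sources in SAMPLE_POLICIES.items():
        findings = audit_sources(sources)
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for entry, reason in findings:
            print(f"  {entry}: {reason}")
```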
