About the WatchGuard Connection Manager
Applies To: FireCloud Internet Access
For FireCloud to protect your users, they must have the WatchGuard Connection Manager installed on their device and use it to connect to FireCloud. When a user is connected to FireCloud, Internet traffic from their device routes through the nearest WatchGuard point of presence (PoP).
FireCloud uses the WatchGuard Agent to deploy and install the WatchGuard Connection Manager. The WatchGuard Agent handles communication between managed computers and the WatchGuard server. The agent is installed on each endpoint or computer, and is used to deploy WatchGuard software, such as the WatchGuard Connection Manager and Endpoint Security software. It has low CPU, memory, and bandwidth usage and uses less than 2 MB of data each day. To learn more about the WatchGuard Agent, go to About the WatchGuard Agent.
When you download the installer from FireCloud, you are downloading the WatchGuard Agent. When you install the WatchGuard Agent, it communicates with WatchGuard Cloud and installs all the software that your account and computer are currently licensed for. When WatchGuard releases a new version of the WatchGuard Connection Manager, the WatchGuard Agent automatically downloads and installs the new version so that your users are always up to date.
If your FireCloud license or trial expires and your account is not licensed for FireCloud, the WatchGuard Agent automatically uninstalls the WatchGuard Connection Manager on all your end-user devices. When your account has an active FireCloud license again, the WatchGuard Agent automatically downloads and installs the WatchGuard Connection Manager again.
Each WatchGuard Cloud account has a unique version of the WatchGuard Agent installed. Only FireCloud users from the same WatchGuard Cloud account can use the installer from that account. If you are a Service Provider, do not use the same installer to deploy FireCloud for multiple managed accounts.
Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.
Network Access Requirements
Connections to these host names are required for the WatchGuard Agent to connect to WatchGuard Cloud through your firewall.
Host Names | Ports |
---|---|
*.pandasecurity.com, *.pandasoftware.com, *.windows.net | TCP 443, TCP 80 |
How the Connection Manager Works
While you are connected to FireCloud, FireCloud protects you from threats so that you can safely use your computer and browse the Internet. After you connect to FireCloud for the first time, the agent keeps your session open and you remain connected even if you restart your computer. For more detailed information, go to Connection Manager Authentication Sessions.
When you are connected to FireCloud, you can continue to connect to local resources on your network, such as printers.
If you have to connect to a VPN, you must first manually disconnect from FireCloud. After you disconnect from FireCloud, you must manually log in and connect again to remain protected.
If you cannot connect to FireCloud, or if you manually disconnect from FireCloud, you can still connect to the Internet but FireCloud will not protect you.
If the WatchGuard Connection Manager cannot authenticate or connect to FireCloud for more than one hour, you are prompted to log in again.
If you go to your office and connect to the corporate network when your computer is already connected to FireCloud, your firewall configuration might affect how your traffic is handled. FireCloud uses UDP port 4500 to communicate with WatchGuard points of presence (PoP).
- If port 4500 is open when connected to your corporate network, the connection manager continues to pass traffic through FireCloud.
- If port 4500 is blocked when connected to your corporate network, the client connection to FireCloud fails to open and the client passes traffic as it normally does when connected to the corporate network. However, the WatchGuard Connection Manager continually attempts to connect to the FireCloud PoP while behind the firewall.
After you disconnect from the corporate network, you might need to manually connect to FireCloud again.
To see the status of your connection to FireCloud, point to the connection manager icon in the system tray. The icon color indicates the connection status:
Status | Definition |
---|---|
Icon (image not shown) | Connected to point of presence and routing Internet traffic through FireCloud. |
Icon (image not shown) | Connected to point of presence but cannot connect to the Internet. |
Icon (image not shown) | Not connected. |
Connection Manager Authentication Sessions
When you authenticate with the Connection Manager and connect to FireCloud, the Connection Manager establishes two sessions:
- The first session is established with the Identity Provider (IdP), for example AuthPoint.
- The second session is established with FireCloud, which allows the connection to a FireCloud PoP.
The Connection Manager caches the IdP session, and this session remains valid until the Connection Manager application is stopped or restarted, the system is rebooted, or the session is invalidated by the identity provider (for example the session reaches the IdP's timeout).
The FireCloud session remains valid until you select Disconnect from the Connection Manager menu.
The scenarios below describe how the Connection Manager uses each session and what the expected behavior is.

When you first connect to FireCloud with the Connection Manager, you are shown the identity provider login page. You must enter your user name and password to authenticate with the identity provider.
If the authentication is successful, the Connection Manager caches the new IdP session.
After the successful identity provider authentication, the Connection Manager establishes a new FireCloud session, which allows the Connection Manager to connect to a FireCloud PoP and begin to pass traffic.

When you manually disconnect from FireCloud, the Connection Manager logs out of FireCloud and the FireCloud session is invalidated. The Connection Manager retains the cached IdP session.
When you open the Connection Manager and connect to FireCloud:
- If the cached IdP session is valid and has not timed out, the Connection Manager uses the existing IdP session to establish a new FireCloud session. Because the established IdP session is reused, you are not prompted to log in.
- If the cached IdP session is invalid (for example, if it has timed out), the Connection Manager requires you to log in with the identity provider to create a new IdP session. After the identity provider has authenticated you and the Connection Manager has created a new IdP session, the Connection Manager establishes a new FireCloud session.

When you reboot a computer, the Connection Manager starts automatically but does not retain the previous IdP session. The behavior of the Connection Manager after a reboot depends on whether you disconnected from FireCloud before the reboot.
If you manually disconnect from FireCloud before the reboot, the Connection Manager requires you to log in with the identity provider to create a new IdP session. After the identity provider has authenticated you and a new IdP session has been created, the Connection Manager establishes a new FireCloud session.
If you reboot while still connected to FireCloud, after the reboot the Connection Manager attempts to resume the previously established FireCloud session.
- If this action succeeds, the Connection Manager connects to FireCloud (you are not required to log in), but there will no longer be a cached IdP session.
- If this action does not succeed, the Connection Manager requires you to log in. After the identity provider has authenticated you and a new IdP session has been created, the Connection Manager establishes a new FireCloud session.
Download and Install the WatchGuard Agent and Connection Manager
You download the WatchGuard Agent from the FireCloud UI in WatchGuard Cloud. You can also get a link to the installer for your account and distribute this link to your users so they can download and install the connection manager themselves.
To download the WatchGuard Agent (used to install the WatchGuard Connection Manager):
- Log in to WatchGuard Cloud and go to Configure > FireCloud.
- Select Client Download. The Client Download page opens.
- Click Download Installer. The WatchGuard Agent installer download begins.
- If you want to send the installer to your users so they can download and install the agent themselves, click Copy Installer URL. You can send this link to your users.
You can use multiple methods to deploy the WatchGuard Agent. The simplest method is to run the installer manually.
You can also use a Windows command prompt to install the WatchGuard Agent, or you can use the command line option for deployment through an Active Directory Group Policy Object (GPO).

- Run the downloaded installer.
- Click Install. The installation of the WatchGuard Agent can take several minutes.
- When the installation is complete, click Finish.
- After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager. When this is finished, the Connection Manager opens and you are prompted to enter your credentials to connect to FireCloud. You use the credentials for the user account in your identity provider.

- From the Windows Start menu, right-click Command Prompt, then select Run as Administrator. A Windows Command Prompt window opens.
- Change the directory to the location of the downloaded WatchGuard Agent .MSI file.
- To run the WatchGuard Agent installer, run the command msiexec -i WatchGuard_Agent.msi.
To install the agent silently, with no user interaction required, append /q or /qn to the command. To prevent a computer restart when the installation completes, append /norestart to the command. For more information, go to the Microsoft Documentation for the msiexec Command.

You can use the commands described in the previous procedure to install the WatchGuard Agent remotely on multiple computers through an Active Directory Group Policy Object (GPO). You must use an installation method that supports command line parameters.
If you do not want to install the WatchGuard Agent on computers that already have the agent installed, you can configure your script to prevent the installation on those computers.
You can use one of these methods to configure a GPO to install from an .MSI file with command line parameters:
Option 1 — Create a System Startup GPO That Runs a Batch File
Configure a GPO for a startup script or logon script that runs a batch file that installs the WatchGuard Agent. The batch file contains only one line, which specifies the network path to the .MSI file. The other parameters are the same as described in the previous procedure for installation from a Windows command prompt.
msiexec -i "[path]\WatchGuard_Agent.msi"
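As an added example, not a WatchGuard script, here is a PowerShell startup script that does the same job as the one-line batch file, using the msiexec parameters described above, and also skips computers where the agent is already installed as suggested earlier. The network share path, the log file path, and the assumption that an installed agent registers an Add/Remove Programs entry whose DisplayName starts with "WatchGuard Agent" are assumptions; verify them in your environment.

```powershell
# Added example: silent WatchGuard Agent deployment for a GPO startup script.
# Assumptions (not from the WatchGuard documentation): the .MSI sits on the share
# below, and an installed agent has an uninstall entry whose DisplayName starts
# with "WatchGuard Agent". Check both on a test computer before rolling this out.
$MsiPath     = '\\fileserver\deploy\WatchGuard_Agent.msi'   # hypothetical share path
$LogPath     = "$env:ProgramData\WatchGuard_Agent_install.log"
$NamePattern = 'WatchGuard Agent*'

# Look for an existing installation in both the 64-bit and 32-bit uninstall
# hives, so the script is safe to run at every startup.
function Test-AgentInstalled {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }
    return [bool]$found
}

if (Test-AgentInstalled) {
    Write-Output 'WatchGuard Agent already installed; nothing to do.'
    exit 0
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "Installer not found at $MsiPath"
    exit 1
}

# /i installs, /qn runs fully silent, /norestart suppresses the reboot, and
# /L*v writes a verbose log you can hand to WatchGuard Support if needed.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success; 3010 = success with a restart pending (expected when /norestart is used).
switch ($proc.ExitCode) {
    0       { Write-Output 'WatchGuard Agent installed.' }
    3010    { Write-Output 'WatchGuard Agent installed; restart pending.' }
    default { Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}
exit $proc.ExitCode
```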
Option 2 — Create a Software Installation GPO That Uses a Transform (MST) File
Use the Orca tool in the Windows Software Development Kit (SDK) to create a transform file (.MST) that contains the required command line parameters. To download the Windows SDK, go to the Windows SDK page from Microsoft.
To create the .MST file in Orca:
- Open Orca.
- Select File > Open and select the WatchGuard Agent .MSI file you downloaded.
- To start a new transform, select Transform > New Transform.
- To save the transform file, select File > Save Transformed As. The Save Transform As dialog box opens.
- Select the location to save the .MST file to.
- In the File Name text box, type a name for the .MST file, then click Save. The .MST file saves to the location you specified.
- Copy the original .MSI file to the directory that contains the .MST file.
- To manually test the installation, type this command:
msiexec -i WatchGuard_Agent.msi TRANSFORMS="[WatchGuard Agent .MST file name]"
After you create the .MST file, create a Software Installation GPO that includes both the .MSI and .MST files.
To create the Software Installation GPO:
- Open the Group Policy Management Editor.
- Navigate to the software installation settings.
- Right-click and select New > Package.
- Specify the network path to the .MSI file.
- Select Advanced.
- Select the Modifications tab.
- Click Add.
- Specify the network path to the .MST file.
- Click OK.
- From the Windows Start menu, right-click Command Prompt and select Run as Administrator. A Windows Command Prompt window opens.
- Use the gpupdate command to refresh the group policy settings.
- To test the GPO, reboot a computer in the domain.
Connect to FireCloud with the WatchGuard Connection Manager
To connect to FireCloud, from WatchGuard Connection Manager:
- Open the WatchGuard Connection Manager.
- Click Connect.
- Enter your user name or email address, then click Next.
- Enter your password.
A success message appears when you connect to FireCloud.
While you are connected to FireCloud, you are protected and can safely use your computer and browse the Internet. After you connect to FireCloud the first time, the agent keeps your session open and you remain connected even if you restart your computer.
Disconnect from FireCloud
In some cases, you might need to disconnect from FireCloud. For example, you might have to disconnect when you need to connect to a VPN.
To disconnect from FireCloud, in the system tray on your computer, right-click the FireCloud icon, then select Disconnect. After you complete your task, you must manually connect to FireCloud again.
View Connection Manager Log Messages
To help troubleshoot FireCloud connection issues, you can use the connection manager log messages.
To view log messages:
- In the system tray on your computer, click the FireCloud icon.
- Select View Log Messages.
You see your active log messages for the connection manager.
If necessary, you can save your log messages to a text file. You might do this when you work with WatchGuard Support to troubleshoot issues.