The WatchGuard Authentication (WG-Auth) policy is automatically added to your Firebox configuration when you add the first policy that has a user or group name in the From list on the Policy tab of the policy definition. The WG-Auth policy controls access to port 4100 on your Firebox. Your users send authentication requests to the device through this port. For example, to authenticate to a Firebox with an IP address of 10.10.10.10, in the web browser address bar, your users type https://10.10.10.10:4100.
If you want to send an authentication request through a gateway Firebox to a different device, you might have to add the WG-Auth policy manually. If authentication traffic is denied on the gateway Firebox, you must add the WG-Auth policy and modify the policy to allow traffic to the IP address of the destination device.
For more information on when to modify the WatchGuard Authentication policy, see Use Authentication to Restrict Incoming Connections.