Administer Your Firebox From a Remote Location

When you run the Quick Setup Wizard to configure a Firebox, the WatchGuard policy is created automatically. This policy allows you to connect to and administer the Firebox from any computer on the trusted or optional networks. To manage the Firebox from a remote location (any location external to the device), you must modify the WatchGuard policy to allow administrative connections from the IP address of your remote location.

The WatchGuard policy controls access to the Firebox on these TCP ports: 4105, 4117, 4118. When you allow connections in the WatchGuard policy, you allow connections to each of these ports.

Rather than modify the WatchGuard policy, you can use a VPN to connect to the Firebox. This greatly increases the security of the connection. If this is not possible, we recommend that you allow access from the external network to only certain authorized users and to the smallest number of computers possible. For example, your configuration is more secure if you allow connections from a single computer instead of from the alias Any-External.

To disable the ability to manage your Firebox from a specific remote location, remove the IP address or alias of the remote location from the WatchGuard policy. Make sure not to remove the Any-Trusted alias from the policy, because this allows computers on the trusted network to manage the Firebox.

To modify the WatchGuard policy from Fireware Web UI:

  1. Select Firewall > Firewall Policies.
  2. Click the WatchGuard policy.
    Or, select the WatchGuard policy and from the Action drop-down list, select Edit Policy.
    The Firewall Policies/Edit page appears.

Screen shot of the WatchGuard Policy Configuration page

  3. In the From section, click Add.
    The Add Member dialog box appears.

Screen shot of the Add Member dialog box

  4. To add the IP address of the external computer that connects to the Firebox, from the Member type drop-down list, select Host IP, and click OK. Type the IP address.
  5. To give access to an authorized user, from the Member Type drop-down list, select Alias.
    For information about how to create an alias, see Create an Alias.

To modify the WatchGuard policy from Policy Manager:

  1. Double-click the WatchGuard policy.
    Or, right-click the WatchGuard policy and select Modify Policy.
    The Edit Policy Properties dialog box appears.

Screen shot of the Edit Policy Properties dialog box

  2. In the From section, click Add.
    The Add Address dialog box appears.

Screen shot of the Add Address dialog box

  3. To add the IP address of the external computer that connects to the Firebox, click Add Other.
    The Add Member dialog box appears.
  4. Make sure Host IP is the selected type, and type the IP address. Click OK.
  5. To give access to an authorized user, in the Add Address dialog box, click Add User.
    The Add Users or Groups dialog box appears.
    For information about how to create an alias, see Create an Alias.
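After you change the From list with either procedure, you can confirm the result from both sides: the three policy ports should answer from the remote address you added and should not answer from any other external address. The script below is an added example, not WatchGuard code; the function names are hypothetical, and it assumes that a connection attempt that gets no answer means the packet was dropped by policy.

```python
"""Check WatchGuard policy exposure from the machine this script runs on."""
import socket
import sys

# TCP ports the page says the WatchGuard policy controls.
WATCHGUARD_POLICY_PORTS = (4105, 4117, 4118)


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable errors
        return "filtered"


def check_exposure(host, should_be_allowed, ports=WATCHGUARD_POLICY_PORTS, timeout=3.0):
    """Compare observed port state with what the From list should permit.

    should_be_allowed is True when this machine's address is in the policy's
    From list, False when it is an external address that was never added or
    has been removed. Returns (results, findings).
    """
    results = {port: probe(host, port, timeout) for port in ports}
    findings = []
    for port, state in results.items():
        if state == "open" and not should_be_allowed:
            findings.append(f"tcp/{port} reachable from an address that should be blocked")
        elif state == "filtered" and should_be_allowed:
            # Assumption: no answer at all means the policy did not match.
            findings.append(f"tcp/{port} not reachable from an address in the From list")
    return results, findings


if __name__ == "__main__":
    # Usage: python check_exposure.py <firebox-address> allowed|blocked
    target, expectation = sys.argv[1], sys.argv[2]
    states, problems = check_exposure(target, expectation == "allowed")
    for port, state in states.items():
        print(f"tcp/{port}: {state}")
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it once with `allowed` from the remote computer you added and once with `blocked` from an external address that is not in the From list; a non-zero exit status means the observed exposure does not match the policy you intended.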

See Also

Define a New User for Firebox Authentication

Use Users and Groups in Policies