About the Gateway Firebox
The gateway Firebox is the Firebox that helps protect your Management Server from the Internet. When you run the WatchGuard Server Center Setup Wizard to set up your Management Server, you choose whether to use a gateway Firebox. We recommend that you always use a gateway Firebox.
When you add an IP address for your gateway Firebox, the wizard does three things:
- Uses the IP address that you specify to connect to the gateway Firebox to update the configuration.
  The wizard automatically adds the Management Server policy (WG-Mgmt-Server) to the configuration file of the gateway Firebox. This policy allows inbound connections on TCP ports 4112 and 4113 from Any-External. The policy destination is a static NAT action that translates the external interface IP address of the gateway Firebox to the private IP address of the Management Server.
  If you do not specify an IP address for the gateway Firebox in the wizard, you must configure the firewall that is between the Management Server and the Internet to allow inbound connections to the Management Server on TCP ports 4112 and 4113.
- If you have an earlier version of WatchGuard System Manager, and have a Firebox configured as a DVCP server, the wizard gets the DVCP server information from the gateway Firebox and applies these settings to your Management Server.
- The wizard sets the IP address for the Certificate Revocation List (CRL).
  After the Management Server is set up, the devices you add as managed clients use this IP address to connect to the Management Server. This IP address must be the public IP address your Management Server shows to the Internet.
  If you do not specify an IP address, the wizard uses the current IP address on the computer where your Management Server is installed for the CRL IP address. If this is not the IP address your computer shows to the Internet because it is behind a device that does NAT (Network Address Translation), you must change the CRL to use the public IP address of your Management Server.
  If you use a gateway Firebox that does NAT, make sure that it is the same version as your Management Server. For example, if your Management Server is v11.5.x, your gateway Firebox with NAT must be v11.5.x or higher.
For more information, see Update the Management Server with a New Gateway Firebox Address.
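A check for the two conditions described above, added here as an example (it is not WatchGuard code): that the address used for the Management Server and CRL is not a private, NAT-side address, and that TCP ports 4112 and 4113 accept connections on it. The function names and the sample address 203.0.113.10 are assumptions made for this example.

```python
import ipaddress
import socket
import sys

# Ports the WG-Mgmt-Server policy allows inbound (from the page).
MGMT_PORTS = (4112, 4113)

# IPv4 ranges that managed devices on the Internet cannot reach directly.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_publicly_routable(addr):
    """Return False if addr falls in a private, NAT-side or local range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def check_management_path(addr, ports=MGMT_PORTS, timeout=3.0):
    """Return a list of problems found; an empty list means none were found."""
    findings = []
    if not is_publicly_routable(addr):
        findings.append(f"{addr} is not a public address; do not use it as the CRL IP address")
    for port in ports:
        if not port_open(addr, port, timeout):
            findings.append(f"TCP {port} is not reachable on {addr}")
    return findings


if __name__ == "__main__":
    # 203.0.113.10 is a constructed sample (documentation range); pass your own.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    problems = check_management_path(target)
    for line in problems:
        print("PROBLEM:", line)
    sys.exit(1 if problems else 0)
```

Run it from a host outside the firewall, so the result reflects what remote managed devices see.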