Management Interface Exposure Warnings

It is common to want to manage your Firebox remotely, and you can do this securely. However, you must not overexpose your Firebox management interfaces.

We recommend that you never add the Any-External alias, or other aliases that expose the Firebox management interfaces to the Internet, to either of the Firebox management policies (WatchGuard and WatchGuard Web UI), because that exposes the management interfaces to anyone on the Internet.

In Fireware 12.1.3 Update 8, Fireware 12.5.9 Update 2, or Fireware 12.7.2 Update 2 and higher, you see warning messages in Policy Manager and Fireware Web UI if any Firebox management policies have any combination of these policy settings:

Policy Template

  • Any
  • WG-Firebox-Mgmt
  • WG-Fireware-XTM-WebUI

From

  • ::/0
  • 0.0.0.0/0
  • Any alias
  • Any-External alias
  • Any other alias for an external interface

To

  • Firebox alias
  • Any alias

If your configuration contains policies that match these settings, you see a warning above the firewall policy list (Policy Manager and Fireware Web UI) and Front Panel (Fireware Web UI). The warning includes the names of the affected policies. Click the name of a policy to open the policy and update the policy settings.

Similarly, if you try to save a Firebox management policy that includes settings that expose the Firebox management interfaces to the Internet, you see a message and must confirm that you want to save the policy.

We strongly recommend that you configure any Firebox management policies to restrict management access to the Firebox to a very limited number of IP addresses. Alternatively, you can use VPN with multi-factor authentication to make sure that only authorized users can manage the Firebox.

To secure the Firebox management policies, follow the guidelines in the Firebox Remote Management Best Practices Knowledge Base article and Secure Firebox Management Access video tutorial.

For information about how to configure the firewall policies that allow management access to the Firebox, see Administer the Firebox from a Remote Location.

See Also

Firebox Remote Management Best Practices (Knowledge Base article)

Secure Firebox Management Access (video tutorial)

Use Authentication to Restrict Incoming Connections

Define a New User for Firebox Authentication

Use Users and Groups in Policies