About the WatchGuard Connection Manager

Applies To: FireCloud Internet Access, FireCloud Total Access

For FireCloud to protect your users, they must have the WatchGuard Connection Manager installed on their device and use it to connect to FireCloud. When a user is connected to FireCloud, Internet traffic from their device routes through the nearest WatchGuard point of presence (PoP) where FireCloud performs scanning services such as Intrusion Prevention Service.

If you have FireCloud Total Access, the Connection Manager also connects you to remote private resources on your corporate network.

FireCloud uses the WatchGuard Agent to deploy and install the WatchGuard Connection Manager. The WatchGuard Agent handles communication between managed computers and the WatchGuard server. The agent is installed on each endpoint or computer, and is used to deploy WatchGuard software, such as the WatchGuard Connection Manager and Endpoint Security software. It has low CPU, memory, and bandwidth usage and uses less than 2 MB of data each day. To learn more about the WatchGuard Agent, go to About the WatchGuard Agent.

When you download the installer from FireCloud, you are downloading the WatchGuard Agent. When you install the WatchGuard Agent, it communicates with WatchGuard Cloud and installs all the software that your account and computer are currently licensed for, based on the deployment behavior configured in WatchGuard Cloud. By default, when there is only one product installed by the WatchGuard Agent, the deployment behavior is set to Install. If your account has more than one product that uses the WatchGuard Agent to install software, you might need to configure a deployment centrally on the Agent Deployment page. For more information, go to Configure WatchGuard Agent Deployment in WatchGuard Cloud.

When WatchGuard releases a new version of the WatchGuard Connection Manager, the WatchGuard Agent automatically downloads and installs the new version so that your users are always up to date.

If your FireCloud license or trial expires and your account is not licensed for FireCloud, the WatchGuard Agent automatically uninstalls the WatchGuard Connection Manager on all your end-user devices. When your account has an active FireCloud license again, the WatchGuard Agent automatically downloads and installs the WatchGuard Connection Manager again.

Each WatchGuard Cloud account has a unique version of the WatchGuard Agent installed. Only FireCloud users from the same WatchGuard Cloud account can use the installer from that account. If you are a Service Provider, do not use the same installer to deploy FireCloud for multiple managed accounts.

Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.

Network Access Requirements

Connections to these host names are required for the WatchGuard Agent to connect to WatchGuard Cloud through your firewall.

Host Names             Ports
*.pandasecurity.com    TCP 443
*.pandasoftware.com    TCP 80
*.windows.net

How the Connection Manager Works

While you are connected to FireCloud, FireCloud protects you from threats so that you can safely use your computer and browse the Internet. After you connect to FireCloud for the first time, the agent keeps your session open and you remain connected even if you restart your computer. For more detailed information, go to Connection Manager Authentication Sessions.

When you are connected to FireCloud, you can continue to connect to local resources on your network, such as printers. With FireCloud Total Access, you can also connect to remote resources on the corporate network.

If you have to connect to a VPN, you must first manually disconnect from FireCloud. After you disconnect from FireCloud, you must manually log in and connect again to remain protected.

If you cannot connect to FireCloud, or if you manually disconnect from FireCloud, you can still connect to the Internet but FireCloud will not protect you.

If the WatchGuard Connection Manager cannot authenticate or connect to FireCloud for more than one hour, you are prompted to log in again.

If you go to your office and connect to the corporate network when your computer is already connected to FireCloud, your firewall configuration might affect how your traffic is handled. FireCloud uses UDP port 4500 to communicate with WatchGuard points of presence (PoP).

  • If port 4500 is open when connected to your corporate network, the Connection Manager continues to pass traffic through FireCloud.
  • If port 4500 is blocked when connected to your corporate network, the client connection to FireCloud fails to open and the client passes traffic as it normally does when connected to the corporate network. However, the WatchGuard Connection Manager continually attempts to connect to the FireCloud PoP while behind the firewall.
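The Network Access Requirements table and the port 4500 bullets above describe what an egress firewall must allow. The following is an added example, not WatchGuard code: a small policy checker that takes an assumed rule format (ordered allow/deny rules, first match wins, implicit deny) and reports which agent destinations the policy blocks and which of the two port 4500 behaviours to expect. The sample policies are constructed; PoP addresses are not listed on this page, so the tunnel check uses a placeholder host.

```python
import fnmatch

# Egress destinations the WatchGuard Agent needs, taken from the Network
# Access Requirements table above (host wildcards and TCP ports).
AGENT_HOSTS = ["*.pandasecurity.com", "*.pandasoftware.com", "*.windows.net"]
AGENT_PORTS = [("tcp", 443), ("tcp", 80)]
# The Connection Manager tunnel to the PoP uses UDP 4500. PoP addresses are
# not listed in this document, so the tunnel check needs a rule on any host.
POP_TUNNEL = ("udp", 4500)

# Assumed egress policy format (not a WatchGuard format): ordered rules, first
# match wins, implicit deny. A rule is (action, host_pattern, proto, port)
# where proto and port may be "any".
def first_match(rules, host, proto, port):
    """Return 'allow' or 'deny' for one destination under the policy."""
    for action, pattern, r_proto, r_port in rules:
        if r_proto not in ("any", proto) or r_port not in ("any", port):
            continue
        if fnmatch.fnmatchcase(host, pattern):
            return action
    return "deny"

def requirement_host(pattern):
    """Stand-in hostname for a wildcard requirement: '*.x.com' -> 'host.x.com'.
    Any rule as broad as the wildcard matches the stand-in (heuristic check)."""
    return pattern.replace("*", "host")

def missing_agent_access(rules):
    """(host_pattern, proto, port) tuples the agent needs but the policy denies."""
    return [(pattern, proto, port)
            for pattern in AGENT_HOSTS for proto, port in AGENT_PORTS
            if first_match(rules, requirement_host(pattern), proto, port) != "allow"]

def pop_tunnel_behavior(rules):
    """Predict the UDP 4500 behaviour described in the bullets above."""
    proto, port = POP_TUNNEL
    if first_match(rules, "pop.placeholder.invalid", proto, port) == "allow":
        return "tunnel opens: traffic continues through FireCloud"
    return "tunnel blocked: traffic passes directly; client keeps retrying the PoP"

# Constructed sample policies for illustration.
OPEN_POLICY = [("allow", "*.pandasecurity.com", "tcp", "any"),
               ("allow", "*.pandasoftware.com", "tcp", "any"),
               ("allow", "*.windows.net", "tcp", 443),
               ("allow", "*", "udp", 4500)]
RESTRICTED_POLICY = [("deny", "*", "udp", 4500), ("allow", "*", "any", 443)]

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, missing_agent_access(policy), pop_tunnel_behavior(policy))
```

The open policy still misses TCP 80 to *.windows.net, which is the kind of partial allowlist that leaves agent updates failing while the tunnel works.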

After you disconnect from the corporate network, you might need to manually connect to FireCloud again.

To see the status of your connection to FireCloud, point to the Connection Manager icon in the system tray. The icon color indicates the connection status:

Status    Definition
[icon]    Connected to point of presence and routing Internet traffic through FireCloud.
[icon]    Connected to point of presence but cannot connect to the Internet.
[icon]    Not connected.

Connection Manager Connection Flow

This section explains the connection flow when a FireCloud user connects to a remote private resource.

  1. User connects to FireCloud and authenticates.
  2. Connection Manager establishes a WireGuard tunnel to the nearest WatchGuard point of presence (PoP).
  3. FireCloud runs scanning services, such as Intrusion Prevention Service.
  4. FireCloud passes the connection out to the Internet.
  5. When a user must pass traffic or connect to a private resource:
    1. FireCloud routes the connection from the PoP through a WireGuard tunnel that connects the PoP and the FireCloud Gateway on your network.
    2. FireCloud routes the connection from the FireCloud Gateway to the appropriate resource on your network.

Connection Manager Authentication Sessions

When you authenticate with the Connection Manager and connect to FireCloud, the Connection Manager establishes two sessions.

  • The first session is established with the Identity Provider (IdP), for example AuthPoint.
  • The second session is established with FireCloud, allowing connection to a FireCloud PoP.

The Connection Manager caches the IdP session, and this session remains valid until the Connection Manager application is stopped or restarted, the system is rebooted, or the session is invalidated by the identity provider (for example the session reaches the IdP's timeout).

The FireCloud session remains valid until you select Disconnect from the Connection Manager menu.

The FireCloud access rule that applies to your user group determines whether you can manually disconnect from FireCloud.

The scenarios below describe how the Connection Manager uses each session and what the expected behavior is.

Download and Install the WatchGuard Agent and Connection Manager

You download the WatchGuard Agent from the FireCloud UI in WatchGuard Cloud. You can also get a link to the installer for your account and distribute this link to your users so they can download and install the Connection Manager themselves.

For detailed steps to download and install the WatchGuard Agent and WatchGuard Connection Manager for Windows and macOS, go to Install the WatchGuard Agent and Connection Manager on Windows and Mac Computers.

For detailed steps to download and install the WatchGuard Agent and WatchGuard Connection Manager for mobile devices, go to Install the WatchGuard Agent and Connection Manager on Mobile Devices.

Related Topics

About the WatchGuard Agent

Download and Install the WatchGuard Agent from WatchGuard Cloud

Configure WatchGuard Agent Deployment in WatchGuard Cloud

WatchGuard Agent – Installation and Upgrade Error Messages

WatchGuard Agent MSI Install Issues with WatchGuard Endpoint Security