Allow HTTP to non-standard port

This is probably a super basic question but I have not managed to figure it out.

I need to allow users to access HTTP on port 9000 at a particular external IP address. Currently they seem blocked by the firewall. I've tried adding a custom http proxy with that port for all external addresses but something is not right as the firewall still blocks it.

Would anyone be able to provide a quick step-by-step of how to do this?

Many thanks in advance


  • Options

    1) use a Custom Packet Filter for TCP port 9000
    2) you need to set up a SNAT to allow incoming access to devices behind your firewall which have private IP addrs
    3) on the Custom Packet Filter policy - From: Any-external To: the SNAT that you set up

    Here is an example using WSM Policy Manager to do something similar. It does explain the steps needed.

    Use NAT for Public Access to Servers with Private IP Addresses on the Private Network
    https://www.watchguard.com/help/configuration-examples/nat_to_email_servers_configuration_example (en-US).pdf

  • Options

    Thanks for the reply! Just before I get heavily into the link, can you confirm you've understood my use case?

    I'm looking to allow users on internal network access external website on port 9000 in their web-browsers. I.e. they can navigate to http://somewhere.com:9000 without it being blocked.

    I'm not looking to allow incoming access to devices behind my firewall.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Rathga,

    By default the firewall will allow all outbound traffic, but if the default outgoing rule has been removed.

    In the WebUI:
    -Go to Firewall -> Firewall Policies.
    -Click Add Policy. (If you have multiple admins enabled, click the lock to allow changes first.)
    -Under select policy type, choose CUSTOM, then click ADD.
    -For name, name this something you'll remember, like Web9000. If you see an option, leave it on type: packet filter.
    -Under Protocols, click ADD. Choose Single Port, TCP, port 9000, then click OK.
    -Click SAVE.
    -You'll be taken back to the ADD Firewall policy page. In the Custom area, the policy type 'web9000' should now be in the drop down list. Select it, then click ADD POLICY.
    -By default, the rule will be from any-trusted to any-external. If this is OK, click SAVE, otherwise change it to match your network.

    In policy manager:
    -Go to edit -> add policy.
    -Click Manage Custom, then New.
    -In the new template window, name the template something like 'web9000', leave the option on packet filter, then click add.
    -Choose Single Port, TCP, port 9000, then click OK.
    -Click OK, then Close.
    -Now, when you expand custom, you should see your web9000 template. Highlight it and click add policy.
    -By default, the rule will be from any-trusted to any-external. If this is OK, click OK, then save the config to your firewall. Otherwise change it to match your network.

    -James Carson
    WatchGuard Customer Support

  • Options
    edited July 2020

    Please post a Traffic Monitor log entry showing the deny to this external web site.

    My post was for instructions for incoming access to an internal server, not for outgoing access.

Sign In to comment.