Change "Management Server's NAT Firebox" after "WSM Quick Setup Wizard" Completion

Okay, looks like my Google Fu failed me...

How can I make WSM understand a particular Firebox is the "Management Server's NAT Firebox"? This is a new installation (and I guess I could destroy the WSM installation and start over). But I completed the WSM Quick Setup Wizard prior to us having the Firebox installed.

So, is there a way to re-trigger the WSM Quick Setup Wizard? Or is there some other way I can denote to WSM that a device is the "Management Server's NAT Firebox"?

My root issue is I cannot designate any of the devices as the Management Tunnel Server. Only "management client" is an option on both of my devices. I believe this is because neither device is tagged as the server's NAT device.

Thanks in advance for the assistance!

-Andrew

Best Answer

  • Accepted Answer

    Not exactly a solution, but this worked for me:

    While performing some tests and inspecting the logs, my mind began to wonder if I had configured the Distribution IP Addresses correctly PRIOR to adding the first firebox device.

    So I quickly removed the first device (this is the device that is the management server's NAT device, though WSM is not indicating it as such). Then re-added the device. BINGO! While WSM still does not indicate this device is the "Management Server's NAT Firebox", it performs as such nonetheless.

    I guess the lesson here is to make sure your Distribution IP Addresses are accurate BEFORE adding devices. In hindsight, it makes sense.

    Thank you to everyone that helps on these forums!

Answers

  • Add a predefined WG-Mgmt-Server Packet Filter policy From: Any-external or the external IP addrs/domain names of your remote firewalls To: SNAT to the private IP addr of your WSM Server.

  • Thank you Bruce for the response (and all the help you've offered everyone over the years)!

    Forgot to mention I had already added that policy. However, the SNAT was pointing to the FQDN of the WSM server. Upon seeing your response, I changed the SNAT to point to the IP of the WSM server. Unfortunately, it doesn't seem to have changed the issue.

  • Watchguard Server Center -> Management Server -> Certificate Revocation List -> Distribution IP Address - this should be the external interface IP addr of your firewall which is in front of the WSM Server & WSC.
    Does this help?

    You can turn on Logging on the WG-Mgmt-Server Packet Filter policy to see incoming packets allowed by it in Traffic Monitor.
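Once logging is on for the WG-Mgmt-Server policy, the useful questions are: which remote external IPs are hitting it, are the hits being translated to the private WSM address, and are any management-port packets arriving that the policy is not catching (a sign the Distribution IP or the SNAT target is wrong). The script below is an added example, not code from this thread or from WatchGuard. The log lines are constructed for illustration and only loosely follow the Fireware Traffic Monitor layout; the field order in the regex, the management port set (4110, 4112, 4113) and the `dst_ip_nat` key name are assumptions to adjust against a real export.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on Fireware Traffic Monitor output.
# Not captured from a real device; the field layout is an assumption.
SAMPLE_LOG = """\
2023-01-10 09:15:01 Allow 198.51.100.7 203.0.113.10 4113/tcp 0-External 1-Trusted Allowed 60 64 (WG-Mgmt-Server-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="10.0.10.5"
2023-01-10 09:15:03 Allow 198.51.100.7 203.0.113.10 4110/tcp 0-External 1-Trusted Allowed 60 64 (WG-Mgmt-Server-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="10.0.10.5"
2023-01-10 09:15:09 Deny 198.51.100.9 203.0.113.10 4113/tcp 0-External Firebox Denied 60 64 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-01-10 09:16:00 Allow 10.0.10.50 93.184.216.34 443/tcp 1-Trusted 0-External Allowed 60 64 (HTTPS-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10"
"""

# Positional fields, then the policy name in parentheses, then key="value" pairs.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<port>\d+)/(?P<proto>\w+) (?P<in_if>\S+) (?P<out_if>\S+) \S+ \d+ \d+ '
    r'\((?P<policy>[^)]+)\)(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# TCP ports the predefined WG-Mgmt-Server packet filter covers (assumption;
# check the policy definition on your own Firebox).
MGMT_PORTS = {4110, 4112, 4113}


def parse_line(line):
    """Turn one Traffic Monitor line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # Merge the trailing key="value" pairs (proc_id, rc, dst_ip_nat, ...).
    rec.update(KV_RE.findall(rec.pop("rest")))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def mgmt_summary(records, expected_snat_ip):
    """Per remote source IP, count WG-Mgmt-Server hits translated to the
    expected private WSM address; collect hits translated elsewhere and
    management-port packets that some other policy handled (or denied)."""
    allowed = Counter()
    bad_nat = []
    unhandled = []
    for r in records:
        if r["proto"] != "tcp" or r["port"] not in MGMT_PORTS:
            continue
        if r["policy"].startswith("WG-Mgmt-Server"):
            if r.get("dst_ip_nat") == expected_snat_ip:
                allowed[r["src"]] += 1
            else:
                bad_nat.append(r)
        else:
            unhandled.append(r)
    return {"allowed": dict(allowed), "bad_nat": bad_nat, "unhandled": unhandled}


if __name__ == "__main__":
    summary = mgmt_summary(parse_log(SAMPLE_LOG), "10.0.10.5")
    for src, n in summary["allowed"].items():
        print(f"{src}: {n} management connection(s) SNATed to WSM")
    for r in summary["bad_nat"]:
        print(f"WARNING: {r['src']} hit {r['policy']} but NAT target was {r.get('dst_ip_nat')}")
    for r in summary["unhandled"]:
        print(f"WARNING: {r['action']} {r['src']} -> {r['dst']}:{r['port']} handled by {r['policy']}")
```

In the constructed sample, 198.51.100.7 is a remote firewall reaching WSM correctly, while 198.51.100.9 is reaching the right external IP on a management port but being denied as an unhandled packet, which is the pattern you would expect if that site's external address is not covered by the policy's From list.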

  • Thank you again for the quick response!

    Yep, double-checked Distribution IP Addresses. They look good.

    I have just now turned on logging for the WG-Mgmt-Server packet filter policy. I'll perform some test actions and inspect the traffic logs. Good suggestion!

  • If you change your Distribution IP Addresses, in WSM Server, for the remote firewalls, you can Update Device, select both Update Client Settings check boxes.
    This will reset and update the Management Server properties (IP address, host name, shared secret, and lease time) on the remote firewall.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/centralized_management/device_update_remove_wsm.html
