Add Pre-Configured Devices To Management Server Software?

Hello, I am currently running an M270 in my main office and I am trying to get a T20 set up for remote users where I can administer both devices (and hopefully more in the future) with the Watchguard Management Server (WMS) software.

From what I am reading online, I need to run the Quick Setup program before I can use WSM. Unfortunately, it looks like the devices need to be factory reset so that they can be discovered by the software. This doesn't work for me since the M270 is in the main office and I can't easily factory reset it.

Is there another way to add the pre-configured M270 to WSM without having to reset it?

Side note, has anyone used a T20 in a Double-NAT position? The odds are that the T20 will be behind another firewall. Just want to make sure that this will even work.



  • Options

    How is your M270 being managed now?

    You should not need to reset it to factory default be managed by WSM Server.
    You can change the MGT setting on the firewall config or via WSM Server.
    I have done this many times.

    While double NAT is not preferred, it should work.

  • Options

    Only management is via GUI. Is the Management Server a sub-menu of System Manager?

  • Options
    edited April 2021

    Start WSM, select File -> Connect to Server
    (there is also a Connect to Server icon)
    Watchguard Server Center needs to be configured first the enable the WSM Server.

    You will need a WSM Server license or license bundle for each firewall that you want to manage. A M270 comes with a 4 unit license - which means that you are good for up to 4 firewalls in WSM Server prior to needing to add additional WSM Server licenses.

    You can also manage a firewall via WSM -> File -> Connect to Device,
    (there is also a Connect to Device icon)
    where no WSM Server licenses are needed.

  • Options

    So, I am trying to go through the "WatchGuard Server Center Setup Wizard" where is says "Management Server - Identify the gateway Firebox" and I get to where it asks me to put in the IP of the Firebox.

    The Server is behind the firebox so I am using the internal IP. I put in the status password as well as the configuration password and I always get "A connection could not be established to x.x.x.x. Invalid login ID/password."

    I have verified and reset the status account password on the M270. Still I can't get past this screen. Thoughts?

  • Options

    The gateway Firebox question is only IF you have or plan to have firewalls out on the Internet that need to go through your internal firewall to access the WSM Server.
    You can skip this step initially, and deal with it later.

    See the Management Server Settings, here:

  • Options

    Still having issues with this. I bypassed the step but the issue is that I don't have a license key to add into the software so I am not sure that I can do much.

    Going back to the part where I cannot connect, is that because I am already behind the firewall? Would this work is the software was installed externally like on AWS?

  • Options

    As I said before, a M270 comes with a 4 unit WSM Server license .
    You should be able to find it on the support site in the your products section.

    And as I said before, even without a WSM Server license, you can select Connect to Device and access your firewall. For a local firewall you can use the trusted IP addr or the external IP addr.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    If you don't have a license for management server, you're not going to be able to configure this. You can check under My Devices in the WatchGuard.com portal, and look for the "WatchGuard System Manager Licenses" link to see if you have any that came with your firewall(s).

    -James Carson
    WatchGuard Customer Support

  • Options

    Ahh, I do have them in there! I guess that gets me one step closer.

    Unfortunately I haven't had formal Watchguard training and I am trying to get it to where I can centrally manage Fireboxes for at home users. This process to even get something useable has been hard. Makes me wish I had an once of the knowledge that Bruce does with these things.

  • Options

    I have no formal WG training either - just many years of using the WG products...

  • Options
    edited April 2021

    Things are looking better now!

    I can see the main M270 in the System Manager. However, I now want to set up the T20 that will be behind another firewall for home use.

    Is there a set of ports that I will need to forward to the T20 so that the System Manager can get to it?

  • Options

    You need to add a policy to your M270 to allow the T20 or other remote firewalls to contact your WSM Server.
    Add a WG-Mgmt-Server Packet Filter, From: Any-external (or preferably the public IP addrs of the remote firewalls) To: SNAT (Any-extenral to the WSM Server private IP addr)

    I always needed to set up my remote firewalls for Management.

    In WSM Policy Manager -> Setup -> Managed Device Settings -> select Management Server, then specify the public IP addr of your M270 for the Server IP addr.

    Review this:
    Configure a Firebox as a Managed Device

    WSM Server connects to firewalls using TCP 4117 which is allowed by the default Watchguard policy, which is also WG-Firebox-Mgmt

  • Options
    edited May 2021

    I was finally able to spend some more time on this and I seem to always get an error on my main M270 when I am trying to set up the VPN Tunnel between it and the T20. No issues on the T20, but the error that I see says "Failed: Access denied by Firebox - invali..." and I can't see the rest of the error.

    Any idea how I can see the rest of the error? I can't expand the window any to read the rest. https://ibb.co/FmqPc1X

  • Options

    You can look at Traffic Monitor on the T20, which may give you a clue.

    Personally I prefer creating manual BOVPN tunnels than using WSM Server to create them.
    There can be a number of annoying things that one needs to do to get a managed tunnel set up as desired, whereas to me it is straight forward to create a manual one.

    Exacctly what are you selecting/doing when trying to create this managed BOVPN?

  • Options

    Well the error is on the M270 side, not the T20 side?

    The main thing is that I have all kinds of issues with my existing BOVPN's. I have a mix of Cisco RV180s and DLink DSR-250s and they will drop the connection randomly. Sometimes all but 1 of the BOVPNs will re-connect and I will have to reboot the M270 to get the tunnel to re-establish.

  • Options
    edited May 2021

    Exactly what are you selecting/doing when trying to create this managed BOVPN?

  • Options

    I am dragging the M270 onto the T20 in WSM and then just using the default settings. I am checking all the boxes when it creates the tunnel including expire leases.

  • Options

    Instead of drag & drop, try using the Add VPN Wizard.
    Select Managed VPNs , right click, Create new VPN

    If you still have issues consider opening support incident

Sign In to comment.