Mass update for IP Block lists

We have several WatchGuards that we manage at different customer sites. As you can imagine, it is very cumbersome to log into individual WatchGuards to update blocked IPs.

Does anyone have any experience with managing multiple WatchGuards at different sites (no interconnectivity)? What are our options?

Comments

  • In WSM Server, you can have fully managed firewalls.
    For them you can have Device Configuration Templates which may provide what you want.

    Review this:
    Create Device Configuration Templates
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/centralized_management/config_templates_create_apply_wsm.html

    Note that you need appropriate WSM Server licenses to add firewalls to WSM Server.

  • How much is a device license for the WSM?

  • You may have some licenses already.
    On the Support site, under Licenses, click See All, then select this link:
    WatchGuard® System Manager Software Licenses

    A WSMMGR is a base license. The number following it is the number of firewalls that you can add with that license.
    Additional licenses need to be WSMUPGRADE licenses.
    https://www.watchguard.com/wgrd-products/watchguard-system-manager/wsm-licensing

    This site has some pricing, and the SKUs:
    https://www.guardsite.com/System-Manager.asp

    Note that these are 1 time permanent licenses. No renewals needed ever.

  • To clarify, we have several XTM devices; let's say we have 50 devices ranging from T10s to M series. Some of these will have licenses and some wouldn't.

    Could we, in theory, install a management server in our office or the cloud and then manage all the devices?

    I noticed that some of the devices have 4-5 licenses for the WSM. This could cover the smaller T10/T15 devices which don't come with a license.

    Would this be correct, or does it work differently?

  • James_Carson WatchGuard Representative

    Hi @Ddemers

    WSM Management Server licenses work like this:
    You can have one base license, and as many upgrade licenses as you want. The number of licenses is encoded into the license key.

    WSMMGR-4-000000-12345678 -- is a base license that has 4 licenses with it. Only one of this type can be used. These often come with rackmount firewalls.

    WSMUPGRADE-5-0000000-12345678 -- is an upgrade license with 5 licenses. You can use as many of these as you own.

    The following licenses used together would give you 14 licenses:
    WSMMGR-4-000000-12345678
    WSMUPGRADE-5-0000000-12345678
    WSMUPGRADE-5-0000000-87654321

    You can find more information in our documentation here:
    (Find Your Management Server License Key)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/management_server/mgmt_server_license_key_wsm.html

    For pricing on upgrade keys, please contact your reseller, as they'll be able to give you the best price quote on upgrade licenses.

    The part numbers for those upgrades are:
    WG017256 - 5 Licenses
    WG017257 - 25 Licenses
    WG017258 - 50 Licenses
    WG017259 - 100 Licenses

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • You can only have 1 WSMMGR license per instance of WSM Server.
    You can have multiple WSMUPGRADE licenses.

    So you could have a 4 unit WSMMGR license and a 50 unit WSMUPGRADE license, which would allow management of up to 54 firewalls.

  • If this looks like a promising solution, consider just using an existing WSMMGR-4 and any WSMUPGRADE licenses and give templates & fully managed firewalls a try.
    Then, if successful, you can purchase any needed WSMUPGRADE licenses.

  • Just in case someone comes across this post: we were able to make changes to the IP list via SSH. We are looking to make a PowerShell script that can update all the devices.

    From SSH you can merge/remove/replace the blocked sites list and it works well.
