Watchguard Web-UI from remote

Hello Watchguard Forum,

I'm relatively new to the watchguard world and have a T35-W to test/configure.

Unfortunately I am stumbling over a very simple task, namely making the Watchguard Web-UI, ports 8080 and 4100, accessible from the outside.

The knowledge base "Use Fireware Web UI for remote administration without a VPN" describes how to add Any-External to the WatchGuard Web UI policy. According to the article the Watchguard would then be accessible via https://public-WAN-ipv4-Adress:8080 or https://public-WAN-ipv4-Adress:4100 respectively. In the Watchguard logs I don't see any incoming packets and no DENYs.

I know that the security depends on the complex password of the Firebox user.

The T35W is connected to a Fritzbox router where the T35W has the exposed host role, i.e. all port releases.

An nmap analysis of the public IP address of the router from outside shows no open ports.

Where are my configuration errors?

Thank you very much.

reredok

Comments

  • OK, as so often in IT life: a reboot of the Fritzbox and Watchguard has solved the problem.

  • james.carson Moderator, WatchGuard Representative

    Hi @reredok

    Thanks for writing

    Rule changes will only take effect for new connections, so in the future, closing and re-opening your browser is a good step to take to make sure that connection is a new one.

    I would suggest specifying specific external IPs or Subnets that you might want to connect from vice using any-external. You're welcome to use Any-external if that works best for you, but do make sure you have strong passwords as anyone can then get to that page.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • When you upgrade firmware, the Any-External entries that you added may be removed automatically. The default is NOT to have those ports open to the whole world, and I have had firmware updates change my rules and then I got blocked. Fortunately, I had SSLVPN access to those Fireboxes, so I went back and added a rule above the default one, and allow it from the DynDNS IP of my laptop only.

    Gregg Hill

  • Thank you very much for your feedback and suggestions.

    Since I am, as already mentioned, very new in the Watchguard world, I will surely encounter some configuration problems and I will need some advice and I am surprised that you reacted "so fast" to my forum entry.

    Well at least I already got the access point to run... very nice...
