Is WG-Mgmt-Server actually needed for firewall on same network as WSM?
So I had noticed various IP addresses connecting through the WG-Mgmt-Server policy on port 4112/4113. Trying to determine if I even need this policy enabled. That Any-External as the FROM address seems over-broad.
I did open a support ticket w/Support, but they only sent me a KB article (https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/management_server/mgmt_server_about_gateway_wsm.html) that did not really explain IF this is really needed and, if so, what IP addresses I would swap out for the Any-External.
This is a single T40 firewall (12.11.4.B). No external VPN connections elsewhere (although mobile VPN w/SSL is running, but would not be affected by this policy, so I am told).
WSM is on the local network tied to Eth1 network.
I also read Bruce's discussion about this, which seems to infer that it may not be needed (at least Any-External), from this article: https://community.watchguard.com/watchguard-community/discussion/comment/7124#Comment_7124?utm_source=community-search&utm_medium=organic-search&utm_term=WG-Mgmt-Server
So, do I need this policy and, if so, does it have to have the Any-External (or are there IP addresses I could lock it down to)?
Thanks,
James
Comments
If you had remote Fireboxes and they had static IP addrs or DynDNS names you could use those instead of Any-external.
As always, thanks Bruce for the clarification.
I also suggested to tech support that this should be clarified in the documents, and the best practice should be: if you can determine the external IPs that would legitimately attempt to connect, remove "any-external" and put in those IP addresses. I was having all kinds of IP addresses attempting to connect on that TCP port.
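To put Bruce's suggestion and James' follow-up into practice, the useful check is: which source addresses are actually hitting TCP 4112/4113, and which of those are not one of your own remote Fireboxes? The script below is an added example and is not code from this thread or from WatchGuard. It reads a constructed, simplified log format (timestamp, source IP, destination port, policy name), not the real Fireware traffic-log format, so the parser is a placeholder you would adapt to your log export; the allowlist and the sample addresses (RFC 5737 documentation ranges) are likewise constructed. It counts connections to the management ports, reports any source outside the allowlist, and renders the allowlist in the form you would put in the policy's FROM field instead of Any-External.

```python
"""Check who is reaching the WG-Mgmt-Server ports (TCP 4112/4113) and whether
an explicit FROM allowlist would cover the legitimate sources.

Added example; the log format is constructed (not Fireware's) and the IPs are
documentation-range placeholders.
"""
import ipaddress
from collections import Counter

# Ports the WG-Mgmt-Server policy opens (from the thread).
MGMT_PORTS = {4112, 4113}

# Constructed sample log: "timestamp,src_ip,dst_port,policy".
# 203.0.113.10 plays the role of a legitimate remote Firebox; the other
# sources are unsolicited internet hits like the ones James saw.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,203.0.113.10,4112,WG-Mgmt-Server
2024-05-01T10:00:05Z,198.51.100.77,4112,WG-Mgmt-Server
2024-05-01T10:00:09Z,192.0.2.200,4113,WG-Mgmt-Server
2024-05-01T10:01:00Z,203.0.113.10,4113,WG-Mgmt-Server
2024-05-01T10:02:00Z,198.51.100.77,443,HTTPS-Proxy
not,a,valid line
"""

# Constructed allowlist: the static addresses of remote Fireboxes that
# should be allowed to reach the management server (single host here).
ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]


def parse_line(line):
    """Parse one constructed log line into (src_ip, dst_port, policy).

    Returns None for malformed lines so one bad record does not abort the run.
    """
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    _ts, src, port, policy = parts
    try:
        return ipaddress.ip_address(src), int(port), policy
    except ValueError:
        return None


def is_allowed(ip, allowlist):
    """True if ip falls inside any network on the allowlist."""
    return any(ip in net for net in allowlist)


def mgmt_sources(log_text, ports=MGMT_PORTS):
    """Count every source IP seen connecting to the management ports."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, port, _policy = rec
        if port in ports:
            counts[str(src)] += 1
    return counts


def unexpected_sources(log_text, allowlist, ports=MGMT_PORTS):
    """Management-port sources that are NOT on the allowlist, with hit counts.

    An empty result means the allowlist already covers everything that
    legitimately connects, so Any-External can be replaced by it.
    """
    return {
        ip: n
        for ip, n in mgmt_sources(log_text, ports).items()
        if not is_allowed(ipaddress.ip_address(ip), allowlist)
    }


def proposed_from_list(allowlist):
    """Render the allowlist as the host/network entries for the policy FROM field."""
    entries = []
    for net in allowlist:
        # Single hosts are written as a bare address, ranges as CIDR.
        if net.prefixlen == net.max_prefixlen:
            entries.append(str(net.network_address))
        else:
            entries.append(str(net))
    return sorted(entries)


if __name__ == "__main__":
    print("All management-port sources:", dict(mgmt_sources(SAMPLE_LOG)))
    print("Outside allowlist (candidates to drop):",
          unexpected_sources(SAMPLE_LOG, ALLOWLIST))
    print("Proposed FROM entries instead of Any-External:",
          proposed_from_list(ALLOWLIST))
```

Run it against an export of your own traffic log after fixing `parse_line` for the real format; if `unexpected_sources` is empty over a representative window and you have no remote Fireboxes at all, that is evidence the policy's external exposure is not serving anything.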