Remote Restart Firebox

Interesting problem:

M200 with Total Security

Device is running
Management connection stopped working in Dimension. Logging connection still showing that it's working ok.

During troubleshooting of the management connection, we thought to try the simple things first as our technicians have not reported making any changes to the device or dimension: Step 1: Restart the watchguard. We thought this would be simple enough....

1) Can't use dimension action button - because remote management is not working, the reboot option is not available.
2) Log into the box remotely and Front Panel won't load - therefore we can't get to the reboot button to restart it there.
3) It has current firmware, so loading new firmware to force the restart isn't possible.

Are there any other ways to restart a watchguard remotely? If not, probably should add that option to a second screen in the web management console. Otherwise it looks like an onsite visit to power cycle the device.
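The symptom described here (box forwarding traffic and logging to Dimension, but the management side hung) is one a monitoring host can catch before business hours. The probe below is an added example, not code from the thread or from WatchGuard; the ports (Web UI 8080, FSM/WSM 4117), the `cafile` parameter and the state labels in `classify` are my assumptions.

```python
import socket
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed TCP ports (not stated in the thread): Fireware Web UI on 8080,
# FSM/WSM management on 4117.
WEB_UI_PORT = 8080
FSM_PORT = 4117


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def web_ui_responds(host, port=WEB_UI_PORT, timeout=5.0, cafile=None):
    """True if the Web UI answers any HTTP request within the timeout.

    cafile is the CA bundle that signed the Firebox's management certificate.
    A certificate that fails verification is reported as 'no response'
    rather than silently disabling TLS checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return 100 <= r.status < 600
    except HTTPError:
        return True   # 401/403/5xx still proves the UI process is alive
    except (URLError, OSError, ssl.SSLError):
        return False  # timeout, refused, or TLS failure


def classify(fsm_tcp, web_ok, logging_ok):
    """Reduce probe results to one of the states discussed in the thread.

    logging_ok comes from Dimension (the Firebox sends logs outbound), so the
    caller supplies it; fsm_tcp and web_ok come from the probes above."""
    if fsm_tcp and web_ok:
        return "management reachable"
    if logging_ok:
        return "forwarding and logging, management plane degraded: schedule reboot"
    return "device unreachable"


if __name__ == "__main__":
    host = "192.0.2.1"  # constructed placeholder address
    print(classify(tcp_open(host, FSM_PORT), web_ui_responds(host), True))
```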

Comments

  • Point #2 sounds as though that was the web UI. Can you connect to it with FSM remotely? If so, FSM should be able to reboot it.

    Gregg Hill

  • Great ask, I have not tried to add the necessary rules to the watchguard to allow a remote FSM connection. Not sure if adding rules will work but I can check. Not really super crazy about adding those rules just to reboot the box, but it's a good suggestion.

  • Wesley, you can add a public FQDN or IP address to the From field of the "WatchGuard" policy to allow those connections only from specific locations.

    Gregg Hill

  • "Not really super crazy about adding those rules just to reboot the box, but it's a good suggestion." Depending upon the drive time, it may be worth it!

    I assume that there is no one at the remote site who can power it off and on again or you would have done that already, correct?

    Gregg Hill

  • "you can add a public FQDN or IP address to the From field of the "WatchGuard" policy to allow those connections only from specific locations."
    Or, authenticated user IDs....

  • @Bruce_Briggs said:
    "you can add a public FQDN or IP address to the From field of the "WatchGuard" policy to allow those connections only from specific locations."
    Or, authenticated user IDs....

    How would the users authenticate? Authenticated users would require that the WatchGuard Authentication policy be open to the world (defeating the purpose of restricting access), and the default is From Any-Trusted & Any-Optional. Adding an FQDN or IP to that policy's From field doesn't help long-term because it gets reset to the default of Any-Trusted & Any-Optional when firmware is updated.

    A workaround for that is to disable (not delete...it will get recreated!) the WatchGuard Authentication policy, then create a new one that uses the WG-Auth policy type, and in that policy, set the From field with an added FQDN or IP. But that's double the work of just allowing what I noted before.

    Gregg Hill

  • Hi Folks, thanks so much for the advice.

    My comment about being reluctant about adding the rule is that we don't know the full scope of the failure. What we know right now is that the box is working, the page is broken. Would changing the configuration break it further?

    I am usually loath to engage an onsite person (the customer) to do the restarts because it means downtime during the day. As an MSP, these things within our control need to be scheduled, and we need to keep business-hours downtime to a minimum for critical issues.

    I think the best solution is to schedule downtime and send the technician onsite. The customer is located in our city so it's not a stretch to do this. Thank you all for your suggestions. The point of the post was to find out if anyone knew any other methods to remote restart the box, so the restart could happen outside of business hours (zero downtime) and you've reminded me of FSM which is great.

    Not sure if Watchguard devs look at the site, but it would be helpful to have a reboot button in the GUI that is on a static page - I do think the front panel page has a bug or perhaps a memory leak or something. Alternatively, a page that has an embedded terminal window with a limited number of commands to do this kind of thing. Another suggestion, which may be a bit of a stretch, would be an option to schedule a restart/application of firmware in the GUI or FSM. This would mean those activities can happen in the evening without downtime. Having the ability to schedule a daily configuration backup and send that to a remote server would be nice too.

  • You can schedule remote reboots - a setting in the config. Global Settings
    Daily or a specific day of the week.

    You can do a reboot using the CLI

    not exactly what you were looking for - but more options.

  • Bruce, I do see that setting in there, thank you for pointing that out!

  • Yep.. My production Fireboxes reboot once per week.. I am not sure of the benefits these days, but there was a time when they had a slow memory leakage problem and this weekly boot was enough to keep the pain away.

    Adrian from Australia

  • @Bruce_Briggs said:
    You can schedule remote reboots - a setting in the config. Global Settings
    Daily or a specific day of the week.

    You can do a reboot using the CLI

    not exactly what you were looking for - but more options.

    If he has access to change the config, and no other method mentioned has worked, that is a BRILLIANT idea! Schedule a reboot for a few minutes after everyone is gone.

    Gregg Hill
