Mass update for IP Block lists
We have several WatchGuards that we manage at different customer sites. As you can imagine, it is very cumbersome to log into individual WatchGuards to update blocked IPs.
Does anyone have any experience with managing multiple WatchGuards at different sites (no interconnectivity)? What are our options?
In WSM Server, you can have fully managed firewalls.
For them you can have Device Configuration Templates which may provide what you want.
Review this:
Create Device Configuration Templates
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/centralized_management/config_templates_create_apply_wsm.html
Note that you need appropriate WSM Server licenses to add firewalls to WSM Server.
How much is a device license for the WSM?
You may have some licenses already.
On the Support site, under Licenses, click See All, then select this link:
WatchGuard® System Manager Software Licenses
A WSMMGR is a base license. The number following it is the number of firewalls that you can add with that license.
Additional licenses need to be WSMUPGRADE licenses.
https://www.watchguard.com/wgrd-products/watchguard-system-manager/wsm-licensing
This site has some pricing, and the SKUs:
https://www.guardsite.com/System-Manager.asp
Note that these are one-time, permanent licenses. No renewals needed ever.
To clarify, we have several XTM devices; let's say we have 50 devices ranging from T10s to M series. Some of these will have licenses and some won't.
Could we, in theory, install a management server in our office or the cloud and then manage all the devices?
I noticed that some of the devices have 4-5 licenses for the WSM. This could cover the smaller T10/T15 devices which don't come with a license.
Would this be correct, or does it work differently?
Hi @Ddemers
WSM Management Server licenses work like this:
You can have one base license, and as many upgrade licenses as you want. The number of licenses is encoded into the license key.
WSMMGR-4-000000-12345678 -- is a base license that has 4 licenses with it. Only one of this type can be used. These often come with rackmount firewalls.
WSMUPGRADE-5-0000000-12345678 -- is an upgrade license with 5 licenses. You can use as many of these as you own.
The following licenses used together would give you 14 licenses:
WSMMGR-4-000000-12345678
WSMUPGRADE-5-0000000-12345678
WSMUPGRADE-5-0000000-87654321
You can find more information in our documentation here:
(Find Your Management Server License Key)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/management_server/mgmt_server_license_key_wsm.html
For pricing on upgrade keys, please contact your reseller, as they'll be able to give you the best price quote on upgrade licenses.
The part numbers for those upgrades are:
WG017256 - 5 Licenses
WG017257 - 25 Licenses
WG017258 - 50 Licenses
WG017259 - 100 Licenses
Thank you,
-James Carson
WatchGuard Customer Support
You can only have 1 WSMMGR license per instance of WSM Server.
You can have multiple WSMUPGRADE licenses.
So you could have a 4 unit WSMMGR license and a 50 unit WSMUPGRADE license, which would allow management of up to 54 firewalls.
If this looks like a promising solution, consider just using an existing WSMMGR-4 and any WSMUPGRADE licenses and give templates & fully managed firewalls a try.
Then, if successful, you can purchase any needed WSMUPGRADE licenses.
Just in case someone comes across this post: we were able to make changes to the IP list via SSH. We are looking to make a PowerShell script that can update all the devices.
From SSH you can merge/remove/replace the blocked sites list and it works well.