Connect to Fireware Web UI from an External Network

The Firebox configuration includes the WatchGuard Web UI policy. This policy controls which Firebox interfaces can connect to Fireware Web UI. By default, for physical Fireboxes, this policy only allows connections from Any-Trusted and Any-Optional networks.

For FireboxV, XTMv, and Firebox Cloud devices, the WatchGuard Web UI policy allows connections from Any-External by default so that you can complete the initial configuration. We strongly recommend that you remove Any-External from the WatchGuard Web UI policy after you complete your initial FireboxV, XTMv, or Firebox Cloud configuration.

If you want to allow access to Fireware Web UI from the external network, you can edit the WatchGuard Web UI policy to allow connections from the IP address of the external computer that you want to connect from.

Do not allow connections to the Fireware Web UI management interface from the Any-External alias or other aliases that expose the Fireware Web UI to the Internet.

Rather than modify the WatchGuard Web UI policy, we strongly recommend that you use a VPN to connect to the Firebox. This greatly increases the security of the connection. If this is not possible, we recommend that you allow access from the external network to only certain authorized users and to the smallest number of computers possible. For example, your configuration is more secure if you allow connections from a single computer instead of from the alias Any-External. For more information, go to the Firebox Remote Management Best Practices Knowledge Base article and Secure Firebox Management Access video tutorial.

To disable the ability to connect to Fireware Web UI from a specific remote location, remove the IP address or alias of the remote location from the WatchGuard Web UI policy. Make sure not to remove the Any-Trusted alias from the policy, because that alias is what allows computers on the trusted network to manage the Firebox.

To modify the Fireware Web UI policy, from Fireware Web UI:

  1. Select Firewall > Firewall Policies.
  2. Double-click the WatchGuard Web UI policy to edit it.
  3. Select the Policy tab.
  4. In the From section, click Add.
  5. To add the IP address of the external computer that connects to the Firebox, from the Member type drop-down list, select Host IP, and click OK. Type the IP address.
  6. To give access to an authorized user, from the Member Type drop-down list, select Alias. For information about how to create an alias, go to Create an Alias.
  7. Click OK.
  8. Click Save.
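After you save the policy, you can review its From list against the guidance above. The following is an added example, not WatchGuard code: it audits a From list that you transcribe by hand from the Policy tab into a Python list. The list format, the function names, the inclusion of the "Any" alias, and the default limit of one external host are assumptions made for this example.

```python
import ipaddress

# Aliases that expose the Web UI to the Internet. Any-External is named on
# this page; "Any" is an assumption added for this example.
INTERNET_ALIASES = {"Any-External", "Any"}
REQUIRED_ALIASES = {"Any-Trusted"}  # the page says not to remove this one
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed From lists; 203.0.113.0/24 is a documentation range.
WEAK = ["Any-Trusted", "Any-Optional", "Any-External"]
HARDENED = ["Any-Trusted", "Any-Optional", "203.0.113.10"]


def is_internal(net):
    """True if the network lies entirely inside RFC 1918 space."""
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def audit_from_list(members, max_external_hosts=1):
    """Return findings for a hand-transcribed From list (aliases, IPs, CIDRs)."""
    findings = []
    external_hosts = 0
    for member in members:
        try:
            net = ipaddress.ip_network(member, strict=False)
        except ValueError:
            # Not an address, so treat the entry as an alias name.
            if member in INTERNET_ALIASES:
                findings.append(f"{member}: alias exposes the Web UI to the Internet")
            continue
        if is_internal(net):
            continue
        if net.num_addresses > 1:
            findings.append(f"{member}: external network, list single host IPs instead")
        else:
            external_hosts += 1
    if external_hosts > max_external_hosts:
        findings.append(f"{external_hosts} external hosts allowed, limit is {max_external_hosts}")
    for alias in sorted(REQUIRED_ALIASES - set(members)):
        findings.append(f"{alias}: missing, trusted network loses management access")
    return findings


if __name__ == "__main__":
    for name, members in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_from_list(members) or "no findings")
```

An empty result means the list contains no Internet-facing alias or external network, stays within the external host limit, and still includes Any-Trusted.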

Related Topics

Knowledge Base article: Firebox Remote Management Best Practices

Video tutorial: Secure Firebox Management Access

Administer Your Firebox From a Remote Location

Use Authentication to Restrict Incoming Connections

Define Firebox Global Settings

Use Users and Groups in Policies

Connect to Fireware Web UI