Create rule in Firewall Watchguard XTM 515

I work for a little company. We are trying to configure a legacy Watchguard Firewall, but we can't figure out how to create rules for external access to an internal server through a specified port. I did this in my router at home, to redirect to my webserver, and it worked like a charm, but I see it is not the same with this Firewall device.

Can someone help us with this?

We have an external (public) IP address (suppose IP
We have a Watchguard XTM 515 Firewall
The internal server has IP and uses a specific port (suppose port 57690)
We want all external (internet) incoming connections to our external IP port 57690 to be allowed and redirected to our internal IP port 57690.

José Perez Asked:

Hypercat (Deb) Commented:
Hi, Oscar. The steps to do this would be:

1.  Open the Watchguard System Manager program and connect to the device using the status passphrase.
2.  Open the Policy Manager (Tools/Policy Manager).
3.  Click Setup/Actions/SNAT on the menu.
4.  Click the Add button.  Give the SNAT a friendly name and description.
5.  Click the Add button.  The External address will default to the public IP set up on the firewall.  Enter the internal IP address of your server ( and the port number (57690).
6.  Click OK until you exit the Add SNAT dialog box.

Now, in the main Policy Manager screen, click Edit/Add Policy on the menu:

1.  Click the New button.  Give the policy a friendly name and description.
2.  Click the Add button and specify your port number (57690).
3.  Click OK to save the new port specification. Then click the Add button in the Add Policy dialog.
4.  Give the policy a friendly name.
5.  In the From box, you want to change Any-Trusted to Any-External.  You do this by removing Any-Trusted, then click the Add button and select Any-External.   Now you should have Any-External in the From box.
6.  In the To box, remove Any-External and click the Add button.
7.  Click Add SNAT. Select the SNAT redirection you set up above.
8.  Click OK until you exit the Add Policy dialog box.

You should now see your new policy in the main Policy Manager screen.  Click File/Save/To Firebox.  This should run you through TWO dialog boxes, one to save the configuration to a file and one to save the configuration to the Watchguard box itself.  BE SURE to do both, so that you have a backup file of the configuration and also have updated the current configuration on the Firebox.

Post back with any questions.

Hypercat (Deb) Commented:
PS - the above instructions depend on your having a fairly new version of the Firebox management software installed.  If you have an older version, you may have some differences in the exact procedure, but the basics are the same.
José Perez (Author) Commented:
That procedure works OK for 1 port, but we need to add more than one port.
We added the external IP but we can't add more than 1 port. Is it possible using the same procedure, hypercat?
Hypercat (Deb) Commented:
If you have multiple TCP/IP ports that you need to redirect from the same external IP address to the same internal server, you can edit the policy template that you used to create the rule for that server. To edit the TCP/IP ports of your existing policy template:

1.  In the main Policy Manager screen, click Edit/Add Policy on the menu.
2.  In the Add Policy window, select the existing policy template on the list at the top, and click Edit.
3.  In the Edit Policy Template window, add the TCP/IP port(s) you want to redirect to the same server.
4.  Click OK to save the changes and then click Close at the bottom of the Add Policy Template window.

This will change the ports on the policy template and on any existing policies that use that template.

If you have multiple TCP/IP ports coming in through the same external IP address but being redirected to different servers, then you have to create multiple SNAT entries and then create a policy redirecting each port to the internal IP address of the server that should get that traffic. So, you'd create a new SNAT entry, create a new policy template and then add the policy with the SNAT entry for that server in the To box (i.e., the same procedure outlined in my first post).
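
To confirm from the outside what the procedures in this thread produce, the following added example (not part of the thread and not WatchGuard tooling) compares the TCP ports that actually answer on the external address with the ports that were meant to be forwarded. The address `203.0.113.10` and the extra probed ports are placeholder assumptions; only port 57690 comes from the question.

```python
import socket


def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_forwards(host, intended, also_probe=(), timeout=2.0):
    """Compare reachable TCP ports on `host` with the intended forwards.

    intended   -- ports that have an SNAT policy and should answer
    also_probe -- ports with no policy that should NOT answer
    """
    intended = set(intended)
    probed = intended | set(also_probe)
    reachable = {p for p in sorted(probed) if is_open(host, p, timeout)}
    return {
        "working": sorted(reachable & intended),         # forward is live
        "not_forwarded": sorted(intended - reachable),   # policy/SNAT missing or server down
        "unexpected": sorted(reachable - intended),      # exposed without an intended policy
    }


if __name__ == "__main__":
    # Assumed placeholder address (documentation range); use your own external IP.
    # The policy's From is Any-External, so run this from a host outside the firewall.
    EXTERNAL_IP = "203.0.113.10"
    report = audit_forwards(
        EXTERNAL_IP,
        intended=[57690],                       # port from the question
        also_probe=[22, 80, 443, 3389, 8080],   # assumed sample of ports that should stay closed
    )
    for key, ports in report.items():
        print(f"{key}: {ports}")
```

Re-run it after each template edit or new SNAT entry: anything listed under `unexpected` is reachable from the internet without being on the intended list.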