Create rule in Firewall Watchguard XTM 515

I work for a little company. We are trying to configure a legacy Watchguard Firewall but we can't figure out how to create rules for external access to an internal server through a specified port. I did this in my router at home, to redirect to my webserver, and it worked like a charm, but I see it is not the same with this Firewall device.

Can someone help us on this?

We have an external (public) IP address (suppose IP
We have a Watchguard XTM 515 Firewall
The internal server has IP and uses a specific port (suppose port 57690)
We want all external (internet) incoming connections to our external IP port 57690 to be allowed and redirected to our internal IP port 57690.

José Perez asked:
Hypercat (Deb) commented:
Hi, Oscar. The steps to do this would be:

1.  Open the Watchguard System Manager program and connect to the device using the status passphrase.
2.  Open the Policy Manager (Tools/Policy Manager).
3.  Click Setup/Actions/SNAT on the menu.
4.  Click the Add button.  Give the SNAT a friendly name and description.
5.  Click the Add button.  The External address will default to the public IP set up on the firewall.  Enter the internal IP address of your server ( and the port number (57690).
6.  Click OK until you exit the Add SNAT dialog box.

Now, in the main Policy Manager screen, click Edit/Add Policy on the menu:

1.  Click the New button.  Give the policy a friendly name and description.
2.  Click the Add button and specify your port number (57690).
3.  Click OK to save the new port specification. Then click the Add button in the Add Policy dialog.
4.  Give the policy a friendly name.
5.  In the From box, you want to change Any-Trusted to Any-External.  You do this by removing Any-Trusted, then click the Add button and select Any-External.   Now you should have Any-External in the From box.
6.  In the To box, remove Any-External and click the Add button.
7.  Click Add SNAT. Select the SNAT redirection you set up above.
8.  Click OK until you exit the Add Policy dialog box.

You should now see your new policy in the main Policy Manager screen.  Click File/Save/To Firebox.  This should run you through TWO dialog boxes, one to save the configuration to a file and one to save the configuration to the Watchguard box itself.  BE SURE to do both, so that you have a backup file of the configuration and also have updated the current configuration on the Firebox.

Post back with any questions.
Hypercat (Deb) commented:
PS - the above instructions depend on your having a fairly new version of the Firebox management software installed.  If you have an older version, you may have some differences in the exact procedure, but the basics are the same.
José Perez (author) commented:
That procedure works ok for 1 port but we need to add more than one port.
We added the external IP but we can't add more than 1 port. Is it possible using the same procedure, hypercat?
Hypercat (Deb) commented:
If you have multiple TCP/IP ports that you need to redirect from the same external IP address to the same internal server, you can edit the policy template that you used to create the rule for that server. To edit the TCP/IP ports of your existing policy template:

1.  In the main Policy Manager screen, click Edit/Add Policy on the menu.
2.  In the Add Policy window, select the existing policy template on the list at the top, and click Edit.
3.  In the Edit Policy Template window, add the TCP/IP port(s) you want to redirect to the same server.
4.  Click OK to save the changes and then click Close at the bottom of the Add Policy Template window.

This will change the ports on the policy template and on any existing policies that use that template.

If you have multiple TCP/IP ports coming in through the same external IP address but being redirected to different servers, then you have to create multiple SNAT entries and then create a policy redirecting each port to the internal IP address of the server that should get that traffic. So, you'd create a new SNAT entry, create a new policy template and then add the policy with the SNAT entry for that server in the To box (i.e., the same procedure outlined in my first post).
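The answers above describe the change but not how to confirm it. The following is an added example, not code from the thread or from WatchGuard: after saving the policy to the Firebox, run it from a host OUTSIDE the network (a VPS, a phone tether) against the public IP to check that every forwarded port answers and that a control port no policy covers is still refused by the default-deny. It works equally for one port (first answer) or several ports across several servers (second answer), since each port is listed with the outcome the policies should produce. The public IP, port 57690 from the question and the control port are placeholders; `local_demo()` exercises the same logic on loopback so the script can be tried without a firewall.

```python
"""Post-change check for a WatchGuard SNAT/policy port forward (added example)."""
import socket
import sys


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A port the firewall drops shows up as a timeout, a port it rejects (or a
    host with nothing listening) as ECONNREFUSED; both count as "not open".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_forwards(host: str, expectations: dict, timeout: float = 3.0) -> dict:
    """Compare observed reachability with what the policies should allow.

    expectations maps port -> True (a policy should forward it) or False (no
    policy covers it, so it must stay closed). Returns {port: (expected,
    actual)} for every port whose observed state differs; empty means the
    policy set behaves as intended.
    """
    mismatches = {}
    for port, expected in expectations.items():
        actual = tcp_open(host, port, timeout)
        if actual != expected:
            mismatches[port] = (expected, actual)
    return mismatches


def local_demo() -> dict:
    """Offline self-check on loopback (constructed, no firewall involved).

    One socket listens (standing in for a forwarded port) and one is bound
    but not listening, so the kernel answers its SYN with RST (standing in
    for a port with no policy). Returns the audit's mismatch dict.
    """
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))
    listening.listen(5)  # handshake completes in the kernel; no accept() needed
    refused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    refused.bind(("127.0.0.1", 0))  # bound only, so nothing else can take the port
    try:
        forwarded = listening.getsockname()[1]
        blocked = refused.getsockname()[1]
        return audit_forwards("127.0.0.1", {forwarded: True, blocked: False}, timeout=2.0)
    finally:
        listening.close()
        refused.close()


def parse_spec(args: list) -> dict:
    """Turn ['57690', '!57691'] into {57690: True, 57691: False}."""
    spec = {}
    for arg in args:
        if arg.startswith("!"):
            spec[int(arg[1:])] = False
        else:
            spec[int(arg)] = True
    return spec


if __name__ == "__main__":
    # Usage (hypothetical public IP): python check_forward.py 203.0.113.10 57690 !57691
    if len(sys.argv) < 3:
        print("usage: check_forward.py <public-ip> <port> [!<port-that-must-stay-closed>] ...")
        sys.exit(2)
    bad = audit_forwards(sys.argv[1], parse_spec(sys.argv[2:]))
    for port, (expected, actual) in sorted(bad.items()):
        state = "open" if actual else "closed"
        want = "forwarded" if expected else "closed"
        print(f"port {port}: {state}, but policy set says it should be {want}")
    print("OK: all ports behave as the policies intend" if not bad else f"{len(bad)} mismatch(es)")
    sys.exit(1 if bad else 0)
```

A control port with `!` is the part most people skip: an open port you expected proves the SNAT works, but only a refused or dropped neighbour proves you did not accidentally widen the policy (for example by leaving Any-Trusted in the From box or picking a template with extra ports).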