How to Forward Ports on a Watchguard Firebox

Firewall appliances can be notoriously confusing to set up when it comes to something that should be relatively simple, that’s one of its most commonly performed tasks, like port forwarding. Perhaps the most confusing box I’ve come across is the Watchguard Firebox XTM21, which works great once you decipher the confusing way it expects you to configure it. Here’s what always works for me if I want to, say, forward all traffic coming in on port 41000 to an internal machine at IP address 192.168.1.5. (I’m sure this procedure (or something like it) applies to other similar Watchguard models as well.) 

Log in to the box via a web browser at whatever IP address it’s been assigned (e.g., https://192.168.1.1:8080)
Click on Firewall, then SNAT.
Click ADD button.
Give it a name (e.g., “RDP incoming to port 41000).
Click ADD button.
Enter internal address to send traffic to. (e.g., 192.168.1.5)
Click OK.
Click Save.
Click Firewall, then Firewall Policies.
Click the + button at the upper-right.
Click CUSTOM button.
Give it a name (e.g., “RDP incoming to port 41000).
Click ADD button.
Enter a port # and click OK. (e.g., 41000)
Click Save.
Click triangle next to “Custom” to expand it. Scroll to bottom and click on your newly added policy.
Click ADD POLICY button.
Change “FROM” box to contain only “Any-External”.
Remove what’s in “TO” box and click ADD button.
Change “Member Type” to “Static NAT”.
Scroll down the list to select your newly added translation and click OK.
Click SAVE.

I hope this saves you some of the headaches it caused me!!

Steve