These are the default [[network ports]] needed for a [[WatchGuard Firebox]] when it is behind a [[NAT]] device.

## Management (Policy Manager and System Manager)

^[[Administer Your Firebox From a Remote Location (watchguard.com)](https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/manage_firebox_remote_loc_c.html)]

- TCP 4105
- TCP 4117
- TCP 4118

## WebUI

^[[Connect to Fireware Web UI (watchguard.com)](https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/connecting_about_web.html)]

- TCP 8080

## BOVPN

^[[BOVPN on a Firebox Behind a Device That Does NAT (watchguard.com)](https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_nat_c.html)]

- UDP port 500 (IKE)
- UDP port 4500 (NAT Traversal)

### Connecting a [[Site-to-Site VPN|BOVPN]] behind a NAT device

For a VPN connection to a remote Firebox behind a NAT device, specify the static public IP address of the NAT device in the VPN connection settings.

For example, suppose you have two Fireboxes, A and B. Firebox B is behind a NAT device that has a static public IP address of 192.0.2.1. In the Remote Gateway Endpoint Settings for Firebox A, specify the IP address 192.0.2.1.

For the gateway ID, specify any data that is not a resolvable domain name. For example, you could type `test` or `ID-123`.

You can use any gateway ID type and any gateway ID value, but the local and remote gateway IDs must correspond as follows:

- The local gateway ID on Firebox A and the remote gateway ID on Firebox B must match.
- The local gateway ID on Firebox B and the remote gateway ID on Firebox A must match.
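
The rules above can be checked before a tunnel is brought up. The following is an added example, not WatchGuard code: a pre-flight check over settings transcribed by hand. The `Gateway` field names, the `check_pair` function, the domain-name heuristic and every sample value other than 192.0.2.1 are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ports from the BOVPN list above: IKE and NAT Traversal.
BOVPN_PORTS = {("udp", 500), ("udp", 4500)}
# Heuristic only (assumption): dotted hostname-style strings might resolve in DNS.
FQDN_LIKE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


@dataclass
class Gateway:
    """One Firebox's BOVPN gateway settings (field names are hypothetical)."""
    name: str
    local_id: str
    remote_id: str
    remote_ip: str  # remote gateway endpoint this side connects to


def check_pair(a, b, nat_public_ip, nat_forwards):
    """Return a list of problems for Firebox A reaching Firebox B behind NAT."""
    problems = []
    # Gateway IDs must cross-match between the two sides.
    if a.local_id != b.remote_id:
        problems.append(f"{a.name} local ID != {b.name} remote ID")
    if b.local_id != a.remote_id:
        problems.append(f"{b.name} local ID != {a.name} remote ID")
    # A must point at the NAT device's static public IP, not B's own address.
    if ipaddress.ip_address(a.remote_ip) != ipaddress.ip_address(nat_public_ip):
        problems.append(f"{a.name} remote endpoint is not the NAT public IP")
    # Flag IDs that could be mistaken for a resolvable domain name.
    for gw_id in sorted({a.local_id, a.remote_id, b.local_id, b.remote_id}):
        if FQDN_LIKE.match(gw_id):
            problems.append(f"gateway ID {gw_id!r} looks like a domain name")
    # The NAT device must pass both BOVPN ports through to Firebox B.
    for proto, port in sorted(BOVPN_PORTS - set(nat_forwards)):
        problems.append(f"NAT device does not forward {proto.upper()} {port}")
    return problems


# Constructed sample values; 192.0.2.1 is the page's example NAT address.
GOOD_A = Gateway("Firebox A", "ID-123", "test", "192.0.2.1")
GOOD_B = Gateway("Firebox B", "test", "ID-123", "198.51.100.7")
BAD_A = Gateway("Firebox A", "ID-123", "vpn.example.com", "10.0.0.2")

if __name__ == "__main__":
    print(check_pair(GOOD_A, GOOD_B, "192.0.2.1", BOVPN_PORTS))
    for problem in check_pair(BAD_A, GOOD_B, "192.0.2.1", {("udp", 500)}):
        print("-", problem)
```
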