
I recently put a WatchGuard XTM25 on my home network. Everything was pretty straightforward until I got to port forwarding. I had a couple of ports I wanted forwarded to some internal addresses. On most firewalls I’ve worked on, port forwarding is typically pretty easy to find and set up. WatchGuard port forwarding is a combination of two things: an SNAT (static NAT) and a firewall policy.

So, you first want to set up the SNAT. It’s found under the Firewall section. Click Add, give it a name, and then click Add under the SNAT members section. This is where you specify the IP address of the internal client that will receive the traffic. You aren’t specifying ports at this point. If you will be forwarding to multiple clients, you can create them here. I created separate SNAT rules for each of my internal clients. The SNAT members area seems to be able to have multiple members, but I’m not sure how that works.


Next you will create a firewall policy that uses the SNAT and specifies the port you want to forward.
1. Navigate to the Firewall Policies section.
2. Click Add Policy.
3. In the Packet Filter drop-down, select the protocol you want to forward. If you are forwarding a port that’s not listed, click Custom, then click Add, and you can give it a name and specify the port.
4. Click Add Policy.
5. In the From box, click Any-Trusted and click Remove.
6. Then click the Add button under the From box and select Any, then OK.
7. In the To box, click Any-External and click Remove.
8. Then click the Add button under the To box and select Static NAT in the Member Type drop-down. You should see the Static NAT entry you created previously. Select that and hit OK.
9. Scroll down to the bottom and click Save.


You should now have port forwarding set up for the port and client you specified!
You can repeat these steps for each of the ports you need to forward.