If you have one external address,, externally, you can only manage the firewall on the same IP address as the external interface. Set the Manage-IP address to be 0.0.0.0 - (it defaults to the same IP as the untrust interface). Then enable ssh and web etc. Note however, that web and telnet are clear text so the admin login userid password and configuration changes are not encrypted, so not really meant for external connections. You should use ssh or ssl communications for the encrypted equivalent.
Also have a look under admin, management and permitted IPs list. This allows you to restrict by source IP who can connect to manage the firewall in the first place. Remember to firstly add your internal IP/range othewise you may lock yourself out.
Hope this is helpful.
AM
formatting link