WatchGuard Technologies, Inc.

Frequently Asked Questions
Firebox® X Appliance Software



General Questions

Q: What is Fireware®?
A:
Fireware® is appliance software from WatchGuard® for Firebox® X Core™ and Peak™ security appliances. Fireware offers advanced networking features, powerful security protection, and simple, easy-to-use management features. Fireware appliance software provides support for WatchGuard's newest subscription-based unified threat management (UTM) security services, including Gateway AntiVirus/Intrusion Prevention Service, spamBlocker, and WebBlocker - for comprehensive security against known and unknown threats.

Q: What is Fireware® Pro?
A:
Fireware® Pro is an enhanced version of Fireware, with advanced features needed to support more complex network environments. Fireware Pro includes all features of Fireware, plus these additional features:

  • High Availability appliance redundancy
  • VLAN support
  • Policy-based Routing
  • Traffic Shaping (including Quality of Service (QoS), bandwidth allocation, rate-limiting, and more)
  • Enhanced Multi-WAN support
  • Multi-WAN Load Balancing
  • Dynamic Routing - BGP4, OSPF

Q: What is WatchGuard Firebox System (WFS)?
A:
WFS is the appliance software used for managing legacy Firebox X Core devices (non e-Series) and earlier appliances. WFS enables the configuration of policies of the Firebox, setting up and customizing services, logging, monitoring, and reporting.


Fireware and Fireware Pro - Comparison Questions

Q: How are Fireware and Fireware Pro different?
A:
Fireware Pro is an enhanced version of Fireware. It is designed to provide the features and capabilities needed by more complex network installations.

Q: What are the advanced features in Fireware Pro that are not enabled in Fireware?
A:
Advanced features offered by Fireware Pro include:

  • VLAN Support. Fireware Pro supports 802.1q VLAN tagging and trunking, for interoperability with VLAN-enabled network equipment, and increased network flexibility and performance
  • Policy-Based Routing. Fireware Pro gives the user the ability to tie specific Internet-bound traffic to a specific WAN interface. This allows mission-critical traffic to be sent over higher-grade connections, and non-critical traffic to be sent over inexpensive, lower-bandwidth connections.
  • Traffic Prioritization/Quality of Service (QoS). Prioritization of traffic allows latency-sensitive traffic such as Voice over IP (VoIP) to be prioritized over traffic that is not time sensitive.
  • Dynamic Routing using BGP or OSPF. Maximizes the reliability and resiliency of your network by incorporating dynamic routing protocols, including BGP and OSPF. Support for RIP dynamic routing is enabled in both Fireware and Fireware Pro.
  • High Availability. Prevents network failure by allowing redundant Firebox appliances.

Q: Is Fireware Pro a different software image than Fireware?
A:
No. Fireware and Fireware Pro are the same appliance software image. A Fireware Pro license key is used to enable the additional features of Fireware Pro.


Fireware and WFS - Comparison Questions

Q: What appliance features does Fireware offer that are not available in WFS?
A:
Fireware offers many advanced features and capabilities beyond those present in WFS, the appliance software provided with older WatchGuard appliances. Capabilities in Fireware that are not present in WFS include:

  • Multi-WAN Failover and Load Sharing. Allows up to four ISP connections, letting you load share traffic across multiple ISPs or provide failover backup in the event of an ISP outage.
  • VPN Failover. Used in conjunction with WAN Failover and Multi-WAN, WAN failover allows VPN traffic to automatically fail over to a secondary WAN connection if the primary connection fails.
  • Dynamic DNS client. The DynDNS client allows use of fully qualified domain names (www.company.com) on appliances that have a dynamically assigned IP address from their Internet Service Provider.
  • User Authentication via LDAP/Active Directory.
  • Port Independence. Prevents network failure by allowing redundant Firebox appliances.
  • Traffic Management. Allows bandwidth to be controlled per policy, letting the Firebox administrator control bandwidth allocations by traffic type. (Only available with Fireware Pro; not Fireware).
  • Traffic Prioritization. Traffic can be prioritized by type, to support applications such as VoIP. (Only available with Fireware Pro).
  • Dynamic Routing. RIP (comes with Fireware and Fireware Pro); BGP4, OSPF (Only available with Fireware Pro).

Q: What enhanced security features does Fireware offer that are not available in WFS?
A:
Fireware offers advanced security features not available in WFS; features designed to improve security and provide advanced protection capabilities. New security features in Fireware include:

  • Inbound HTTP protection. Prevents attacks against Web servers.
  • Configurable email attachment control. Attachments can be selectively allowed, permitting attachment downloads from trusted sources. Email attachments with suspicious content can be:

    • Allowed
    • Stripped (while allowing the rest of the email through)
    • Locked so that a user cannot open it without intervention from a Firebox administrator
    • Emails with suspicious attachments can be denied altogether. The sending IP address can optionally be placed on the Blocked Sites list

    When scanned by the AntiVirus engine (optional Gateway AV/IPS subscription required), any of the above actions can be applied, based on the result of the AV scan.

  • AES encryption. 128-, 192-, and 256-bit Advanced Encryption Standard offers the latest standard in strong encryption
  • Progressive DDoS protection.
  • Time-based firewall rules.
  • Enhanced proxies: Fireware proxies are more sophisticated in the breadth and depth of functionality available, and in the granularity of control available over proxy actions.

Q: What management features does Fireware offer that are not available in WFS?
A:
WatchGuard System Manager (WSM) management features are enhanced when managing appliances running Fireware. WSM feature enhancements provided by Fireware include:

  • Performance Console graphs
  • All WSM modules (HostWatch™, Traffic Monitor, Blocked Sites list, etc) have enhanced functionality in support of Fireware
  • Interactive components in HostWatch and Traffic Monitor
  • SNMP support
  • New Historical Reports on Gateway AV/IPS and spamBlocker
  • Policy Manager refinements (layout, icons)
  • Choice of manual or auto rules ordering
  • "From-To" traffic metaphor replaces "incoming-outgoing"

Q: Are there different security services available for Fireware than there are for WFS?
A:
Yes. Fireware supports WatchGuard's latest subscription-based services, including Gateway AV/IPS and spamBlocker:

  • Gateway AntiVirus/Intrusion Prevention Service with anti-spyware. Fireware supports the Gateway AV/IPS security service. Gateway AV/IPS provides powerful signature-based anti-virus and IPS protection for mail, Web, and FTP traffic. The anti-virus service available for WFS, Gateway AntiVirus for E-mail, provides signature-based protection only for SMTP email traffic and does not provide equivalent IPS capabilities.

  • spamBlocker. This latest anti-spam service for Fireware offers significant advantages over the SpamScreen anti-spam service available for WFS. Advantages include real-time detection of spam outbreaks, and the ability to detect spam regardless of the content, format, or language of a message.


Appliance Software - Support by Model

Q: Which appliance software runs on the different Firebox X appliances?
A:
The following table summarizes the applicable default appliance software for Firebox X Core and Peak models and the available appliance software upgrades:

| Product Family | Appliance Software | Upgradeable to |
|---|---|---|
| Firebox X Core e-Series (X550e, X750e, X1250e) | Fireware | Fireware Pro |
| Firebox X Core (X500, X700, X1000, X2500) | WFS | Fireware Pro |
| Firebox X Peak e-Series (X5500e, X6500e, X8500e, X8500e-F) | Fireware Pro | N/A |
| Firebox X Peak (X5000, X6000, X8000) | Fireware Pro | N/A |

Appliance Software - Firebox X Core legacy models

Q: Can Firebox X Core appliances running WFS be upgraded to Fireware Pro?
A:
Yes. Because Fireware Pro is a different software image from WFS, the Fireware Pro appliance software will need to be downloaded and installed on the appliance, replacing the WFS appliance software image.

Q: Can Firebox X Core appliances running WFS be upgraded to Fireware?
A:
No. Firebox X Core models (X500, X700, X1000, and X2500) are sold with WFS appliance software. These models can be upgraded to Fireware Pro appliance software as a purchased upgrade. At this time, however, they cannot be upgraded to Fireware.

Q: Are the newer Firebox® X Core™ X550e, X750e, and X1250e models compliant with European Union RoHS and WEEE regulations?
A:
Yes, these models are fully compliant with EU RoHS and WEEE regulations. Previously released Firebox® X Core models (X500, X700, X1000, X2500) are not compliant with the new EU RoHS regulations.

Q: Will WFS continue to be supported when sales of the Firebox Core X500, X700, X1000 and X2500 models are ended?
A:
Yes. WFS will continue to be supported. Hardware and software support remains available to customers with active LiveSecurity Service subscriptions.


Fireware - Features

Multi-WAN Failover

Q: What is Multi-WAN failover?
A:
Multi-WAN failover allows up to four External (WAN) ports to be configured to handle WAN traffic while providing failure backup and/or traffic load sharing across the ports. If connections are not possible via one WAN port, the next designated failover WAN port will be used.

Q: In WAN failover mode, how does Fireware determine if the WAN link is down?
A:
Fireware checks the physical link status and also pings the user-configured IP address to determine whether a WAN link is active. If the physical link status indicates the connection is broken or there is no response from the ping target, then Fireware Pro will declare the WAN link down and fail over to another WAN connection.

Multi-WAN Load Sharing

Q: What types of WAN load sharing are supported?
A:
Fireware® supports per-session round robin load sharing, and in Fireware Pro 9.0 and later, weighted round robin and interface spillover algorithms. All traffic for a given TCP session will be sent via the WAN port used when the session was initiated (sometimes known as “session stickiness”).
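
The link-down check and the session stickiness described in the two answers above, modelled as an added sketch (not WatchGuard code). The class and field names, the weights, the sample addresses and the smooth weighted-round-robin variant are assumptions; the FAQ does not describe Fireware's actual algorithm.

```python
from dataclasses import dataclass

MAX_WAN_PORTS = 4  # the FAQ allows at most four WAN ports


@dataclass
class WanLink:
    name: str
    weight: int = 1        # assumed: relative share of new sessions
    link_up: bool = True   # physical link status
    ping_ok: bool = True   # reply from the user-configured ping target

    @property
    def active(self) -> bool:
        # Declared down if the physical link is broken OR the ping target is silent.
        return self.link_up and self.ping_ok


class MultiWan:
    """Per-session weighted round robin with stickiness and failover."""

    def __init__(self, links):
        if not 1 <= len(links) <= MAX_WAN_PORTS:
            raise ValueError("between one and four WAN links are required")
        self.links = list(links)
        self.sessions = {}  # (src_ip, src_port, dst_ip, dst_port) -> WanLink
        self._credit = {link.name: 0 for link in self.links}

    def _pick(self):
        # Smooth weighted round robin over the links that are currently active.
        active = [link for link in self.links if link.active]
        if not active:
            return None
        total = sum(link.weight for link in active)
        for link in active:
            self._credit[link.name] += link.weight
        best = max(active, key=lambda link: self._credit[link.name])
        self._credit[best.name] -= total
        return best

    def route(self, session):
        """Return the WAN port name for this session, or None if all are down."""
        link = self.sessions.get(session)
        if link is not None and link.active:
            return link.name  # stickiness: keep the port chosen at session start
        link = self._pick()   # new session, or its original port has failed
        if link is None:
            self.sessions.pop(session, None)
            return None
        self.sessions[session] = link
        return link.name


if __name__ == "__main__":
    # Constructed sample sessions using documentation address ranges.
    wan = MultiWan([WanLink("wan1", weight=2), WanLink("wan2", weight=1)])
    flows = [("192.0.2.10", 40000 + i, "198.51.100.5", 443) for i in range(6)]
    print([wan.route(f) for f in flows])  # new sessions spread 2:1
    wan.links[1].ping_ok = False          # ping target stops answering on wan2
    print([wan.route(f) for f in flows])  # wan2 sessions fail over to wan1
```

With equal weights the same selection degenerates to plain per-session round robin.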

Q: Can traffic be sent out over different WAN ports based on traffic type?
A:
Yes, with Fireware Pro 9.0 and later.

VPN Failover

Q: What is VPN failover?
A:
VPN failover, introduced in Fireware and Fireware Pro 9.0, allows the Firebox to be configured to automatically send VPN traffic to or through an alternate Internet connection in the event that the primary connection fails. This can be true whether the Internet connection failure occurs on the local Firebox or the remote Firebox, as long as both appliances run Fireware or Fireware Pro 9.0 or later and at least one of them uses Multi-WAN or WAN Failover.

Port Independence

Q: What is port independence?
A:
Port Independence allows any physical port on the Firebox X appliance to be configured as External, Trusted, or Optional. The port type is not fixed in the hardware.

Q: What are the benefits of port independence?
A:
Port independence provides the most flexibility in configuring the Firebox X appliance to fit into your network environment and to respond to changes in the network configuration. Additionally, no ports are ever wasted because they are of the wrong type.

Q: Are there any limits on how many ports can be configured as WAN, Trusted, or Optional?
A:
The only port independence limit is that a maximum of four ports can be configured as WAN ports. There is no limit to how many ports can be configured as Trusted or Optional.

Q: Is port independence possible on Firebox X Core appliances?
A:
Yes. The Port Independence feature is present if the appliance is running the Fireware appliance software.


Fireware Pro - Features

VLAN Support

Q: What type of VLAN support is included?
A:
Introduced with Fireware Pro 9.0, this suite of features includes 802.1q VLAN tagging and trunking support. VLANs can be configured in one of two basic ways: a single VLAN can span two or more physical interfaces on the Firebox, or more than one VLAN can be configured on a single physical interface. In either case, the Firebox can enforce rules to allow, deny, or proxy traffic between VLANs (regardless of the relationships between the physical interfaces and the distributions of the VLANs).

Policy Based Routing

Q: What is Policy Based Routing?
A:
Introduced with Fireware Pro 9.0 and used in conjunction with Multi-WAN, this feature allows the administrator to designate, on a per-policy basis, which WAN interface is used for outgoing traffic. If the administrator chooses not to configure this feature, the other Multi-WAN algorithms (round-robin, weighted round-robin, etc) apply.

Traffic Management

Q: What traffic management capabilities are provided by Fireware Pro?
A:
Fireware Pro offers per-policy traffic management. Settings include:

  • Maximum bandwidth
  • Minimum bandwidth
  • Maximum Connections per Second

Q: Can traffic management be based on IP address or application type?
A:
Yes. Fireware Pro traffic management is policy-based. Traffic management is applied at the policy level, so it can be based on IP address, traffic type, or any other user-defined policy specification.

Traffic Prioritization/QoS

Q: What QoS priority settings are available in Fireware Pro?
A:
Traffic matching a policy can be assigned any of eight priority levels.

Q: Can Traffic Prioritization/QoS be based on IP address or application type?
A:
Yes. Traffic prioritization/QoS is policy-based. Traffic management is applied at the policy level, so it can be based on IP address, traffic type, or any other user-defined policy specification.

Q: Are QoS priority settings based on 802.1p, DiffServ, or other standards?
A:
Fireware 9.0 and later supports DiffServ and IP precedence (ToS) marking types with flexible marking methods for granular control over QoS settings.

Q: Is Traffic Prioritization possible on Firebox X Core appliances?
A:
Yes. The Traffic Prioritization feature is present if the appliance is running the Fireware Pro appliance software.

High Availability

Q: What high availability (HA) failover modes are possible?
A:
Firebox X appliances running Fireware Pro support Active/Passive failover, in which one appliance is active and the other is available as a hot standby.

Q: What information is synchronized between high availability pair devices? Is any information lost during failover?
A:
Synchronization includes:

  • Firewall and VPN configuration settings
  • Active Firewall and VPN sessions

Q: Is the high availability pair synchronization traffic encrypted?
A:
By default, the high availability synchronization traffic is not encrypted; however, this is a user-selectable option.

Q: Can a Firebox device running Fireware Pro and a Firebox device running Fireware or WFS work together as a high availability pair?
A:
No. Both appliances in the high availability pair must be running Fireware Pro.

Q: Can devices from different Firebox model lines (e.g., a Firebox X Peak and a Firebox X Core) work together as a high availability pair?
A:
No. High availability pairs must be identical appliances running the same appliance software.

Q: Can different models of Firebox devices within a product line (e.g., X500 and X2500) work together as a high availability pair?
A:
No. High availability pairs must be identical appliance models running the same appliance software.

Q: If I upgrade my primary Firebox X to a higher model, am I required to upgrade my standby appliance to a higher model as well?
A:
Yes. You must also upgrade the model of the standby appliance.

Q: Do I have to purchase security service licenses for both appliances in the high availability pair?
A:
No. If the primary unit has active licenses for additional security services such as WebBlocker and Gateway AV/IPS, the secondary unit will be provided with complimentary licenses for each like service. The LiveSecurity Service subscription must be active on each device to receive the complimentary licenses.

Q: Is high availability possible on Firebox X Core appliances?
A:
Yes. The high availability feature is present if the appliance is running Fireware Pro appliance software. It is also available as a 3-Port Upgrade and High Availability Bundle for Firebox X Core appliances running WFS.

Dynamic Routing - BGP4 and OSPF

Q: What dynamic routing protocols are supported on Fireware Pro?
A:
Fireware Pro supports BGP4, OSPF, RIPv1, and RIPv2. Fireware supports RIPv1 and RIPv2.

Q: What is the maximum routing table size?
A:
The Fireware Pro routing table can hold up to 32,000 entries, including both static and dynamic entries.

Q: Does OSPF support load balancing across multi-path equal-cost links?
A:
OSPF multi-path equal-cost routing is not supported at this time.


Appliance Software - What's New

Q: What enhancements are introduced with Fireware Pro 9.0?
A:
Primary enhancements include:

  • Networking enhancements
    • Policy Based Routing
    • VLAN support
    • Enhancements to Multi-WAN, including new algorithms to determine WAN failure, a weighted-round-robin algorithm, interface spillover, and more
    • Enhancements to the QoS implementation

Q: Are there any enhancements to WFS?
A:
WatchGuard System Manager (WSM) 9.0 includes WatchGuard Firebox System (WFS) 7.5 with these enhancements:

  • Support for AES encryption for Branch Office VPN tunnels
  • Gateway AntiVirus for E-mail engine is updated, and now supports dynamic updates (this allows the scanning engine itself to be automatically updated when a new version is available; previously, it could only be updated by installing a new WFS image).

Purchasing Fireware Pro

Q: Does Fireware run as a stand-alone product or do I need to run it on a Firebox X appliance?
A:
Fireware is the appliance software and must be run on Firebox X Core or Peak appliances. It is not a stand-alone software package.

Q: Can Fireware Pro be purchased separately?
A:
Yes. Fireware Pro is available as a purchase upgrade for Firebox X Core appliances.

Q: Why is Fireware Pro a purchase upgrade for Firebox X Core appliances?
A:
It is typical in the security appliance industry to offer "standard" appliance software geared toward typical customer needs and an "advanced" version with additional functionality required primarily in advanced network environments. Fireware Pro has the advanced security and networking features required in demanding and complex network environments. Customers who need those features should upgrade to Fireware Pro.

Q: Is upgrading to Fireware Pro covered by my LiveSecurity Service subscription if I have WFS running on my Firebox?
A:
No. Fireware Pro is advanced appliance software. It is a separate product from WFS, the standard appliance software on Firebox X Core appliances. A customer's LiveSecurity Service subscription covers software updates to and future releases of WFS, but does not cover the Fireware Pro software product.

Q: I'm running WFS. Can I get the same features as Fireware Pro by purchasing the 3-Port and High Availability upgrade?
A:
The 3-Port Upgrade and High Availability Bundle for Firebox X Core appliances enables three additional 10/100 ports (for a total of six) and enables the high availability feature. Both of these are standard with Fireware Pro. However, none of the additional Fireware Pro features are available without upgrading from WFS to Fireware Pro.

Q: If I'm using high availability on a Firebox X Core appliance, can I get Fireware Pro free of charge?
A:
No. Fireware Pro is advanced appliance software and a separate product from the WFS appliance software.


Upgrading to Fireware Pro

Q: How do I upgrade my Firebox X Core appliance running WFS or Fireware to Fireware Pro?
A:
After purchasing a Fireware Pro license key, you activate that license key on the LiveSecurity site. Upon activation of the license key you will be presented with a feature key and the software necessary to use Fireware Pro on your Firebox X Core appliance.

Q: When I migrate from WFS 7.x to Fireware Pro, is my LiveSecurity subscription still active?
A:
Yes. Upgrading to Fireware Pro has no effect on the LiveSecurity subscription.

Q: If I'm using Gateway AV for E-mail and migrating from WFS 7.x to Fireware Pro, how do I move to Gateway AV/IPS?
A:
Gateway AV for E-mail is not supported on Fireware Pro. The newer Gateway AV/IPS service provides more advanced capabilities, including HTTP and FTP traffic protection, as well as signature-based IPS.

A separate product SKU is provided for Firebox X Core customers who are running WFS and Gateway AV for E-mail and wish to move to Gateway AV/IPS. The service is offered at a significant discount (75%), allowing customers to recoup their previous investment in Gateway AV for E-mail. Time remaining on the Gateway AV for E-mail subscription is not prorated.

Q: If I'm using SpamScreen and migrating from WFS 7.x to Fireware Pro, how do I move to spamBlocker?
A:
SpamScreen is not supported on Fireware Pro. The newer spamBlocker service provides more advanced capabilities than SpamScreen, including real-time spam detection and the ability to block spam regardless of the content, format, or language of the message.

A separate product SKU is provided for Firebox X Core customers who are running WFS and SpamScreen and wish to move to spamBlocker. The service is offered at a significant discount (75%), allowing customers to recoup their previous investment in SpamScreen. Time remaining on the SpamBlocker subscription is not prorated.

Q: Is there a migration tool available for customers migrating from WFS to Fireware Pro?
A:
A migration guide is available to assist users migrating to Fireware Pro. Because of the significant difference between WFS and Fireware, a complete configuration conversion tool is not available.