Firebox Migration to Cloud Management Guide

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

WatchGuard Cloud enables you to view and manage your products and services in one place. You can set up your devices and configure and manage security and networking policies across multiple Fireboxes with flexible templates.

This guide describes the procedures and best practices to help you migrate your locally-managed Fireboxes to cloud management in WatchGuard Cloud.

About Firebox Management in WatchGuard Cloud

There are two ways you can manage a Firebox in WatchGuard Cloud:

  • Firebox Visibility and Reporting in WatchGuard Cloud (Local Management) — When you add a Firebox to WatchGuard Cloud as locally-managed, you can monitor live status, view log messages and reports, and perform firmware upgrades. You continue to configure the device locally from Fireware Web UI or WatchGuard System Manager.
  • Firebox Management in WatchGuard Cloud (Cloud Management) — When a Firebox is cloud-managed, in addition to visibility, monitoring, and reporting, you fully manage the configuration in WatchGuard Cloud. You no longer manage the device configuration with Fireware Web UI or WatchGuard System Manager.

To more easily migrate a large number of Fireboxes from local management to cloud management, we recommend you first add your locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting. With this method, it is easier to move a Firebox to cloud management because the device is already available in WatchGuard Cloud, and you can migrate your devices gradually. For more information, go to Add a Locally-Managed Firebox to WatchGuard Cloud.

Plan Your Migration to Cloud Management

As you plan to move your locally-managed Fireboxes to cloud management, consider these recommendations:

  • Verify the supported features in WatchGuard Cloud — Before you move your locally-managed Fireboxes to cloud management, review the supported and unsupported Fireware features in WatchGuard Cloud and make sure the features you use in your current configuration are available.
    For more information about supported features, go to Firebox Feature Comparison — Locally-Managed and Cloud-Managed.
  • Plan the scope of your migration to cloud management — Based on the size and complexity of your network, determine whether you can migrate your Fireboxes to cloud management quickly or if your deployment requires a gradual transition.
  • Identify unique requirements of your network — Some unique Firebox configurations might require careful planning before you move the devices to cloud management.
    For example:
      • Special VPN configurations or legacy VPNs you must support
      • Unique routing configurations for your network
  • Identify Fireboxes with similar configurations for easier migration — Identify groups of Fireboxes that you can easily move to cloud management, such as devices that share the same or similar configurations.
  • Add Fireboxes to WatchGuard Cloud for visibility and reporting — When you add your Firebox to WatchGuard Cloud for visibility and reporting only, you still manage the Firebox configuration locally with Fireware Web UI or WatchGuard System Manager. This makes it easier to change the Firebox to cloud management later.
    After you add a locally-managed Firebox, run the Policy Usage Report in WatchGuard Cloud for the device to determine how your current policies are used, identify unused policies you can remove, and find common policies that you can consolidate before you migrate the Firebox to cloud management.
  • Plan Firebox templates to simplify the migration process — Review your current configuration and plan your cloud configuration like a new deployment instead of a direct conversion of your existing local configuration.
    This enables you to:
      • Review your current policies and Firebox templates to find opportunities to reorganize how you apply settings to your devices.
      • Identify common Firebox policies and services that you can group together in Firebox templates.
      • Use multiple templates based on specific groups of policies and services. With this approach, based on the size of your deployment and the number of customers you support, you can use a base template for standard settings that you apply to all devices, and then apply additional templates to specific Fireboxes to enable different policies and services as required.

For more detailed information, go to About Firebox Templates.

We recommend you select a locally-managed Firebox as an initial test device to move to cloud management. Create a cloud configuration with a base configuration that includes common settings for your Fireboxes, and then use Firebox templates to configure additional policies and services, as required. When you move other Fireboxes to cloud management, you can copy the configuration settings from this initial cloud-managed Firebox.

These are some other items to consider:

Network Configuration

  • In WatchGuard Cloud, the Firebox network configuration is organized based on networks (External, Internal, Guest), while for locally-managed Fireboxes, the configuration is organized based on network interfaces and security zones (External, Trusted, Optional).
  • Cloud-managed Fireboxes do not have the equivalent of an Optional security zone.

Policies

  • For Fireboxes that you have added to WatchGuard Cloud for visibility and reporting, view the Policy Usage Report in WatchGuard Cloud to help determine how you currently use your policies.
  • Identify policies that you must retain when you change to cloud management, and remove unused policies that you no longer need. Look for similar policies that you can merge or consolidate to reduce the number of policies.
  • Cloud-managed Fireboxes do not have an Optional security zone. If you have existing policies on your locally-managed Firebox that use the Optional security zone, configure the network in WatchGuard Cloud as an Internal network. You must reconfigure any policies that use the Any-Trusted/Any-Optional built-in aliases to use the network interface aliases if you do not want both networks to connect to the same resources.
  • Review the proxy actions in your locally-managed configuration. With performance advances in the latest Firebox models, and changes over time to the characteristics of Internet and network traffic, many of the proxy action options available in Policy Manager and Fireware Web UI are no longer necessary.
  • In WatchGuard Cloud, you cannot customize proxy actions. If you currently modify your proxy actions, we recommend you use exceptions and First Run policies in WatchGuard Cloud. First Run policies in WatchGuard Cloud are the equivalent of the use of packet filters to override core proxy policies on locally-managed Fireboxes.

Subscription Services

  • Cloud-managed Fireboxes have one exceptions configuration that all policies use. We recommend you review your current subscription service exceptions and combine them into a single list for your cloud-managed Fireboxes.
  • In WatchGuard Cloud, you cannot create exceptions based on a group or user. If you must create these types of exceptions, we recommend you use First Run policies instead.

Branch Office VPNs (BOVPNs)

  • Identify if your current environment has complex VPNs or legacy VPN configurations you must preserve. Many legacy settings for BOVPN are not available in WatchGuard Cloud.
  • WatchGuard Cloud uses VIF (Virtual Interface) BOVPNs (also known as route-based BOVPNs). WatchGuard Cloud does not currently support the policy-based BOVPNs used by locally-managed Fireboxes.
  • To minimize disruption and extended downtime, plan your VPN hub and spoke configurations carefully before you start migration.
  • Plan for extended downtime if you start with the migration of your headquarters hub VPN Firebox to cloud management, and then migrate your spoke VPN Fireboxes.
  • You must reconfigure your BOVPNs after you change a Firebox to cloud management, but the process to configure a BOVPN is much faster in WatchGuard Cloud.
  • If you plan to migrate your spoke VPN Fireboxes to cloud management before you migrate your headquarters hub Firebox, you can create a cloud-managed to locally-managed Firebox or third-party BOVPN configuration from the spoke VPN Fireboxes to the locally-managed hub VPN Firebox. When you eventually migrate the hub VPN Firebox to cloud management, you can re-create the BOVPN links as a cloud-managed to cloud-managed BOVPN configuration.

For more information, go to Manage BOVPNs for Cloud-Managed Fireboxes.

Mobile VPNs

  • WatchGuard Cloud supports only Mobile VPN with SSL or Mobile VPN with IKEv2.
    Mobile VPN with L2TP and Mobile VPN with IPSec are not supported.
  • Mobile VPNs should resume normally after the migration to cloud management, but make sure the cloud configuration matches the previous configuration. Make sure that you have a plan to fix any misconfiguration issues when you change to cloud management.
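The planning items above (minimum Fireware version, no Optional zone, route-based BOVPNs only, SSL or IKEv2 mobile VPN only, no user or group exceptions, and consolidation of unused or duplicate policies) can be turned into a repeatable readiness check that you run over an inventory of your locally-managed Fireboxes before you schedule anyone's migration. The script below is an added example and is not part of this guide or any WatchGuard tool; the inventory fields, the sample devices and the function names `check_firebox` and `group_similar` are assumptions for the example. The guide does not list which models require v12.6.4 rather than v12.5.7, so a version between the two is reported as something to confirm, not as a blocker.

```python
"""Pre-migration readiness check for locally-managed Fireboxes moving to
WatchGuard Cloud management. Added example, not WatchGuard code; the
inventory shape and all function names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

MIN_FIREWARE = (12, 5, 7)          # lowest version the guide accepts for any model
MODEL_DEPENDENT_MIN = (12, 6, 4)   # required by some models; which ones is not listed here
SUPPORTED_MOBILE_VPN = {"SSL", "IKEv2"}
ZONE_ALIASES = {"Any-Trusted", "Any-Optional"}


def parse_version(text: str) -> tuple:
    """'v12.6.4' or '12.7.2.B123' -> (12, 6, 4) / (12, 7, 2); non-numeric tail ignored."""
    nums = []
    for part in text.lstrip("vV").split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums[:3])


@dataclass
class Policy:
    name: str
    src: frozenset        # aliases in the From field
    dst: frozenset        # aliases in the To field
    ports: frozenset      # e.g. {"tcp/443"}
    used: bool = True     # as reported by the Policy Usage Report


@dataclass
class Firebox:
    name: str
    fireware: str
    policies: list = field(default_factory=list)
    bovpns: dict = field(default_factory=dict)          # name -> "policy-based" | "route-based"
    mobile_vpns: set = field(default_factory=set)       # subset of {"SSL","IKEv2","L2TP","IPSec"}
    exception_scopes: set = field(default_factory=set)  # subset of {"global","user","group"}


def check_firebox(fb: Firebox) -> dict:
    """Return blockers (fix before you migrate) and actions (plan for in the cloud config)."""
    blockers, actions = [], []

    ver = parse_version(fb.fireware)
    if ver < MIN_FIREWARE:
        blockers.append(f"Fireware {fb.fireware} is below the v12.5.7 minimum; upgrade first")
    elif ver < MODEL_DEPENDENT_MIN:
        actions.append(f"Fireware {fb.fireware}: confirm this model does not require v12.6.4")

    unused = [p.name for p in fb.policies if not p.used]
    if unused:
        actions.append("remove unused policies before migration: " + ", ".join(unused))

    # Policies with identical From/To/ports are candidates to merge.
    by_shape = defaultdict(list)
    for p in fb.policies:
        by_shape[(p.src, p.dst, p.ports)].append(p.name)
    for names in by_shape.values():
        if len(names) > 1:
            actions.append("consolidate duplicate policies: " + ", ".join(names))

    # No Optional zone in the cloud: its networks become Internal, and policies built on
    # the Any-Trusted/Any-Optional aliases need interface aliases to keep them apart.
    zone_users = [p.name for p in fb.policies if (p.src | p.dst) & ZONE_ALIASES]
    if any("Any-Optional" in (p.src | p.dst) for p in fb.policies):
        actions.append("Optional zone becomes an Internal network; rewrite zone-alias policies "
                       "to interface aliases: " + ", ".join(zone_users))

    for name, kind in fb.bovpns.items():
        if kind == "policy-based":
            actions.append(f"BOVPN {name} is policy-based; rebuild it as a VIF (route-based) BOVPN")

    unsupported = fb.mobile_vpns - SUPPORTED_MOBILE_VPN
    if unsupported:
        blockers.append("unsupported Mobile VPN types: " + ", ".join(sorted(unsupported)))

    if fb.exception_scopes & {"user", "group"}:
        actions.append("user/group-based exceptions are not available; use First Run policies")

    return {"name": fb.name, "ready": not blockers, "blockers": blockers, "actions": actions}


def group_similar(fireboxes) -> list:
    """Group devices whose policy sets share the same shape (candidates for one template)."""
    groups = defaultdict(list)
    for fb in fireboxes:
        groups[frozenset((p.src, p.dst, p.ports) for p in fb.policies)].append(fb.name)
    return sorted(sorted(names) for names in groups.values())


# Constructed sample inventory for the example; not real devices.
WEB = frozenset({"tcp/80", "tcp/443"})
TO_EXT = frozenset({"Any-External"})
INVENTORY = [
    Firebox("hq-fw", "12.7.2",
            policies=[Policy("HTTPS-out", frozenset({"Any-Trusted", "Any-Optional"}), TO_EXT, WEB),
                      Policy("Web-out-old", frozenset({"Any-Trusted", "Any-Optional"}), TO_EXT, WEB),
                      Policy("FTP-legacy", frozenset({"Any-Trusted"}), TO_EXT, frozenset({"tcp/21"}), used=False)],
            bovpns={"to-branch-1": "policy-based"}, mobile_vpns={"SSL", "L2TP"},
            exception_scopes={"global", "group"}),
    Firebox("branch-1", "12.6.1", policies=[Policy("HTTPS-out", frozenset({"Any-Trusted"}), TO_EXT, WEB)],
            bovpns={"to-hq": "route-based"}, mobile_vpns={"IKEv2"}),
    Firebox("branch-2", "12.5.4", policies=[Policy("HTTPS-out", frozenset({"Any-Trusted"}), TO_EXT, WEB)]),
]

if __name__ == "__main__":
    for report in map(check_firebox, INVENTORY):
        print(report)
    print(group_similar(INVENTORY))
```

In the constructed inventory, the hub is blocked only by its L2TP mobile VPN, but accumulates five planning actions; the first branch is ready once its model's version requirement is confirmed; the second branch is blocked by its Fireware version alone. The two branches share one policy shape, which is the kind of group the guide suggests migrating together under a common template.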

Overview of Migration to Cloud Management

When you are ready to start the migration of your locally-managed Fireboxes to WatchGuard Cloud, there are two methods you can use, based on the requirements of your current deployment.

  • Add a locally-managed Firebox to WatchGuard Cloud as a new cloud-managed device — You can add your locally-managed Firebox directly to WatchGuard Cloud as a new cloud-managed device.
      • When you add a Firebox to cloud management, you must create a new configuration for the device in WatchGuard Cloud. You cannot convert an existing locally-managed Firebox configuration to WatchGuard Cloud when you make the initial change to cloud management.
      • Until you reset your locally-managed Firebox to factory-default settings to connect to WatchGuard Cloud, you can continue to manage the device with Fireware Web UI or WatchGuard System Manager.
      • We recommend you set up your new configuration for the Firebox in WatchGuard Cloud in advance. When you are ready to connect the device to WatchGuard Cloud, you restart the locally-managed Firebox with factory-default settings. When the device connects to WatchGuard Cloud, the Firebox receives the new cloud configuration.
      • To help simplify the configuration process when you add a Firebox to WatchGuard Cloud, you can copy configuration settings from an existing cloud-managed Firebox. For more information, go to Copy Configuration Settings from a Cloud-Managed Device.
      • Although you cannot convert an existing locally-managed Firebox configuration to a new configuration in WatchGuard Cloud when you add the device, WatchGuard Cloud provides an option to import some settings of the configuration file of a locally-managed Firebox after you change the device to cloud management. For more information, go to Import Configuration Settings From a Locally-Managed Firebox.

For detailed instructions on how to add a locally-managed Firebox to WatchGuard Cloud as a new cloud-managed device, go to Add a Cloud-Managed Firebox to WatchGuard Cloud.

  • Add the locally-managed Firebox to WatchGuard Cloud for visibility and reporting — To more easily move a large number of Fireboxes from local management to cloud management, you can first add your locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting, and then move the devices to cloud management.
      • When you add the Firebox to WatchGuard Cloud for visibility and reporting, you continue to manage and configure the Firebox locally from Fireware Web UI or WatchGuard System Manager, but use WatchGuard Cloud for monitoring and reports.
      • When you are ready to move your Fireboxes to cloud management, you can click the Change to Cloud Management button for the device in WatchGuard Cloud. This simplifies the process because the devices are already in WatchGuard Cloud, and you can move each Firebox in your network to cloud management as required.
      • When you change to cloud management, you can no longer administer the device with WSM. Fireware Web UI is simplified for cloud-managed devices and enables you to perform only basic administration and diagnostic tasks.
      • When you update the passwords for the Firebox during the change to cloud management, the new passwords take effect immediately. If you back out of the process and revert the device to local management, these passwords also become the new passwords for local management.
      • Until you make the first cloud configuration deployment, the device continues to run in its current configuration. This enables you to take your time to complete your configuration in WatchGuard Cloud before you deploy the cloud configuration to the device.
      • You must create a new configuration for the device in WatchGuard Cloud. You cannot convert an existing locally-managed Firebox configuration to WatchGuard Cloud while you make the initial change to cloud management.
      • To help simplify the configuration process when you move the device to cloud management, you can copy configuration settings from an existing cloud-managed Firebox. For more information, go to Copy Configuration Settings from a Cloud-Managed Device.
      • WatchGuard Cloud also provides an option to import some settings from the configuration file of a locally-managed Firebox after you change the device to cloud management. For more information, go to Import Configuration Settings From a Locally-Managed Firebox.

For detailed instructions on how to add a locally-managed Firebox to WatchGuard Cloud for visibility and reporting, go to Add a Locally-Managed Firebox to WatchGuard Cloud.

Change a Locally-Managed Firebox to Cloud Management

Before you change a locally-managed Firebox to cloud management, review the recommendations and planning steps.

To change a locally-managed Firebox to cloud management:

  1. Save the most recent configuration of your locally-managed Firebox as a backup. This enables you to restore the configuration if you encounter any issues when you change the device to cloud management.
  2. Change the Firebox from locally-managed to cloud-managed. You can use either of the two methods described in Overview of Migration to Cloud Management.
  3. Configure the Firebox in WatchGuard Cloud.
    When you migrate the device to cloud management, you can initially configure the device with one of these methods:
      • Create a new configuration for your device in WatchGuard Cloud.
      • Copy the configuration from an existing cloud-managed device.
    After you move the Firebox to cloud management, you can also:
      • Import configuration settings from a locally-managed Firebox configuration.
  4. When you complete the WatchGuard Cloud migration, deploy the cloud-managed configuration to the Firebox.
    The original configuration remains on the Firebox until you deploy the cloud-managed configuration.

Before You Begin

Before you change a Firebox to cloud management:

  • Make sure you create a backup of the configuration. This enables you to restore a backup configuration if you have to revert the Firebox to local management.
  • We recommend that you upgrade your locally-managed Firebox to the latest Fireware release before you change the device to cloud management. At a minimum, the Firebox must run Fireware v12.5.7 or Fireware v12.6.4 or higher, depending on the Firebox model.
  • For more information about Fireware requirements for cloud management, go to Fireware Requirements.

About Copy Configuration with Change to Cloud Management

When you change a locally-managed Firebox to cloud management, you can copy configuration settings from a cloud-managed Firebox you already added to WatchGuard Cloud. This provides a ready-made configuration that contains general settings and policies appropriate for your network. For more information, go to Copy Configuration Settings from a Cloud-Managed Device.

Follow these guidelines when you select an existing cloud-managed Firebox configuration to copy from:

  • The cloud-managed Firebox to copy from must be in the same WatchGuard Cloud account.
  • When you copy a configuration, all network settings, wireless settings, device policies, and Firebox template subscriptions are copied.
  • Select a Firebox that contains the most network configurations available for your deployment. It is easier to remove unneeded networks after you copy the configuration to the new device.
  • Select a Firebox with the fewest unique device policies. It is easier to add a required policy for a specific device than to remove unneeded policies from the Firebox configuration you copied from.
  • Select a Firebox that subscribes to all your configured Firebox templates.
  • Review your network settings, including any wireless interfaces, before you deploy the configuration.
  • Review the external network interface settings of the new Firebox after you copy a configuration. If your source configuration has a static external network configuration, review the settings before you deploy your new configuration. If you do not update these settings before deployment, the external interface settings might result in a Firebox that is unable to communicate with WatchGuard Cloud.
  • When you copy the configuration from a cloud-managed Firebox, make sure you review the list of settings that are not copied to the new device.
  • To back out of the copy configuration process, click Cancel in the step where you want to stop. After you cancel, you cannot resume the same copy configuration session. You must restart the copy configuration process.

About Import Configuration After Migration to Cloud Management

After you change a locally-managed Firebox to cloud management, you can also import a configuration from a locally-managed Firebox. This enables you to import some settings from a backup configuration file you saved from your locally-managed Firebox after you move the device to cloud management.

With the Import Configuration wizard, you can import these settings from a locally-managed Firebox configuration file to a cloud-managed Firebox:

  • Aliases
  • Exceptions
  • Routes
  • Blocked Ports
  • Blocked Sites
  • Dimension Servers
  • Syslog Servers
  • Technology Integrations

For more information, go to Import Configuration Settings From a Locally-Managed Firebox.

Example: Change a Locally-Managed Firebox to Cloud Management with Copy Configuration

In this example, we change a locally-managed Firebox that has already been added to WatchGuard Cloud for visibility and monitoring to cloud management, and copy the configuration from another existing cloud-managed Firebox.

To change a locally-managed Firebox to cloud management and copy the configuration from another cloud-managed Firebox:

  1. In Fireware Web UI or WSM, log in to your locally-managed Firebox and download the most recent configuration file as a backup.

Screenshot of the Firebox Configuration File download in Fireware Web UI

  2. Log in to your WatchGuard Cloud account.
    For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > Devices.
  4. Select the Firebox you want to change to cloud management.
    The Device Settings page opens.
  5. Make sure the Firebox runs the latest version of Fireware. You can click the Upgrade Firmware link to upgrade the Firebox.

Screenshot of the Upgrade Firmware link in the Device Settings in WatchGuard Cloud

  6. In the Cloud Management section, click Change to Cloud Management.

Screenshot of the Change to Cloud Management confirmation in WatchGuard Cloud

  7. Confirm that you want to change to cloud management.

When you advance to the next step and the Add Device wizard starts, you can no longer make changes to the Firebox configuration with Fireware Web UI or WatchGuard System Manager.

  8. Select the Copy a configuration from another cloud-managed Firebox option, then click Next.

Screenshot of the Add Device wizard configuration selection in WatchGuard Cloud

  9. Select the cloud-managed Firebox you want to copy the configuration from, then click Next.

Screenshot of the Copy Configuration settings selection in WatchGuard Cloud

Make sure you review the list of settings that are not copied and require manual configuration in WatchGuard Cloud, such as VPN settings and device certificates.

  10. Enter the Device Name, select a Time Zone, and select the folder location for the device in WatchGuard Cloud. Click Next.

Screenshot of the Add Device wizard setup page in WatchGuard Cloud

  11. If you have a wireless-capable Firebox, configure the wireless SSID network names and passphrases, then click Next.

Screenshot of the Add Device wizard wireless setup page in WatchGuard Cloud

  12. Set the Status and Admin passwords for Fireware Web UI access, then click Next.

Screenshot of the Add Device wizard password setup page in WatchGuard Cloud

If you have to back out of the cloud management migration process and revert the device to local management, you must use these new credentials to log in to the device with Fireware Web UI or WatchGuard System Manager.

  13. Click Next to configure the device.

Screenshot of the Add Device wizard cloud management completion page in WatchGuard Cloud

  14. Review the device configuration and make changes as necessary:
      1. The current local configuration remains active until you deploy the cloud-managed configuration. The configuration to deploy appears in the Deployment History page with the description Initial Deployment and a status of Staged.
      2. Make sure you review the external and internal network interfaces, network settings, wireless settings, and VPN settings, if applicable, in the cloud-managed configuration before you deploy. If you require more than one external interface or the external interface is physically connected to another port, manually configure the interface before you schedule the deployment.
      3. Review your Firebox template subscriptions.
      4. Add any policies that you require on the device.
  15. To deploy the configuration, click Schedule Deployment.

Screenshot of the Schedule Deployment link in WatchGuard Cloud

For more information, go to Manage Device Configuration Deployment.

WatchGuard Cloud automatically creates a deployment history of all scheduled deployments. The new cloud-managed configuration replaces the locally-managed configuration on the Firebox.

Revert the Firebox to Local Management

If you must revert the device to local management before the change to cloud management successfully completes (for example, if you encounter web browser or connection issues), you can click Remove in the Cloud Management section of the Device Settings page to remove the device from cloud management.

Do not click Remove in the Remove Device section because this removes the device completely from WatchGuard Cloud instead of from cloud management.

Screenshot of the Remove from Cloud Management button in WatchGuard Cloud

If you remove the Firebox from cloud management before the first configuration deploys to the device, no configuration changes are applied to the device and you can manage the Firebox locally again from WatchGuard System Manager or Fireware Web UI.

If you changed the admin and status user passwords in the Add Device wizard, these passwords become the new passwords for Fireware Web UI and WatchGuard System Manager when you revert to local management.