Move a Configuration to a New Firebox

If you can connect to the original Firebox, use Policy Manager to save the current device configuration to a local XML file. For more information, go to Save the Configuration File.

If the original Firebox is unavailable or inoperable, look for the latest configuration file saved on your management computer. By default, Policy Manager saves configuration files in the Documents\My WatchGuard\configs directory.

If you can connect to the original device with Fireware Web UI, you can manually save the current configuration to an XML file. For more information, go to Manage the Firebox Configuration File.

To download the configuration file, from Fireware Web UI:

1. Select System > Configuration File.
2. Click Download the Configuration File.

A Firebox that starts with factory-default settings automatically connects to WatchGuard to download its feature key. If you need to reset a Firebox to factory-default settings, go to Reset a Firebox for instructions.

To download the feature key to the new Firebox:

1. Connect the Firebox interface 0 to a network with Internet access and DHCP.
2. Start the Firebox with factory-default settings.
   

The Firebox connects to WatchGuard to download the feature key. If the download fails, the Firebox automatically continues to try to download the feature key if the Firebox has an active Internet connection.

You can manually download the feature key from the WatchGuard account where you activated the Firebox. You must use this method to get the feature key for FireboxV virtual devices. It can be useful to manually download the feature key for any Firebox model if the Firebox is unable to connect to automatically download the feature key. For more information, go to About the Product Details Page.

To get the feature key for your device:

1. Open a web browser and go to https://myproducts.watchguard.com/manage-products.
2. Log in to your WatchGuard account.
   
3. On the Manage Products page, in the Network Security section, click View Products.
4. Select a friendly name to open details for that device or product.

5. Click Get Feature Key.
   
6. Click Copy.
7. Save the feature key to a local text file.

To use this method, you must have WatchGuard System Manager (WSM) installed on a Windows management computer. In WSM, you use Policy Manager to update the configuration file from the original Firebox, and save it to the new Firebox. For more information, see the Firebox Migration with WSM video tutorial (7 minutes).

To connect to the new Firebox:

1. Connect interface 0 to a network with a DHCP Server and Internet access.
2. Power on the Firebox with factory-default settings.
3. Connect your management computer to interface 1.
   If the Firebox can connect to the Internet through interface 0, it automatically connects to WatchGuard to download its feature key.

Next, use Policy Manager to open and update the configuration file from the original device with the new feature key and device details.

• When you use Policy Manager to migrate a configuration to a new Firebox model that is different than the original model, you must import the feature key for the new Firebox model into the configuration and we recommend you review the device name, location, and time zone before you save the configuration to the new Firebox.
• If the original and new Fireboxes run different Fireware versions, make sure you review and update the OS Compatibility setting in the configuration file to the OS version that the new Firebox uses if required.

To open and edit the configuration file, in Policy Manager:

1. Open Policy Manager.
2. Select File > Open > Configuration File.
3. Select the XML configuration file you saved from the original Firebox.
4. Click Open.
5. To update the feature key, select Setup > Feature Keys.
   The Firebox Feature Key dialog box opens.
6. Click Remove to remove the current feature key of the original Firebox.
7. To download the feature key from the new Firebox, click Download.
   The Get Firebox Feature Keys dialog box opens.

• In the IP Address or Name text box, type the IP address of Firebox interface 1. For a Firebox with factory-default settings, the IP address is 10.0.1.1.
• In the Passphrase text box, type the passphrase for the status user account. For a Firebox with factory-default settings, the passphrase is readonly.

Click OK.

Policy Manager connects to the new Firebox and downloads the feature key. This is the feature key that the new Firebox downloaded when it started with factory-default settings. In the Firebox Feature Keys dialog box, the Summary and Features sections show information from the feature key.

If you cannot connect to the new Firebox to get the feature key, or if the device does not have a feature key, you can manually add the feature key you downloaded from the Product Details page in your WatchGuard account.

To manually update the feature key:

1. Click Import.
2. Paste the feature key text or click Browse and select the text file you saved it to.
3. Click OK.
8. After you download or manually update the feature key, click OK.
   Policy Manager updates the Firebox model in the device configuration to match the model in the feature key.
9. To verify or update the device name and time zone:
   1. Select Setup > System.
      The Device Configuration dialog box opens.
      

   The Firebox Model information matches the model in the feature key of the new Firebox. The name is still the same as the original Firebox.

   2. Update the Name for the new Firebox, and update the Location, Contact, and Time zone, as required.

   

   3. Click OK.
10. Select Network > Configuration and review the network interface configuration.

If you migrate a configuration to a new Firebox model with a different number or different types of network interfaces, make sure you verify your network configuration before you save the configuration to the new Firebox.

If you migrate your current Firebox configuration to a Firebox model with fewer interfaces than your original Firebox, when you save the configuration to the new Firebox, the process removes any network interfaces that are not physically available on the new Firebox. This includes the removal of wireless interfaces when you migrate a configuration from a wireless model to a non-wireless model.

These issues might occur when the process removes interfaces. To correct these issues, configure the feature to use an available interface.

• You might lose a configured network that used a removed interface.
• You might lose a BOVPN gateway that uses an IP address associated with a removed interface.
• You might have issues with Mobile VPN, SD-WAN, Multi-WAN, or a FireCluster that used a removed interface.
• You might lose a configured network that used a removed wireless interface.
• If you migrate your configuration to a Firebox with fewer interfaces than the original device, configured VLANs fail to pass traffic. When this occurs, the Firebox System Manager Status Report tab shows the interfaces as down. To correct this issue, change the interfaces for each configured VLAN. For more information about VLAN settings, go to Define a New VLAN.
• When you migrate a configuration to a Firebox that supports an interface module, you might see a Policy Manager dialog box that suggests that your new Firebox has more interfaces than it physically has. This is because the count also includes the interfaces on the optional interface module.

11. If the new Firebox runs a different version of Fireware, select Setup > OS Compatibility and from the For Fireware version drop-down list, select the Fireware version that the new Firebox uses. For more information, go to OS Compatibility.
    
12. If you use third-party certificates, go to Additional Migration Steps.
13. To save the configuration to the new Firebox:
    1. Select File > Save > To Firebox.
    2. In the IP Address or Name text box, type the IP address of Firebox interface 1. For a Firebox with factory-default settings, the IP address is 10.0.1.1.
    3. In the Administrator Passphrase text box, type the passphrase for the admin user account. For a Firebox with factory-default settings, the passphrase is readwrite.
    4. Click OK.
    5. If Policy Manager asks you whether to continue with the save, click Yes.

After you save the configuration to the Firebox, edit the administrative user accounts to change the passphrases to more secure settings. For more information, go to Manage Users and Roles on Your Locally-Managed Firebox.

If your new Firebox has removable interface modules, the number of configurable interfaces that appear in Policy Manager depends on the interface modules installed on the Firebox. After you save the configuration to the new Firebox, you must open the configuration file from the new Firebox to update the interface list.

You can use Fireware Web UI to connect to your new Firebox from a management computer and migrate the XML configuration file. For more information, see the Firebox Migration with Web UI video tutorial (4 minutes).

To use Fireware Web UI to migrate the configuration, the original and new Firebox must have the same number of interfaces. If the Fireboxes have different numbers of interfaces, follow the steps to use Policy Manager to migrate the configuration.

To prepare the new Firebox:

1. Connect to the new Firebox with the Web Setup Wizard to configure the device with a new, temporary basic configuration. For more information, go to Run the Web Setup Wizard.
2. We recommend you upgrade the Firebox to the latest Fireware version. In Fireware Web UI, select System > Upgrade OS. For more information, go to Upgrade Fireware or WatchGuard System Manager.

To migrate the configuration to the new Firebox, from Firebox Web UI:

1. Select System > Configuration File.
   The Configuration File page opens.

2. Click Choose File or Browse and select the configuration file to upload.
   The button name depends on the browser you use.
   
3. Click Restore.
   The Firebox configuration is updated to the settings from the configuration file.

For more information, go to Manage the Firebox Configuration File.

After you save a configuration file that changes the IP address of the Firebox interface that your computer is connected to, before you can connect to the Firebox, you must make sure your computer has an IP address on the same network as the updated interface IP address.

By default, all certificates are different on the new Firebox. If you use the default certificates, network clients do not automatically trust the certificate on the new Firebox.

If the original Firebox used a third-party certificate, and you want to use the third-party certificate on the new Firebox:

1. On the new Firebox, select the default certificate option in the settings for Firebox features that use a third-party certificate. You must complete this step before you can save the configuration on the new Firebox. For example, you might use a third-party certificate for inbound HTTPS content inspection, BOVPN, Mobile VPN with IKEv2, and Mobile VPN with L2TP.

• To configure HTTPS content inspection certificates, go to Use Certificates with Outbound HTTPS Proxy Content Inspection.
• To configure BOVPN certificates, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
• To configure Mobile VPN with IKEv2 certificates, go to Edit the Mobile VPN with IKEv2 Configuration.
• To configure Mobile VPN with L2TP certificates, go to Certificates for Mobile VPN with L2TP Tunnel Authentication.
• If you use the Firebox web server certificate:
  1. In Fireware v12.2.1 or higher, select Setup > Certificates and then select the Firebox Web Server Certificate tab.
     In Fireware v12.2 or lower, select Setup > Authentication > Web Server Certificate.
  2. Make sure that Default certificate signed by the Firebox is selected.
  3. If you have a third-party certificate, the option Third party certificate is selected. You must select Default certificate signed by the Firebox instead.

2. After you save the configuration on the new Firebox, import the third-party certificate after you migrate the configuration. For information about how to import a certificate, go to Manage Device Certificates (Web UI), and Manage Device Certificates (WSM).
3. Apply the certificate to features as required. For example, if you used the third-party certificate for inbound HTTPS content inspection on the old Firebox, you can select to use the imported third-party certificate for HTTPS content inspection on your new Firebox. You might also have to do this in the BOVPN, IKEv2 mobile VPN, and L2TP mobile VPN configurations.

For general information about how the Firebox uses certificates, go to About Certificates.

If you use Mobile VPN with IKEv2, and you use the default Firebox IKEv2 certificate, you must do one of the following:

• Distribute an updated VPN client profile to all VPN client devices, which will distribute the new default Firebox IKEv2 certificate to clients. For more information, go to Configure Client Devices for Mobile VPN with IKEv2.
• Distribute only the new default Firebox IKEv2 certificate to all VPN client devices (if you do not want to distribute an updated VPN profile to clients).

If the original Firebox used a third-party certificate and you update the new Firebox to use the same third-party certificate, it is not necessary to distribute an updated VPN client profile. The existing VPN clients can connect after you update the new Firebox to use the third-party certificate.

The first time the WatchGuard Mobile VPN with SSL client connects to the new Firebox, users must respond to a prompt to trust the certificate.

For devices that use the OpenVPN client to connect with Mobile VPN with SSL, users must import a new VPN client profile and delete the old VPN client profile. For more information, go to Use Mobile VPN with SSL with an OpenVPN Client.

When you move an existing Firebox configuration to a new Firebox, the existing Firebox resource in AuthPoint is no longer associated with the new Firebox and you must delete the resource. To continue to use the AuthPoint authentication server on the new Firebox, you must add the device to WatchGuard Cloud again and add a new Firebox resource for the device in AuthPoint.

To replace a Firebox that you have already added to AuthPoint as a Firebox resource:

1. Add the new Firebox to WatchGuard Cloud.
2. Add the device as a new Firebox resource in AuthPoint.
3. Add the new Firebox resource to your AuthPoint authentication policies, and remove the old Firebox resource from those policies. For more information, go to About AuthPoint Authentication Policies.
4. Delete the Firebox resource associated with the old Firebox from your AuthPoint account.