Move a Configuration to a New Firebox

Every Firebox uses an XML file to store configuration settings for recovery purposes. You can also use the XML file to configure a different Firebox. If you have a new Firebox, you can save the Firebox configuration settings from your existing Firebox to a local XML file and then save that configuration file to the new Firebox.

You cannot use a saved backup image to migrate a configuration. A backup image includes device-specific information such as the serial number, certificates, and private keys.

Before You Begin

Before you begin, review the requirements, migration methods, and additional configuration steps that might be required to fully configure the new or replacement Firebox.

  • To use Fireware Web UI to migrate the configuration, the original and new Firebox must have the same number of interfaces. If the Fireboxes have different numbers of interfaces, you must use Policy Manager to migrate the configuration.
  • The XML configuration file does not include Firebox-specific settings such as:
  • Feature key
  • Certificates (The new Firebox uses different certificates than the original Firebox)
  • Management user credentials
  • If you migrate a configuration to new Firebox model that is different than the original model, import the feature key for the new Firebox model and update the device name to help you distinguish between the two Fireboxes. If you migrate to a new Firebox model with fewer interfaces, take action to resolve issues such as the loss of a configured network or a VLAN that fails to pass traffic. If the Fireboxes have different numbers of interfaces, you must use Policy Manager to migrate the configuration. For more information, go to Migrate a Configuration to a Different Firebox Model.
  • Review the network interface configuration. For information about issues that might occur when you migrate a configuration to a Firebox model with fewer interfaces than your original Firebox, go to Verify Configured Interfaces.
  • If you use Mobile VPN with IKEv2 or Mobile VPN with SSL and the OpenVPN client, there are additional steps you must complete additional steps after the migration so that VPN clients can connect to the new Firebox. For more information, go to Additional Migration Steps.
  • For a Firebox that is a FireCluster member:
  • To migrate a FireCluster to a new model, go to Move a FireCluster Configuration to a New Device Model.
  • For information about how to configure an RMA Firebox that replaces a member of a FireCluster, go to Configure a Replacement (RMA) FireCluster Member.

Requirements

To migrate the configuration from one Firebox to another, you must have:

Save Configuration File from Original Firebox

To save the configuration file from the original Firebox, you can use Policy Manager or Fireware Web UI.

Get Feature Key for New Firebox

The feature key for the new Firebox is available for download after you activate the device in your WatchGuard account. For an RMA device, WatchGuard activates the new device. To get the feature key for the new device, you can use one of these methods:

Get JSON File for Firebox Cloud (AWS or Azure only)

For Firebox Cloud, you must also save a copy of the JSON file because it contains the interface information. Save the JSON file and the XML file in the same directory so that Policy Manager can open the configuration. For information about how to save a copy of the JSON file, go to Open the Configuration File for a Firebox Cloud Instance.

Migrate the Configuration

To migrate a saved configuration to a new device, you must save the XML configuration file from the original device on the new device. To enable the configured features and services, the new device must also have a feature key with a license for those services.

To migrate a configuration to a FireboxV or XTMv virtual device, or to Firebox Cloud, you must use Policy Manager.

You can use several methods to configure the new Firebox:

The new Firebox has a different MAC address than the original Firebox. Devices in your network that previously connected to the original Firebox might fail to communicate with the new Firebox until their old ARP entries for the Firebox IP address expire. This can take up to 60 minutes or require you to reboot the affected devices. If a device in your network has a static ARP entry configured for the Firebox IP address, you must change it on that device.

Additional Migration Steps

After you migrate the configuration to the new Firebox, you might have to make other configuration changes to the Firebox and network clients.

Migrate a Configuration to a Different Firebox Model

You must use Policy Manager if you migrate a configuration to a different Firebox model that has a different number of interfaces.

After you migrate your Firebox configuration to a new Firebox model:

  • Import the feature key for the new Firebox model.
  • Update the device name to help you distinguish between the two Fireboxes.
  • If the new Firebox model has fewer interfaces than the original Firebox, take action to resolve issues such as the loss of a configured network or a VLAN that fails to pass traffic.

Update the Firebox Model and Name

You do not have to change the new Firebox model in the Device Configuration dialog box. The model information updates automatically when you import the feature key for the new Firebox. To distinguish the new Firebox from the original Firebox, update the device name and, if necessary, the time zone of the new Firebox.

To update the new Firebox device name and time zone, from Policy Manager:

  1. Select Setup > System.
    The Device Configuration dialog box opens.
  2. In the Name text box, type a name for the new Firebox.
  3. From the Time Zone drop-down list, select your time zone.
  4. Click OK.

Verify Configured Interfaces

You must use Policy Manager if you migrate a configuration to a different Firebox model that has a different number of interfaces.

If you migrate your current Firebox configuration to a Firebox model with fewer interfaces than your original Firebox, when you save the configuration to the new Firebox, the process removes any network interfaces that are not physically available on the new Firebox. This includes the removal of wireless interfaces when you migrate a configuration from a wireless model to a non-wireless model.

These issues might occur when the process removes interfaces. To correct these issues, configure the feature to use an available interface.

  • You might lose a configured network that used a removed interface.
  • You might lose a BOVPN gateway that uses an IP address associated with a removed interface.
  • You might have issues with Mobile VPN, SD-WAN, multi-WAN, or a FireCluster that used a removed interface.
  • You might lose a configured network that used a removed wireless interface.
  • If you migrate your configuration to a Firebox with fewer interfaces than the original device, configured VLANs fail to pass traffic. When this occurs, the Firebox System Manager Status Report tab shows the interfaces as down. To correct this issue, change the interfaces for each configured VLAN. For more information about VLAN settings, go to Define a New VLAN.
  • When you migrate a configuration to a Firebox that supports an interface module, you might see a Policy Manager dialog box that suggests that your new Firebox has more interfaces than it physically has. This is because the count also includes the interfaces on the optional interface module.

Related Topics

About Policy Manager

Administer the Firebox from Policy Manager

About Feature Keys