Move a Configuration to a New Firebox

Every Firebox uses an XML file to store configuration settings. You can save the Firebox configuration to a local XML file and then use that file to configure a different Firebox. For more information about the configuration file, see Administer the Firebox from Policy Manager.

You cannot use a saved backup image to migrate a configuration. A backup image includes device-specific information such as the serial number, certificates, and private keys.

Before you begin, review the requirements, migration methods, and additional configuration steps that might be required to fully configure the new or replacement Firebox.

The XML configuration file does not include Firebox-specific settings, such as the feature key, certificates, and management user credentials. By default, the new Firebox uses different certificates than the original Firebox.

If you use Mobile VPN with IKEv2 or Mobile VPN with SSL and the OpenVPN client, you must complete additional steps after the migration before VPN clients can connect to the new Firebox. For more information, see Additional Migration Steps.

For a Firebox that is a FireCluster member:

Requirements

To migrate the configuration from one Firebox to another, you must have:

  • A saved copy of the XML configuration file from the original Firebox
  • The feature key for the new Firebox
  • JSON file (for Firebox Cloud only)

To save the configuration file from the original Firebox, you can use Policy Manager or Fireware Web UI.

The feature key for the new Firebox is available for download after you activate the device in your WatchGuard account. For an RMA device, WatchGuard activates the new device. To get the feature key for the new device, you can use one of these methods:

For Firebox Cloud, you must also save a copy of the JSON file because it contains the interface information. Save the JSON file and the XML file in the same directory so that Policy Manager can open the configuration. For information about how to save a copy of the JSON file, see Open the Configuration File for a Firebox Cloud Instance.

Migrate the Configuration

To migrate a saved configuration to a new device, you must save the XML configuration file from the original device on the new device. To enable the configured features and services, the new device must also have a feature key with a license for those services.

To migrate a configuration to a FireboxV or XTMv virtual device, or to Firebox Cloud, you must use Policy Manager.

You can use several methods to configure the new Firebox:

The new Firebox has a different MAC address than the original Firebox. Devices in your network that previously connected to the original Firebox might fail to communicate with the new Firebox until their old ARP entries for the Firebox IP address expire. This can take up to 60 minutes or require you to reboot the affected devices. If a device in your network has a static ARP entry configured for the Firebox IP address, you must change it on that device.
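The stale-ARP caveat above is easy to check rather than wait out. The following script is an added example and is not part of the WatchGuard documentation: it parses neighbor-table text in the format printed by `ip neigh show` on a Linux client, reports whether the entry cached for the Firebox IP is `ok`, `stale` (old MAC still cached), `static` (a PERMANENT entry that must be changed by hand, as the text notes) or `missing`. The IP address and both MAC addresses are constructed placeholders; the real values are the Firebox interface IP and the MAC of the new unit.

```shell
#!/bin/sh
# Added example (not WatchGuard code): detect a stale or static ARP entry for
# the Firebox IP on a Linux client after the Firebox hardware was replaced.

# Print "<mac> <state>" for the neighbor-table line whose first field is $1.
# Input format assumed: "<ip> dev <if> lladdr <mac> <STATE>" (ip neigh show).
# Entries without an lladdr (e.g. FAILED) get the placeholder MAC "none".
entry_for() {
    awk -v target="$1" '$1 == target {
        mac = "none"
        for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = $(i + 1)
        print mac, $NF
        exit
    }'
}

# arp_entry_status <firebox-ip> <expected-mac> <neighbor-table-text>
# Echoes one of: ok | stale | static | missing
arp_entry_status() {
    ip="$1"; expected="$2"; table="$3"
    # Re-use the positional parameters to split "<mac> <state>" from entry_for.
    set -- $(printf '%s\n' "$table" | entry_for "$ip")
    cached="$1"; state="$2"
    if [ -z "$cached" ]; then
        echo missing
        return
    fi
    cached_lc=$(printf '%s' "$cached" | tr 'A-Z' 'a-z')
    expected_lc=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$cached_lc" = "$expected_lc" ]; then
        echo ok
    elif [ "$state" = "PERMANENT" ]; then
        echo static      # hand-configured entry: expiry will never fix it
    else
        echo stale       # dynamic entry still pointing at the old Firebox MAC
    fi
}

# Constructed sample tables (placeholder addresses, not real device output).
FIREBOX_IP=10.0.1.1
OLD_FIREBOX_MAC=02:00:00:00:00:01     # MAC of the replaced unit (constructed)
NEW_FIREBOX_MAC=02:00:00:00:00:02     # MAC of the new unit (constructed)

SAMPLE_TABLE="$FIREBOX_IP dev eth0 lladdr $OLD_FIREBOX_MAC STALE
10.0.1.20 dev eth0 lladdr 02:00:00:00:00:20 REACHABLE"

STATIC_TABLE="$FIREBOX_IP dev eth0 lladdr $OLD_FIREBOX_MAC PERMANENT"

main() {
    echo "dynamic entry: $(arp_entry_status "$FIREBOX_IP" "$NEW_FIREBOX_MAC" "$SAMPLE_TABLE")"
    echo "static entry:  $(arp_entry_status "$FIREBOX_IP" "$NEW_FIREBOX_MAC" "$STATIC_TABLE")"
    # On a live Linux host, feed the real table instead:
    #   arp_entry_status "$FIREBOX_IP" "$NEW_FIREBOX_MAC" "$(ip neigh show)"
    # and clear a stale dynamic entry (as root) with:
    #   ip neigh flush to "$FIREBOX_IP"
}
main
```

A `static` result means the entry will not age out in the 60-minute window the text describes; it has to be replaced on that host with the new MAC, and the same applies to any static ARP entry on switches or other network devices.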

Additional Migration Steps

After you migrate the configuration to the new Firebox, you might have to make other configuration changes to the Firebox and network clients.

Certificates

By default, all certificates are different on the new Firebox. If you use the default certificates, network clients do not automatically trust the certificate on the new Firebox.

If the original Firebox used a third-party certificate, and you want to use the third-party certificate on the new Firebox:

  1. On the new Firebox, select the default certificate option in the settings for Firebox features that use a third-party certificate. You must complete this step before you can save the configuration on the new Firebox. For example, you might use a third-party certificate for inbound HTTPS content inspection, BOVPN, Mobile VPN with IKEv2, and Mobile VPN with L2TP.
  2. After you save the configuration on the new Firebox, import the third-party certificate after you migrate the configuration. For information about how to import a certificate, see Manage Device Certificates (Web UI), and Manage Device Certificates (WSM).
  3. Apply the certificate to features as required. For example, if you used the third-party certificate for inbound HTTPS content inspection on the old Firebox, you can select to use the imported third-party certificate for HTTPS content inspection on your new Firebox. You might also need to do this in the BOVPN, IKEv2 mobile VPN, and L2TP mobile VPN configurations.

For general information about how the Firebox uses certificates, see About Certificates.

Mobile VPN with IKEv2

If you use Mobile VPN with IKEv2, and you use the default Firebox IKEv2 certificate, you must do one of the following:

  • Distribute an updated VPN client profile to all VPN client devices, which will distribute the new default Firebox IKEv2 certificate to clients. For more information, see Configure Client Devices for Mobile VPN with IKEv2.
  • Distribute only the new default Firebox IKEv2 certificate to all VPN client devices (if you do not want to distribute an updated VPN profile to clients).

If the original Firebox used a third-party certificate and you update the new Firebox to use the same third-party certificate, it is not necessary to distribute an updated VPN client profile. The existing VPN clients can connect after you update the new Firebox to use the third-party certificate.

Mobile VPN with SSL

The first time the WatchGuard Mobile VPN with SSL client connects to the new Firebox, users must respond to a prompt to trust the certificate.

For devices that use the OpenVPN client to connect with Mobile VPN with SSL, users must import a new VPN client profile and delete the old VPN client profile. For more information, see Use Mobile VPN with SSL with an OpenVPN Client.

See Also

About Policy Manager

Administer the Firebox from Policy Manager

About Feature Keys