
Deploy Firebox Cloud on Microsoft Azure

Before you can create a Firebox Cloud virtual machine, you must create a Microsoft Azure account. When you set up your account, you specify billing information and the credentials you use to connect to the Microsoft Azure portal. Firebox Cloud requires a storage account. You can create a storage account before you deploy Firebox Cloud, or you can create one as part of the deployment.

Identify your Firebox Cloud Software Plan and License Type

When you create a Firebox Cloud VM in Azure, you select one of these two software plans.

Firebox Cloud (BYOL)

With the Bring Your Own License (BYOL) software plan, you purchase a Firebox Cloud license for a specified size: Small, Medium, Large, or Extra Large. The Firebox Cloud license defines the maximum number of Azure CPU cores that the Firebox Cloud VM can use.

When you create a Firebox Cloud (BYOL) VM, you select a License Type. To deploy your VM with appropriate resources, select the License Type that matches your Firebox Cloud license size.

Firebox Cloud (PAYG)

With the Pay As You Go (PAYG) software plan, you do not purchase a Firebox Cloud license. The PAYG option includes a 30-day free trial.

For more information about license options and trials, see Firebox Cloud License Options.

Create a Key Pair for SSH Authentication

Before you create a Firebox Cloud instance, you must generate an SSH-2 RSA public key / private key pair. You can use a tool such as puttygen, or the ssh-keygen command in Linux, to generate the key pair.

  • Use the public key when you deploy your Firebox Cloud instance.
  • Use the private key for ssh connections to the Fireware command line interface (CLI) for your Firebox Cloud instance.

To use the puttygen utility to generate an SSH-2 RSA key pair:

  1. Download and install the PuTTYgen utility available from www.putty.org.
  2. Start PuTTYgen.
  3. Click Generate.
  4. Move the mouse over the blank area to generate some randomness.
    PuTTYgen uses the mouse movements as input to generate the key pair.

Screen shot of the PuTTY Key Generator

  5. To save the generated public key to a file, click Save public key.
  6. (Optional) Specify a passphrase to protect the private key file.
  7. To save the generated private key to a file, click Save private key.

Deploy Firebox Cloud

To create the Firebox Cloud instance:

  1. Log on to the Azure portal with your Microsoft Azure account credentials.
  2. Click Create a Resource.
    The Azure Marketplace appears.
  3. In the Search text box, type Firebox Cloud.
  4. Select WatchGuard Firebox Cloud.
    The WatchGuard Firebox Cloud license options appear.
    Screen shot of the WatchGuard Firebox Cloud software plan selection page
  5. From the Select a software plan drop-down list, select WatchGuard Firebox Cloud (BYOL) or WatchGuard Firebox Cloud (PAYG).
  6. Click Create.
    The VM configuration steps appear.

Screen shot of the Firebox Cloud template steps in Microsoft Azure

  7. In the Basics step, specify basic information about your virtual machine.

Firebox Cloud VM Name

The name for the Firebox Cloud virtual machine in the Azure portal.

Subscription

The name of the Azure subscription where the virtual machine and resources are stored. This is the account that Microsoft bills for VM use and storage.

Resource group

A resource group is a collection of resources that share the same lifecycle, permissions, and policies. All objects, such as networks and interfaces, and data for the Firebox Cloud instance will be associated with the resource group you specify.

Microsoft Azure does not support deployment of a managed application to a resource group with existing resources. You must create a new resource group or use an empty resource group.

Location

The Azure region for this Firebox Cloud instance.

  8. In the VM Size and Key Data step, specify virtual machine configuration details.

Firebox Cloud License Type and VM Size — for Firebox Cloud (BYOL)

For a BYOL license, select the Firebox Cloud License Type. This is the Firebox Cloud license you purchased from WatchGuard or a WatchGuard reseller. Select Small, Medium, Large or Extra Large. After you select the License Type, an appropriate VM size is selected by default. To select a different size, click Change size.

Azure VM Tier and VM Size — for Firebox Cloud (PAYG)

For a PAYG license, select the Azure VM tier for the virtual machine. Select Free Tier Eligible or Standard. After you select the VM tier, an appropriate VM size is selected by default. To select a different size, click Change size.

SSH public key

The public key for this Firebox. You can use a tool such as puttygen, or the ssh-keygen command in Linux, to generate the key pair. You must use the private key associated with this public key to connect to the Firebox Cloud CLI.

Storage account

The name of the storage account to store boot diagnostic log files. The storage account you select must not be in another resource group in your subscription. Boot diagnostic log files contain information that can help WatchGuard support troubleshoot issues.

  9. In the Network step, specify required network configuration information.

Virtual network

The virtual network to use for this Firebox Cloud. By default, a new available address space with a /16 netmask is selected. You can use the default virtual network, edit the default virtual network, or choose another existing virtual network.

Subnets

Review and configure the subnets to use for the External (Public) and Trusted (Private) networks.

Public IP address

Select or create a public IP address to use for your Firebox Cloud external interface. For a new public IP address, specify a name, and select the SKU type (Basic or Standard). If you select a Basic SKU type, select the IP address assignment type, Dynamic or Static.

Inbound connections to a public IP address with the Standard SKU type fail until you create and associate a network security group and explicitly allow the desired inbound traffic. For more information, see the article IP address types and allocation methods in Azure in the Microsoft Azure documentation.

Domain name label

Specify the DNS label for the Firebox Cloud public IP address. It must be all lowercase letters and numbers.

  10. In the Summary step, review the information, and correct any errors.
  11. In the Buy step, review the terms and conditions and click Create.
    The deployment starts.

After the deployment is completed, you can go to the resource group or pin the VM to the Microsoft Azure dashboard.
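
The Standard SKU note in the Network step says inbound connections fail until a network security group is created, associated, and allows the traffic. One way to do that for the Fireware Web UI port (8080) with the Azure CLI, as an added example that is not part of WatchGuard's documentation: the resource group, NSG and NIC names, the rule name, priority 100 and the admin source address are all assumptions you replace with your own values.

```shell
#!/usr/bin/env bash
# Added example: allow Fireware Web UI (TCP 8080) only from one admin source.
# Every resource name passed to these functions is a placeholder (assumption).

# Reject sources that would expose the management port to any address.
is_restricted_source() {
  case "$1" in
    ''|'*'|Internet|Any|*/0) return 1 ;;
  esac
  # Accept only the shape of an IPv4 address or CIDR, e.g. 203.0.113.10/32.
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Usage: allow_mgmt_from <resource-group> <nsg-name> <nic-name> <admin-source>
allow_mgmt_from() {
  rg=$1 nsg=$2 nic=$3 src=$4
  if ! is_restricted_source "$src"; then
    echo "refusing to open TCP 8080 to '$src'" >&2
    return 2
  fi
  # Create the NSG, add one inbound allow rule, then associate it with the
  # NIC of the Firebox Cloud external interface.
  az network nsg create --resource-group "$rg" --name "$nsg" &&
  az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
      --name allow-fireware-webui --priority 100 \
      --direction Inbound --access Allow --protocol Tcp \
      --source-address-prefixes "$src" --destination-port-ranges 8080 &&
  az network nic update --resource-group "$rg" --name "$nic" \
      --network-security-group "$nsg"
}
```

For example, `allow_mgmt_from my-firebox-rg firebox-nsg firebox-eth0-nic 203.0.113.10/32` permits the Web UI only from that single documentation-range address.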

Find the Instance ID (VM ID)

After you deploy your Firebox Cloud instance, you must find the Instance ID, also known as the VM ID. You will need this to activate your license, and to log in to the Fireware Web UI to run the Firebox Cloud Setup Wizard. You can find the instance ID in the name of the storage container for boot diagnostic logs.

To find the Firebox Cloud Instance ID:

  1. In the Azure left navigation menu, select Storage accounts.
  2. Click the name of the storage account associated with your Firebox Cloud instance.
  3. In the Blob Service list, select Containers.
  4. Find the boot diagnostic container. The name of the boot diagnostic container is in the format:
    <bootdiagnostics>-<vmname>-<vmid>
    For example:
    bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d
  5. Copy the VMID at the end of the container name.

You must have this instance ID to activate your Firebox Cloud license and to run the Firebox Cloud Setup Wizard.
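
The Instance ID is also the initial admin passphrase in the Setup Wizard, so it has to be copied exactly. The following added example (not from WatchGuard's documentation) extracts it from a container name in the format shown above, including when the VM name itself contains hyphens; the container names in the comments and the helper names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pull the VM ID out of a boot diagnostic container name.

# Print the VM ID from one container name, or return 1 if the name does not
# match bootdiagnostics-<vmname>-<vmid>.
vmid_from_container() {
  name=$1
  # The VM name may contain hyphens, so anchor on the end of the string:
  # the VM ID is five hyphen-separated hex groups of 8-4-4-4-12 characters.
  id=$(printf '%s\n' "$name" | sed -nE \
    's/^bootdiagnostics-.+-([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$/\1/p')
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Read container names on stdin (one per line) and print
# "<container><TAB><vmid>" for each boot diagnostic container found.
# A listing can come from the portal or from, for example:
#   az storage container list --account-name <account> --query "[].name" -o tsv
list_vmids() {
  while IFS= read -r c; do
    if id=$(vmid_from_container "$c"); then
      printf '%s\t%s\n' "$c" "$id"
    fi
  done
}

# Constructed sample:
#   vmid_from_container bootdiagnostics-fb-east-1-aaaaaaaa-bbbb-cccc-dddd-0123456789ab
```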

Activate your Firebox Cloud License

For Firebox Cloud with a BYOL license, you must activate the Firebox Cloud serial number in the WatchGuard portal. Before you can activate Firebox Cloud, you must have the Firebox Cloud serial number you received from WatchGuard and you must know the Firebox Cloud Instance ID.

To activate your Firebox Cloud license:

  1. Go to www.watchguard.com.
  2. Click Support.
  3. Click Activate Products.
  4. Log in to your WatchGuard Customer or Partner portal account. If you do not have an account, you can create one.
  5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Product.
  6. When prompted, provide your Firebox Cloud serial number and Instance ID.
  7. When activation is complete, copy the feature key and save it to a local file.

Run the Firebox Cloud Setup Wizard

After you deploy Firebox Cloud, you can connect to Fireware Web UI through the public IP address to run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for Firebox Cloud.

To run the Firebox Cloud Setup Wizard:

  1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
    https://<eth0_public_IP>:8080
  2. Log in with the default Administrator account user name and passphrase:
    • User name — admin
    • Passphrase — The Firebox Cloud Instance ID

    The Firebox Cloud Setup Wizard welcome page appears.

  3. Click Next.
    The setup wizard starts.
  4. Review and accept the End-User License Agreement. Click Next.

Screen shot of the Create passphrases step in the Web Setup Wizard

  5. Specify new passphrases for the built-in status and admin user accounts.
  6. Click Next.
    The configuration is saved to Firebox Cloud and the wizard is complete.

Connect to Fireware Web UI

To connect to Fireware Web UI and administer Firebox Cloud:

  1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:
    https://<eth0_public_IP>:8080
  2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox Cloud Setup Wizard.

By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at the same time. To prevent changes by more than one administrator at the same time, the configuration is locked by default. To unlock the configuration so you can make changes, click the Locked icon.

If you prefer to allow only one Device Administrator to log in at the same time, select System > Global Settings and clear the Enable more than one Device Administrator to log in at the same time check box.

Microsoft Azure automatically terminates your management connection to Firebox Cloud after 30 minutes of inactivity. To avoid unexpected disconnection of your management session, do not set the Management Session Idle Timeout in the Fireware Authentication > Settings page to a value higher than 30 minutes.

Add the Feature Key

If you have received or downloaded the Firebox Cloud feature key to a local file, in the Feature Key Wizard select Yes I have a local copy of the feature key and paste the feature key into the wizard.

If you activated a Firebox Cloud license in the WatchGuard portal, your feature key is available directly from WatchGuard. You must add this feature key to the Firebox Cloud configuration to enable all functionality and configuration options on Firebox Cloud.

After you add the feature key, Firebox Cloud automatically reboots with a new serial number.

To add the feature key, from Fireware Web UI:

  1. Select System > Feature Key.
    The Feature Key Wizard page appears.

Screen shot of the Feature Key Wizard welcome page

  2. To unlock the configuration file, click the Locked icon.
  3. To download and install the feature key, click Next.
  4. On the Summary page, verify that your feature key was successfully installed.
    When your feature key has been installed, Feature Key Retrieval Success appears on the Summary page.

Screen shot of the Feature Key wizard Summary page

  5. Click Next.
    The wizard completes and Firebox Cloud reboots with a new serial number.

Next Steps

After you run the setup wizard and add the feature key you can use Fireware Web UI or Policy Manager to configure the settings for Firebox Cloud.

Enable Feature Key Synchronization

Enable Firebox Cloud to automatically check for feature key updates when services are about to expire.

To enable feature key synchronization, in Fireware Web UI:

  1. Select System > Feature Key.
  2. Select the Enable automatic feature key synchronization check box.
  3. Click Save.

To enable feature key synchronization, in Policy Manager:

  1. Connect to Firebox Cloud in WatchGuard System Manager.
  2. Open Policy Manager.
  3. Select System > Feature Keys.
  4. Select the Enable automatic feature key synchronization check box.
  5. Click Save.

Configure Firebox Cloud to Send Feedback to WatchGuard

To enable Firebox Cloud to send feedback, in Fireware Web UI:

  1. Select System > Global Settings.
  2. Select the Send device feedback to WatchGuard check box.
  3. Select the Send Fault Reports to WatchGuard daily check box.

To enable Firebox Cloud to send feedback, in Policy Manager:

  1. Connect to Firebox Cloud in WatchGuard System Manager.
  2. Open Policy Manager.
  3. Select Setup > Global Settings.
  4. Select the Send device feedback to WatchGuard check box.
  5. Select the Send Fault Reports to WatchGuard daily check box.

Configure Firewall Policies and Services

Configure policies and services as you would for any other Firebox.

Firebox Cloud does not support every Fireware feature. For a summary of the differences between Firebox Cloud and other Firebox models, see Firebox Cloud Feature Differences.
