Firebox Cloud Feature Differences
Because Firebox Cloud is optimized to protect servers in a virtual private cloud, some setup requirements, configuration options, and available features are different from other Firebox models. This section summarizes the differences between Firebox Cloud and other Fireboxes.
To add a Firebox Cloud instance to WatchGuard Cloud, the Firebox Cloud instance must have a BYOL license.
To manage Firebox Cloud from Policy Manager or a WatchGuard Management Server you must install WatchGuard System Manager v12.2 or higher.
Licensing and Services
For Firebox Cloud with a BYOL license, you must activate a license key for Firebox Cloud on the WatchGuard website, and add the feature key to your instance of Firebox Cloud. For more information, go to Deploy Firebox Cloud on AWS or Deploy Firebox Cloud on Microsoft Azure.
Most supported features and services are included with Firebox Cloud. Some security services are supported only for Firebox Cloud with a BYOL license. For information about license options and supported services, go to Firebox Cloud License Options.
Firebox Cloud supports two to eight interfaces. It supports one external interface (eth0), and up to seven private interfaces (eth1–eth7). All Firebox Cloud interfaces use DHCP to request an IP address. Because you must configure all network interface IP addresses and settings in AWS or Azure, you cannot configure the network interfaces in Fireware Web UI. The Network > Interfaces configuration page is not visible in Fireware Web UI for Firebox Cloud.
For Firebox Cloud on AWS, you assign an Elastic IP (EIP) address to the external interface. For Firebox Cloud on Azure, you can configure the external interface with a dynamic or static IP address. The internal IP addresses are assigned based on the private networks assigned to your Firebox Cloud instance in AWS or Azure.
Firebox Cloud supports one or more secondary IP addresses on the external interface in Fireware v12.1 and higher.
Default Firebox Configuration
When you launch an instance of Firebox Cloud, it automatically starts with a default configuration. For Firebox Cloud with a BYOL license, you must get a feature key to enable configuration of all features.
The Firebox Cloud Setup Wizard runs the first time you connect to Fireware Web UI. In the wizard you accept the End User License Agreement and choose new passphrases.
After you run the setup wizard, the default configuration for Firebox Cloud is different from other Firebox models in these ways:
- All interfaces use DHCP to obtain an IPv4 primary IP addresses
- Firebox Cloud allows more than one Device Administrator to connect at the same time
- You can connect to any interface for administration with Fireware Web UI
- The default policies allow management connections and pings to Firebox Cloud, but do not allow outbound traffic from private subnets through Firebox Cloud
- Licensed subscription services are not configured by default
The default WatchGuard and WatchGuard Web UI policies allow management connections from any computer on the trusted, optional, or external networks.
We strongly recommend that you do not allow management connections from the external network, and that you edit the WatchGuard and WatchGuard Web UI policies to remove the Any-External alias from the From list after you complete initial configuration.
To allow management from only a specific computer on the external network, you can add the address of that management computer to the From list in these policies.
Firebox Cloud supports most policy and security features available on other Firebox models. It supports a subset of networking features appropriate for the AWS environment. For supported features, the available configuration settings are the same as for any other Firebox. Most features and options that are not supported for Firebox Cloud do not appear in Fireware Web UI.
Networking features not supported:
- Drop-in mode and Bridge mode
- DHCP server and DHCP relay (all interfaces are DHCP clients)
- Multi-WAN (includes sticky connections and policy-based routing)
- ARP entries
- Link Aggregation
- Bridge interfaces
- DNS forwarding and conditional DNS forwarding
Policies and Security Services not supported:
- Explicit-proxy and Proxy Auto-Configuration (PAC) files
- DNSWatch (supported with a BYOL license only)
- Network Discovery
- Mobile Security
Authentication features not supported:
Firebox Cloud supports Single Sign-On (SSO) in Fireware v12.2 or higher.
System Administration features not supported:
- Logon disclaimer for device management connections
- USB drive for backup and restore
Other features not supported:
- Gateway Wireless Controller
- Mobile VPN with SSL Bridge VPN Traffic option
Features you cannot configure from Fireware Web UI:
- Change the logging settings for default packet handling options
- Edit the name of an existing policy
- Add a custom address to a policy
- Use a host name (DNS lookup) to add an IP address to a policy
- Add or edit a secondary PPPoE interface
It is possible to configure some features, such as IPv6 routes, that are not supported for Firebox Cloud. This does not enable the unsupported feature, but does no harm.