Deploy FireboxV or XTMv on VMware ESXi
This installation procedure describes how to deploy and configure a FireboxV or XTMv virtual machine on a VMware vSphere ESXi host.
- For FireboxV, you must have a VMware vSphere Hypervisor ESXi 5.5, 6.0, or 6.5 host installed on a server that supports your ESXi version.
- For XTMv, you must have a VMware vSphere Hypervisor ESXi 5.0, 5.1, 5.5, or 6.0 host installed on a server that supports your ESXi version.
- Your VMware vSphere/ESXi software must be updated to the latest patch level.
- If you use a version of VMware that supports the Windows vSphere Client, you must install the Windows vSphere Client on a supported Windows computer.
Hardware and System Resources
- The hardware requirements for FireboxV and XTMv are the same as the hardware requirements for VMware ESXi.
For information about VMware hardware compatibility, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility/search.php.
- Each FireboxV or XTMv virtual machine requires 5 GB of disk space.
- Other system resources vary by FireboxV model.

| FireboxV Model | Memory | Maximum vCPUs |
|---|---|---|
| Extra Large | 4096 MB | 16 |
4096 MB memory is required to enable Intelligent AV.
| XTMv Model | Memory | Recommended vCPUs |
|---|---|---|
| Small Office Edition | 2048 MB | 1 |
| Medium Office Edition | 4096 MB | 2 |
| Large Office Edition | 4096 MB | 3 |
| Datacenter Edition | 4096 MB | 8 |
Some WatchGuard customers have successfully used vMotion to migrate an XTMv virtual machine between ESXi hosts while the XTMv virtual machine is powered on and passing traffic. However we recommend that you power down the FireboxV or XTMv virtual machine, if possible, before you migrate it between ESXi hosts.
FireboxV or XTMv Installation Requirements
To prepare for your installation, make sure you have:
- FireboxV or XTMv device serial number
You receive the serial number when you purchase the FireboxV or XTMv virtual device.
- WatchGuard FireboxV or XTMv Open Virtual Machine Format (.ovf) file
The file name is Fireboxv_<version>.ovf or xtmv_<version>.ovf, where <version> is the Fireware version.
- WatchGuard System Manager (optional)
The WSM version must be the same version or higher than the Fireware version
Download the FireboxV or XTMv .ova template file for VMware and the WatchGuard System Manager software (optional) from the Software Downloads page on the WatchGuard website.
To complete initial installation:
- In the VMware vSphere Client, deploy the FireboxV or XTMv virtual appliance to the ESXi host and power on the FireboxV or XTMv virtual machine.
- Connect to the FireboxV or XTMv virtual machine and run the Web Setup Wizard to set up a basic configuration.
- Allocate additional resources to the FireboxV or XTMv virtual machine.
This guide describes how to run the Web Setup Wizard to create your initial configuration for a FireboxV virtual machine. If you have installed WatchGuard System Manager on a computer on the FireboxV or XTMv trusted network, instead of the Web Setup Wizard, you can run the Quick Setup Wizard in WatchGuard System Manager to discover the virtual machine and set up the basic configuration.
To activate your Firebox in the Web Setup Wizard, you must have the Firebox serial number. You cannot use a serial number that ends with 000000000, which is the serial number for an unactivated device.
When you create a FireboxV or XTMv virtual appliance, it is initially configured with two active interfaces.
The external interface, Interface 0, is set up by default to request an IP address from a DHCP server. To connect to this interface for the initial device configuration, you must map this interface to a destination network that has a DHCP server.
The trusted interface, Interface 1, has a default IP address of 10.0.1.1.
When you create the FireboxV or XTMv virtual machine in the ESXi environment, before you run the Fireware Web Setup Wizard, you must map each of these interfaces to a destination network.
For the best network performance and stability, we recommend that you choose a vmxnet3 virtual network adapter for each Firebox interface. Do not use an e1000 virtual network adapter.
After you create the FireboxV or XTMv virtual machine, you can enable and configure additional network interfaces. For additional interfaces to operate, you must configure the FireboxV or XTMv virtual machine in the vSphere Web Client to add the number of network adapters you want to enable in the FireboxV device configuration.
You must configure the ESXi MAC addresses in increasing order by the ESXi interface number. This ensures that the Firebox interfaces correspond to the ESXi interfaces as follows:
| FireboxV or XTMv Interface | ESXi Interface | ESXi Interface MAC Address |
|---|---|---|
Deploy the FireboxV or XTMv Virtual Appliance
You can use the vSphere Client, vSphere Web Client, or vCenter Server to deploy the FireboxV or XTMv virtual appliance (OVF template file). The OVF template file installs as a 64-bit virtual machine.
Different versions of VMware ESXi support different VMware clients. You can use any supported client to deploy the .ova file and assign required resources to the Firebox. For example, VMware 6.5 supports these clients:
- VMware Host Client
- vSphere Client - HTML5
- vSphere Web Client
- vSphere Appliance Management UI (VAMI) - HTML5
- PSC Management UI - HTML5
The next procedures describe how to deploy a virtual machine on the ESXi Host Client.
For information about how to deploy a virtual machine and configure necessary resources for another VMware client, see the documentation for that VMware client.
Older versions of ESXi support the Windows vSphere Client, which is not supported in v6.5 and higher. For instructions about how to use the Windows vSphere client to install a FireboxV or XTMv virtual machine, see the v11.11 version of the WatchGuard XTMv Setup Guide available on the Documentation page at https://www.watchguard.com/wgrd-help/documentation/xtm
To use the VMware Host Client to deploy the FireboxV virtual machine:
- Connect to the VMware Host Client at https://<ESXi_Host>/UI.
Replace <ESXi_Host> with the FQDN or IP address of your ESXi host.
- In the Navigator pane, select Host.
- Select Actions > Create/Register VM.
The New virtual machine wizard starts.
- Complete the steps in the New virtual machine wizard.
The wizard helps you to complete these steps:
- Select Deploy a virtual machine from an OVF or OVA file.
- Review and accept the WatchGuard End-User License Agreement.
- Specify the name of the virtual machine.
- Select the FireboxV or XTMv .ovf file you downloaded from WatchGuard.
- Select a datastore with at least 5 GB available space.
- Select the networks to map to Network 0 (Eth0: External) and Network 1 (Eth1: Trusted). Eth0 is configured to use DHCP to get an IP address by default. Select a vmxnet3 network adapter for each interface.
- We recommend you select Thick to allocate all storage immediately.
- Do not configure additional network settings. You will use the Fireware Web Setup Wizard to configure the Firebox networks.
After you finish the wizard and deployment is complete, the FireboxV or XTMv virtual machine appears in the Virtual Machines list. The virtual machine is powered on automatically.
FireboxV and XTMv Factory Default Settings
When you power on a FireboxV or XTMv virtual machine for the first time, before you run the setup wizard, it starts with these factory default settings:
- There are two active interfaces: external and trusted.
- The trusted interface has the IP address 10.0.1.1.
- The external interface is configured to receive an IP address through DHCP.
- The trusted interface is not configured to assign IP addresses with DHCP.
This is different than the default setting for other Fireboxes.
- Both the trusted and external interfaces accept management connections.
This is different than the default setting for other Fireboxes.
- The admin account passphrase is readwrite.
- The serial number for an unactivated FireboxV or XTMv device ends with 000000000.
You assign the actual serial number during device activation.
To find the assigned external IP address:
- In the virtual machines list, click the FireboxV or XTMv virtual machine.
- In the General Information > Networking section, look for the IP addresses.
Use the Web Setup Wizard to Create a Basic Configuration
The Fireware Web Setup Wizard is almost the same for FireboxV and XTMv as it is for any other Firebox. One difference is that, for a FireboxV or XTMv virtual machine, you can connect to either the trusted interface or the external interface to run the Web Setup Wizard. Another difference is that the virtual machine reboots after the wizard is complete, so that the virtual machine can restart with the new serial number.
If you do not complete all of the Web Setup Wizard steps within 15 minutes, the wizard does not save any of your settings. You must log in and start again.
The Web Setup Wizard includes a step to activate your FireboxV or XTMv device. You must activate the Firebox with a feature key to get the serial number and to enable all licensed features.
To set up the basic configuration on a FireboxV or XTMv virtual machine:
- Open a web browser and connect to Fireware Web UI on either the external or trusted interface.
- Connect to the external interface — From any computer on the FireboxV or XTMv external network, connect to:
For <External_IP_Address>, use the IP address assigned to the external interface.
- Connect to the trusted interface — From any computer on the FireboxV or XTMv trusted network, connect to:
- Log in to Fireware Web UI with the default administrator account credentials.
- Username — admin
- Passphrase — readwrite
- Complete the steps in the Web Setup Wizard.
The Web Setup Wizard helps you to complete these steps:
Select a configuration type
Select whether to create a new configuration or restore a configuration from a saved backup image.
Accept the End-User License Agreement.
Restore a Firebox Backup Image
If you selected the option to restore a configuration from a saved backup image, select a backup image file to restore to the Firebox.
Admin credentials are stored in the backup image file. Make sure that you know the admin passphrase at the time the backup image was created before you restore the backup. If you do not know the admin passphrase, you will not be able to log in to the Firebox after the backup image is restored.
The choices are:
- Import and restore a backup image from a file — Select a backup image file saved on your computer or network, and type the password that was used to encrypt the file.
- Restore a backup image file saved on the Firebox or USB drive — Select a backup image file that is saved on the Firebox (Fireware 12.2.1 and higher only) or a backup image stored on the USB drive that is connected to the Firebox (Fireware 12.3 and higher only). If you select a backup image stored on the USB drive, type the password that was used to encrypt the file.
Backup images saved on the Firebox appear in the Available backup images list only if you used the CLI command restore factory-default without the all option to reset the Firebox. All other methods used to reset the Firebox automatically delete all backup images saved on the Firebox.
After the backup image restores, the Firebox reboots and the Fireware Web UI Login page appears.
Configure the External Interface
Select and configure the method you want your device to use to set an external IP address. The choices are:
- DHCP — Type the DHCP identification as supplied by your ISP.
- PPPoE — Type the PPPoE information as supplied by your ISP.
- Static — Type the static IP address and gateway IP address, as supplied by your ISP.
For more information about these methods, see Configure an External Interface.
Configure DNS and WINS Servers (Optional)
Configure the Domain DNS and WINS server addresses you want the Firebox to use.
Configure the Trusted Interface
Type the IP address of the trusted interface. (Optional) If you want the Firebox to assign IP addresses to computers that connect to the trusted network, you can enable the DHCP server and assign a range of IP addresses on the same subnet as the interface IP address.
Create passphrases for your device
Set new passphrases for the status (read only) and admin (read/write) built-in user accounts.
Enable remote management (Optional)
Enable remote management if you want to manage this Firebox through the external interface.
Add device information
You can type a device name, location, and contact information to save management information for this device. By default, the device name is set to the model number of your Firebox. We recommend that you choose a unique name that you can use to easily identify this Firebox, especially if you use remote management. The location and contact information are optional.
Set the Time Zone
Select the time zone where the Firebox is located.
Activation: Add the Firebox feature key
The Web Setup Wizard can use one of three methods to apply a feature key to your device:
Automatic Activation — If the Firebox has been previously activated, the wizard automatically retrieves the device feature key from the WatchGuard website when it starts with factory-default settings. If automatic activation is successful, the wizard does not show a page for the activation step. Automatic activation is not possible for FireboxV or XTMv.
Online Activation — If the Firebox has not yet been activated, you can use Online Activation in the wizard to activate the device in your account on the WatchGuard website. The device then automatically retrieves and applies the feature key to the device. To use Online Activation, your device must have a connection to the Internet.
Manual Activation — If you previously activated your Firebox and have a copy of the feature key on your computer, you can choose to skip online activation, and instead paste the text of the feature key into the wizard.
If the Firebox does not have an Internet connection when you run the wizard, you can also choose to skip activation entirely and apply the feature key later. For more information about how to apply the feature key outside the wizard, see Get a Firebox Feature Key.
Device functionality is limited until you apply a feature key. Without a feature key, the Firebox allows only one user to access the Internet. If the Firebox does not have a feature key, the Web Setup Wizard cannot configure licensed subscription services.
Subscription Services and WebBlocker settings
For a Firebox that uses Fireware v11.12 or higher, the setup wizard shows you a list of licensed services from the feature key. The wizard automatically enables the listed services with recommended settings. For WebBlocker, the wizard recommends content categories to block, and you can change these settings in the wizard.
After you review and apply your configuration settings, the Firebox saves the configuration.
After the Setup Wizard Finishes
After you complete the wizard, the FireboxV or XTMv virtual machine reboots with the new serial number. The setup wizard creates a basic configuration that allows outbound TCP, UDP, and ping traffic, and blocks all unrequested traffic from the external network. It also uses the interface IP addresses and administrative passphrases you specified. The wizard automatically enables default policies and services with recommended settings. For details about the default policies and services, see Setup Wizard Default Policies and Settings.
If you changed the IP address of the interface you used to connect to the Fireware Web Setup Wizard, you must use the new address to connect and manage the device.
Management Connections to FireboxV and XTMv
For a FireboxV or XTMv virtual machine, the default WatchGuard and WatchGuard Web UI policies allow management connections from any computer on the trusted, optional, or external networks. This is different from the default configuration for other WatchGuard devices, which do not allow management connections from the external network by default. If you do not want to allow management connections from the external network, edit the WatchGuard and WatchGuard Web UI policies to remove the Any-External alias from the From list. To allow management from only a specific computer on the external network, you can add the address of that management computer to the From list in these policies.
You can use Fireware Web UI, WatchGuard System Manager, or the Fireware Command Line Interface (CLI) to change the configuration for your FireboxV or XTMv virtual machine. You can connect to either the trusted or external interface from any computer on the same network.
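Because the FireboxV and XTMv defaults expose the WatchGuard and WatchGuard Web UI policies to Any-External, a post-deployment review should confirm that the From list of each management policy has been tightened. The script below is an added example, not WatchGuard code: it models each policy as a list of From aliases, flags management policies still reachable from Any-External, and produces the hardened From list, either dropping Any-External or replacing it with a single management host address as the paragraph above suggests. The policy names and alias names come from the page; the dict representation, the helper names, and the sample data are this example's own.

```python
"""Audit and harden the From lists of the Firebox management policies.

Added example, not WatchGuard code. Policies are modelled as
{policy name: [From aliases]}. The policy names (WatchGuard, WatchGuard
Web UI) and alias names (Any-Trusted, Any-Optional, Any-External) are the
ones the page describes; the data below is a constructed sample of the
FireboxV/XTMv default state.
"""
import ipaddress

MANAGEMENT_POLICIES = ("WatchGuard", "WatchGuard Web UI")
EXTERNAL_ALIAS = "Any-External"

# Constructed sample: the FireboxV/XTMv defaults allow management from the
# trusted, optional, and external networks.
DEFAULT_POLICIES = {
    "WatchGuard": ["Any-Trusted", "Any-Optional", "Any-External"],
    "WatchGuard Web UI": ["Any-Trusted", "Any-Optional", "Any-External"],
    "Outgoing": ["Any-Trusted", "Any-Optional"],
}


def exposed_management_policies(policies):
    """Names of management policies that accept connections from Any-External."""
    return [name for name in MANAGEMENT_POLICIES
            if EXTERNAL_ALIAS in policies.get(name, [])]


def harden(policies, management_host=None):
    """Return a copy of `policies` with Any-External removed from the
    management policies. If `management_host` (a single IP address) is given,
    it is added to the From list instead, so that only that host can manage
    the Firebox from the external network. Non-management policies are left
    untouched."""
    if management_host is not None:
        # Reject anything that is not a single host address, so a typo cannot
        # silently widen the From list again.
        management_host = str(ipaddress.ip_address(management_host))
    hardened = {name: list(src) for name, src in policies.items()}
    for name in MANAGEMENT_POLICIES:
        src = hardened.get(name)
        if src is None or EXTERNAL_ALIAS not in src:
            continue
        src.remove(EXTERNAL_ALIAS)
        if management_host and management_host not in src:
            src.append(management_host)
    return hardened


if __name__ == "__main__":
    print("exposed before:", exposed_management_policies(DEFAULT_POLICIES))
    locked = harden(DEFAULT_POLICIES, management_host="203.0.113.10")
    for name, src in locked.items():
        print(f"{name}: From {src}")
    print("exposed after:", exposed_management_policies(locked))
```

The check is intentionally independent of how the policy list is obtained; export the From lists from Fireware Web UI, WatchGuard System Manager, or the CLI and load them into the same dict shape before calling exposed_management_policies.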
For more information, see:
If you need to reset a FireboxV or XTMv device to factory-default settings, you can use the Fireware Command Line interface. For more information, see Reset FireboxV or XTMv to Factory-Default Settings.