Deploy FireboxV or XTMv on VMware ESXi

This installation procedure describes how to deploy and configure a FireboxV or XTMv virtual machine on a VMware vSphere ESXi host.

Installation Prerequisites

WatchGuard FireboxV VMware system requirements:

  • VMware ESXi 6.0, 6.5, or 6.7

WatchGuard XTMv VMware system requirements:

  • VMware ESXi 6.0

Hardware and System Resources

  • Each FireboxV or XTMv virtual machine requires 5 GB of disk space.
  • Other system resources vary by FireboxV model

Some WatchGuard customers have successfully used vMotion to migrate an XTMv virtual machine between ESXi hosts while the XTMv virtual machine is powered on and passing traffic. However we recommend that you power down the FireboxV or XTMv virtual machine, if possible, before you migrate it between ESXi hosts.

Before You Begin

To prepare for your installation, make sure you have:

  • FireboxV or XTMv device serial number

    You receive the serial number when you purchase the FireboxV or XTMv virtual device.
  • FireboxV or XTMv feature key
    The feature key contains the device serial number and licensed features.
  • WatchGuard FireboxV or XTMv Open Virtual Machine Format (.ovf) file
    The file name is Fireboxv_<version>.ovf or xtmv_<version>.ovf, where <version> is the Fireware version.
  • WatchGuard System Manager (optional)

    The WSM version must be the same version or higher than the Fireware version

To get the feature key:

  1. Go to www.watchguard.com/activate and activate the device serial number.
    The activation process creates a feature key for the Firebox.
  2. Copy the feature key to a local text file.

To download the installation file and other software to use with your Firebox:

  1. Go to software.watchguard.com and select FireboxV or XTMv for VMware.
  2. Download the FireboxV zip or XTMv .ova template file.
  3. Download WatchGuard System Manager (optional).

Installation Overview

To complete initial installation:

  1. In the VMware vSphere Client, deploy the FireboxV or XTMv virtual appliance to the ESXi host and power on the FireboxV or XTMv virtual machine.
  2. Connect to the FireboxV or XTMv virtual machine and run the Web Setup Wizard to set up a basic configuration.
  3. Allocate additional resources to the FireboxV or XTMv virtual machine.

This guide describes how to run the Web Setup Wizard to create your initial configuration for a FireboxV virtual machine. If you have installed WatchGuard System Manager on a computer on the FireboxV or XTMv trusted network, instead of the Web Setup Wizard, you can run the Quick Setup Wizard in WatchGuard System Manager to discover the virtual machine and set up the basic configuration.

To activate your Firebox in the Web Setup Wizard, you must have the Firebox serial number. You cannot use a serial number that ends with 000000000, which is the serial number for an unactivated device.

Network Considerations

When you create a FireboxV or XTMv virtual appliance, it is initially configured with two active interfaces.

External interface

The external interface, Interface 0, is set up by default to request an IP address from a DHCP server. To connect to this interface for the initial device configuration, you must map this interface to a destination network that has a DHCP server.

Trusted interface

The trusted interface, Interface 1, has a default IP address of 10.0.1.1.

When you create the FireboxV or XTMv virtual machine in the ESXi environment, before you run the Fireware Web Setup Wizard, you must map each of these interfaces to a destination network.

For the best network performance and stability, we recommend that you choose a vmxnet3 virtual network adapter for each Firebox interface. Do not use a e1000 virtual network adapter.

After you create the FireboxV or XTMv virtual machine, you can enable and configure additional network interfaces. For additional interfaces to operate, you must configure the FireboxV or XTMv virtual machine in the vSphere Web Client to add the number of network adapters you want to enable in the FireboxV device configuration.

You must configure the ESXi MAC addresses in increasing order by the ESXi interface number. This ensures that the Firebox interfaces correspond to the ESXi interfaces as follows:

FireboxV or XTMv Interface ESXi Interface ESXi Interface MAC Address
eth0 1 11:11:11:11:11:11
eth1 2 22:22:22:22:22:22
eth2 3 33:33:33:33:33:33
eth3 4 44:44:44:44:44:44

Deploy the FireboxV or XTMv Virtual Appliance

You can use the vSphere Client, vSphere Web Client, or vCenter Server to deploy the FireboxV or XTMv virtual appliance (OVF template file). The OVF template file installs as a 64-bit virtual machine.

Different versions of VMware ESXi support different VMware clients. You can use any supported client to deploy the .ova file and assign required resources to the Firebox. For example, VMware 6.5 supports these clients:

  • VMware Host Client
  • vSphere Client - HTML5
  • vSphere Web Client
  • vSphere Appliance Management UI (VAMI) - HTML5
  • PSC Management UI - HTML5

The next procedures describe how to deploy a virtual machine on the ESXi Host Client.

For information about how to deploy a virtual machine and configure necessary resources for another VMware client , see the documentation for that VMware client.

Older versions of ESXi support the Windows vSphere Client, which is not supported in v6.5 and higher. For instructions about how to use the Windows vSphere client to install a FireboxV or XTMv virtual machine, see the v11.11 version of the WatchGuard XTMv Setup Guide available on the Documentation page at https://www.watchguard.com/wgrd-help/documentation/xtm

To use the VMware Host Client to deploy the FireboxV virtual machine:

  1. Connect to the VMware Host Client at https://<ESXi_Host>/UI.
    Replace <ESXi_Host> with the FQDN or IP address of your ESXi host.
  2. In the Navigator pane, select Host.
  3. Select Actions > Create/Register VM.
    The New virtual machine wizard starts.
  4. Complete the steps in the New virtual machine wizard.

The wizard helps you to complete these steps:

Creation type

Select Deploy a virtual machine from an OVF or OVA file.

License agreement

Review and accept the WatchGuard End-User License Agreement.

Name

Specify the name of the virtual machine.

OVA file

The FireboxV or XTMv .ovf file you downloaded from WatchGuard

Destination datastore

Select a datastore with at least 5 GB available space.

Network mappings

Select the networks to map to Network 0 (Eth0: External) and Network 1 (eth1:Trusted). Eth) is configured to use DHCP to get an IP address by default. Select a vmxnet3 network adapter for each interface.

Disk provisioning

We recommend you select Thick to allocate all storage immediately.

Additional settings

Do not configure additional network settings. You will use Fireware Web Setup Wizard to configure the Firebox networks.

After you finish the wizard and deployment is complete, the FireboxV or XTMv virtual machine appears in the Virtual Machines list. The virtual machine is powered on automatically.

FireboxV and XTMv Factory Default Settings

When you power on a FireboxV or XTMv virtual machine for the first time, before you run the setup wizard, it starts with these factory default settings:

  • There are two active interfaces: external and trusted.
  • The trusted interface has the IP address 10.0.1.1.
  • The external interface is configured to receive an IP address through DHCP.
  • The trusted interface is not configured to assign IP addresses with DHCP.
    This is different than the default setting for other Fireboxes.
  • Both the trusted and external interfaces accept management connections.
    This is different than the default setting for other Fireboxes.
  • The admin account passphrase is readwrite.
  • The serial number for an unactivated FireboxV or XTMv device ends with 000000000.
    You assign the actual serial number during device activation.

To find the assigned external IP address:

  1. In the virtual machines list, click the FireboxV or XTMv virtual machine.
  2. In the General Information > Networking section, look for the IP addresses.

Use the Web Setup Wizard to Create a Basic Configuration

The Fireware Web Setup Wizard is almost the same for FireboxV as it is for any other Firebox. One difference is that, for a FireboxV virtual machine, you can connect to either the trusted interface or the external interface to run the Web Setup Wizard. Another difference is that the virtual machine reboots after the wizard is complete, so that the virtual machine can restart with the new serial number.

If you do not complete all of the Web Setup Wizard steps within 15 minutes, the wizard does not save any of your settings. You must log in and start again.

The Web Setup Wizard includes a step to activate your FireboxV device. You must activate the Firebox with a feature key to get the serial number and to enable all licensed features.

To set up the basic configuration on a FireboxV virtual machine:

  1. Open a web browser and connect to Fireware Web UI on either the external or trusted interface.
  • Connect to the external interface — From any computer on the FireboxV external network, connect to:
    https://<External_IP_Address>:8080
    For <External_IP_Address>, use the IP address assigned to the external interface.
  • Connect to the trusted interface — From any computer on the FireboxV trusted network, connect to:
    https://10.0.1.1:8080
  1. Log in to Fireware Web UI with the default administrator account credentials.
  • Username — admin
  • Passphrase — readwrite
  1. Select New Configuration.
  2. Complete the steps in the Web Setup Wizard.

The Web Setup Wizard helps you to complete these steps:

Configure the External interface

Select and configure the method you want your device to use to set an external IP address. The choices are:

  • DHCP — Type the DHCP identification as supplied by your ISP.
  • PPPoE — Type the PPPoE information as supplied by your ISP.
  • Static — Type the static IP address and gateway IP address, as supplied by your ISP.

For more information about these methods, see Configure an External Interface.

Configure DNS and WINS servers (Optional)

Configure the DNS and WINS server addresses you want the Firebox to use.

Configure the Trusted interface

Type the IP address of the trusted interface. (Optional) If you want the Firebox to assign IP addresses to computers that connect to the trusted network, you can enable the DHCP server and assign a range of IP addresses on the same subnet as the interface IP address.

Create passphrases for your device

Set new passphrases for the status (read-only) and admin (read/write) built-in user accounts.

Enable remote management (Optional)

Enable remote management if you want to manage this Firebox through the external interface.

Add device information

You can type a device name, location, and contact information to save management information for this device. By default, the device name is the model number of your Firebox. We recommend that you choose a unique name that you can use to easily identify this Firebox, especially if you use remote management. The location and contact information are optional.

Set the Time Zone

Select the time zone where the Firebox is located.

Add the feature key

Paste the text of the feature key into the setup wizard.

If you did not copy the feature key when you activated your Firebox serial number, you can get it on the Product Details page for your Firebox. For more information, see About the Product Details Page.

Configure subscription services

The setup wizard shows a list of licensed services from the feature key. The setup wizard automatically enables the listed services with recommended settings. For WebBlocker, the setup wizard recommends content categories to block, and you can change these settings in the setup wizard.

Review the Configuration

After you review the configuration settings, the setup wizard saves the configuration to the Firebox.

After the Setup Wizard Finishes

After you complete the wizard, the FireboxV or XTMv virtual machine reboots with the new serial number. The setup wizard creates a basic configuration that allows outbound TCP, UDP, and ping, traffic, and blocks all unrequested traffic from the external network. It also uses the interface IP addresses and administrative passphrases you specified. The wizard automatically enabled default policies and services with recommended settings. For details about the default policies and services, see Setup Wizard Default Policies and Settings.

If you changed the IP address of the interface you used to connect to the Fireware Web Setup Wizard, you must use the new address to connect and manage the device.

Management Connections to FireboxV and XTMv

For a FireboxV or XTMv virtual machine, the default WatchGuard and WatchGuard Web UI policies allow management connections from any computer on the trusted, optional, or external networks. This is different from the default configuration for other WatchGuard devices, which do not allow management connections from the external network by default. If you do not want to allow management connections from the external network, edit the WatchGuard and WatchGuard Web UI policies to remove the Any-External alias from the From list. To allow management from only a specific computer on the external network, you can add the address of that management computer to the From list in these policies.

You can use Fireware Web UI, WatchGuard System Manager, or the Fireware Command Line Interface (CLI) to change the configuration for your FireboxV or XTMv virtual machine. You can connect to either the trusted or external interface from any computer on the same network.

For more information, see:

If you need to reset a FireboxV or XTMv device to factory-default settings, you can use the Fireware Command Line interface. For more information, see Reset FireboxV or XTMv to Factory-Default Settings.