Before you begin the installation process, complete these tasks:
- Verify the basic components for your Firebox
- Activate your Firebox
- Record network address information
- Select a network configuration mode
- Select a location to install your servers
- Select a Firebox setup wizard
In these instructions, we assume your Firebox has one trusted, one external, and one optional interface configured. To configure additional interfaces on your Firebox, use the configuration tools and procedures described in the Network Interface Settings topics.
Verify Basic Components
Make sure you have these components before you begin the installation process:
- Computer with an Ethernet network interface and a web browser
- WatchGuard Firebox
- Network with Internet access
Activate Your Firebox
To enable configuration of the licensed features on your Firebox, you must activate the Firebox in your WatchGuard account. To activate your Firebox, open a web browser and go to https://myproducts.watchguard.com/activate.
The activation process generates a feature key for the Firebox. The feature key is a file that lists the licensed features and services and their expiration dates. The Firebox automatically connects to WatchGuard to download its feature key. You can also copy the feature key from the WatchGuard website and paste it into the Firebox configuration.
If the Firebox does not have a feature key, it allows only one outbound connection to an external network, such as the Internet.
To learn how to activate your Firebox and get a feature key, go to Get a Firebox Feature Key.
Record Network Address Information
We recommend that you record your network information before and after you configure your Firebox. Use List 1 for your network IP addresses before you put the device into operation.
WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash Notation. For more information about IP addresses, go to About IP Addresses.
| List 1: Network IP Addresses without the Firebox | |
|---|---|
| Wide Area Network | _____._____._____._____ / ____ |
| Default Gateway | _____._____._____._____ |
| Local Area Network | _____._____._____._____ / ____ |
| Secondary Network (if applicable) | _____._____._____._____ / ____ |
| Public Server(s) (if applicable) |
_____._____._____._____ |
| _____._____._____._____ | |
| _____._____._____._____ | |
Use List 2 to record your network IP addresses after you put the Firebox into operation.
External interface
Connects to the external network (typically the Internet) that is not trusted.
Trusted interface
Connects to the private LAN (local area network) or internal network that you want to protect.
Optional interface(s)
Usually connects to a mixed trust area of your network, such as servers in a DMZ. You can use optional interfaces to create zones in the network with different levels of access.
| List 2: Network IP Addresses with the Firebox | |
|---|---|
| Default Gateway | _____._____._____._____ |
| External Interface | _____._____._____._____/ ____ |
| Trusted Interface | _____._____._____._____ / ____ |
| Optional Interface | _____._____._____._____ / ____ |
| Secondary Network (if applicable) |
_____._____._____._____ / ____ |
Select a Network Configuration Mode
You must decide how you want to connect the Firebox to your network. For most networks, Mixed Routing Mode, is the correct choice.
Fireware supports three network configuration modes:
Mixed Routing Mode
In mixed routing mode (also known as routed mode), each interface has a separate IP address and connects to a separate network. The Firebox uses static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces. Mixed routing mode is the only mode that supports all Firebox features.
This is the default mode and is appropriate for most networks. For more information, go to Mixed Routing Mode.
Drop-In Mode
In drop-in mode, all of the Firebox interfaces are on the same network and have the same IP address. NAT is not necessary because the computers that have public access have public IP addresses. In drop-in mode, you cannot enable wireless. For more information, go to Drop-In Mode.
Bridge Mode
In bridge mode, the Firebox examines traffic from all trusted or optional interfaces and sends it to the external interface. Traffic sent or received through the Firebox appears to come from its original source. In bridge mode, you cannot configure routing, NAT, or VLANs. For more information about bridge mode, go to Bridge Mode.
Select a Location to Install Server Software
In the WatchGuard System Manager (WSM) installer, you can install WSM and the WatchGuard servers. You can install the WatchGuard Servers on different computers. You must install the Management Server on a computer that also has WSM installed.
If you install server software on a computer with an active desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. For more information, go to Install WatchGuard Servers on Computers with Desktop Firewalls .
For information about how to install WatchGuard System Manager and WatchGuard Servers, go to Install WatchGuard System Manager Software.
Select a Firebox Setup Wizard
You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create the initial Firebox configuration. When you run the Web Setup Wizard, the firewall configuration is automatically set to mixed routing mode. When you run the WSM Quick Setup Wizard, you can configure the device in mixed routing mode or drop-in mode. In Fireware v12.5.3 and higher, the Web Setup Wizard supports setup options for RapidDeploy and WatchGuard Cloud.
For more information, go to About Firebox Setup Wizards.