Prepare to Install Your Firebox

Before you begin the installation process, complete these tasks:

  • Verify the basic components for your Firebox
  • Activate your Firebox
  • Record network address information
  • Select a network configuration mode
  • Select a location to install your servers
  • Select a Firebox setup wizard

In these instructions, we assume your Firebox has one trusted, one external, and one optional interface configured. To configure additional interfaces on your Firebox, use the configuration tools and procedures described in the Network Interface Settings topics.

Verify Basic Components

Make sure you have these components before you begin the installation process:

  • Computer with an Ethernet network interface and a web browser
  • WatchGuard Firebox
  • Network with Internet access

Activate Your Firebox

To enable configuration of the licensed features on your Firebox, you must activate the Firebox in your WatchGuard account. To activate your Firebox, open a web browser and go to

The activation process generates a feature key for the Firebox. The feature key is a file that lists the licensed features and services and their expiration dates. The Firebox automatically connects to WatchGuard to download its feature key. You can also copy the feature key from the WatchGuard website and paste it into the Firebox configuration.

If the Firebox does not have a feature key, it allows only one outbound connection to an external network, such as the Internet.

To learn how to activate your Firebox and get a feature key, see Get a Firebox Feature Key.

Record Network Address Information

We recommend that you record your network information before and after you configure your Firebox. Use List 1 for your network IP addresses before you put the device into operation. For information about how to identify your network IP addresses, see Identify Your Network Settings.

WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash Notation. For more information about IP addresses, see About IP Addresses.

List 1: Network IP Addresses without the Firebox
Wide Area Network _____._____._____._____ / ____
Default Gateway _____._____._____._____
Local Area Network _____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Public Server(s) (if applicable)



Use List 2 to record your network IP addresses after you put the Firebox into operation.

External interface

Connects to the external network (typically the Internet) that is not trusted.

Trusted interface

Connects to the private LAN (local area network) or internal network that you want to protect.

Optional interface(s)

Usually connects to a mixed trust area of your network, such as servers in a DMZ. You can use optional interfaces to create zones in the network with different levels of access.

List 2: Network IP Addresses with the Firebox
Default Gateway _____._____._____._____
External Interface _____._____._____._____/ ____
Trusted Interface _____._____._____._____ / ____
Optional Interface _____._____._____._____ / ____
Secondary Network (if applicable)

_____._____._____._____ / ____

Select a Network Configuration Mode

You must decide how you want to connect the Firebox to your network. For most networks, Mixed Routing Mode, is the correct choice.

Fireware supports three network configuration modes:

Mixed Routing Mode

In mixed routing mode (also known as routed mode), each interface has a separate IP address and connects to a separate network. The Firebox uses static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces. Mixed routing mode is the only mode that supports all Firebox features.

This is the default mode and is appropriate for most networks. For more information, see Mixed Routing Mode.

Drop-In Mode

In drop-in mode, all of the Firebox interfaces are on the same network and have the same IP address. NAT is not necessary because the computers that have public access have public IP addresses. In drop-in mode, you cannot enable wireless. For more information, see Drop-In Mode.

Bridge Mode

In bridge mode, the Firebox examines traffic from all trusted or optional interfaces and sends it to the external interface. Traffic sent or received through the Firebox appears to come from its original source. In bridge mode, you cannot configure routing, NAT, or VLANs. For more information about bridge mode, see Bridge Mode.

Select a Location to Install Server Software

In the WatchGuard System Manager (WSM) installer, you can install WSM and the WatchGuard servers. You can install the WatchGuard Servers on different computers. You must install the Management Server on a computer that also has WSM installed.

If you install server software on a computer with an active desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. For more information, see Install WatchGuard Servers on Computers with Desktop Firewalls .

For information about how to install WatchGuard System Manager and WatchGuard Servers, see, Install WatchGuard System Manager Software.

Select a Firebox Setup Wizard

You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create the initial Firebox configuration. When you run the Web Setup Wizard, the firewall configuration is automatically set to mixed routing mode. When you run the WSM Quick Setup Wizard, you can configure the device in mixed routing mode or drop-in mode. In Fireware v12.5.3 and higher, the Web Setup Wizard supports setup options for RapidDeploy and WatchGuard Cloud.

For more information, see About Firebox Setup Wizards.