Prepare to Install Your Firebox

Before you begin the installation process, you must make sure you have the basic components for your Firebox, get the feature key for your Firebox, select your network addresses, select a firewall configuration mode, decide where to install your servers, and select a setup wizard.

In these installation instructions, we assume your Firebox has one trusted, one external, and one optional interface configured. To configure additional interfaces on your Firebox, use the configuration tools and procedures described in the Network Setup and Configuration topics.

Verify Basic Components

Make sure that you have these items:

  • A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
  • A WatchGuard Firebox
  • A serial cable (blue)
  • One crossover Ethernet cable (red)
  • One straight Ethernet cable (green)
  • Power cable or AC power adapter

Get a Feature Key

To enable all of the features on your Firebox, you must register the device on the WatchGuard website and get your feature key. If you register your Firebox before you use the Quick Setup Wizard, you can paste a copy of your feature key in the wizard. The wizard then applies it to your device. If you do not paste your feature key into the wizard, you can still finish the wizard. Until you add your feature key, the Firebox allows only one connection to an external network, such as the Internet.

You also get a new feature key to enable optional products or services when you purchase them. After you register your Firebox or any new feature, you can synchronize your Firebox feature key with the feature keys kept in your registration profile on the WatchGuard website.

To learn how to activate your Firebox and get a feature key, see Get a Firebox Feature Key.

Gather Network Addresses

We recommend that you record your network information before and after you configure your Firebox. Use the first list for your network IP addresses before you put the device into operation. For information about how to identify your network IP addresses, see Identify Your Network Settings.

WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash Notation. For more information on IP addresses, see About IP Addresses.

List 1: Network IP addresses without the Firebox
Wide Area Network _____._____._____._____ / ____
Default Gateway _____._____._____._____
Local Area Network _____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Public Server(s) (if applicable)



Use the second list for your network IP addresses after you put the Firebox into operation.

External interface

Connects to the external network (typically the Internet) that is not trusted.

Trusted interface

Connects to the private LAN (local area network) or internal network that you want to protect.

Optional interface(s)

Usually connects to a mixed trust area of your network, such as servers in a DMZ (demilitarized zone). You can use optional interfaces to create zones in the network with different levels of access.

List 2: Network IP addresses with the Firebox
Default Gateway _____._____._____._____
External Interface _____._____._____._____/ ____
Trusted Interface _____._____._____._____ / ____
Optional Interface _____._____._____._____ / ____
Secondary Network (if applicable)

_____._____._____._____ / ____

Select a Firewall Configuration Mode

You must decide how you want to connect the Firebox to your network before you run the Quick Setup Wizard. The way you connect the device controls the interface configuration. When you connect the device, you select the configuration mode—routed or drop-in—that is best suited to your current network.

Many networks operate best with mixed routing configuration, but we recommend the drop-in mode if:

  • You have already assigned a large number of static IP addresses and do not want to change your network configuration.
  • You cannot configure the computers on your trusted and optional networks that have public IP addresses with private IP addresses.

This list and the descriptions below the list show three conditions that can help you to select a firewall configuration mode.

Mixed Routing Mode Drop-in Mode
All of the Firebox interfaces are on different networks. All of the Firebox interfaces are on the same network and have the same IP address.
Trusted and optional interfaces must be on different networks. Each interface has an IP address on its network. The computers on the trusted or optional interfaces can have a public IP address.
Use static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces. NAT is not necessary because the computers that have public access have public IP addresses.

For more information about drop-in mode, see Drop-In Mode.

For more information about mixed routing mode, see Mixed Routing Mode.

The Firebox also supports a third configuration mode called bridge mode. This mode is less commonly used. For more information about bridge mode, see Bridge Mode.

You can now start the Web Setup Wizard or Quick Setup Wizard. For more information, see About Firebox Setup Wizards.

You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create your initial configuration. When you run the Web Setup Wizard, the firewall configuration is automatically set to mixed routing mode. When you run the WSM Quick Setup Wizard, you can configure the device in mixed routing mode or drop-in mode.

Decide Where to Install Server Software

When you run the WatchGuard System Manager Installer, you can install WatchGuard System Manager and the WatchGuard servers on the same computer. You can also use the same installation procedure to install the WatchGuard servers on different computers. This helps to distribute the server load and supply redundancy. To ensure the Management Server operates correctly, you must install it on a computer also has WSM installed. To decide where to install server software, you must examine the capacity of your management computer and select the installation method that matches your environment.

If you install server software on a computer with an active desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows Firewall users do not have to change their desktop firewall configuration because the installation program opens the necessary ports through Windows Firewall automatically.

For more information, see Install WatchGuard Servers on Computers with Desktop Firewalls .

To start the installation process, Install WatchGuard System Manager Software.

Decide Which Setup Wizard to Use

You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create the initial Firebox configuration. When you run the Web Setup Wizard, the firewall configuration is automatically set to mixed routing mode. When you run the WSM Quick Setup Wizard, you can configure the device in mixed routing mode or drop-in mode. For more information, see About Firebox Setup Wizards.

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search