Change the FireCluster Management Type

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When you add a FireCluster to WatchGuard Cloud, you select one of these management types:

  • Cloud management — With this option, you use WatchGuard Cloud for all FireCluster configuration management, monitoring, and reporting. You cannot locally manage the FireCluster in WatchGuard System Manager, Fireware Web UI, or the CLI.
  • Local management — With this option, you can use WatchGuard Cloud for FireCluster monitoring and reporting. You can also upgrade, fail over, and reboot the FireCluster in WatchGuard Cloud. To manage the FireCluster configuration, you must use WatchGuard System Manager, Fireware Web UI, or the CLI.

After you add a FireCluster to WatchGuard Cloud, you can change the management type.

Change to Cloud Management

After you change to cloud management and deploy the change:

  • The cloud-managed configuration replaces the locally-managed configuration on the Firebox.
  • You can no longer locally manage the FireCluster in WatchGuard System Manager, Fireware Web UI, or the CLI.

To change a FireCluster from local management to cloud management:

  1. Sign in to your WatchGuard Cloud Subscriber account.
    For Service Provider operators, from Account Manager, select My Account.
  2. Select Configure > Devices.
  3. Select the FireCluster.
    The Device Settings page opens.

Screen shot of the Cloud Management section of the Device Settings page

  4. In the Cloud Management section, click Change to Cloud Management.
  5. Confirm that you want to change to cloud management.
    The Add Device wizard opens.
  6. Complete the FireCluster settings. For more information, go to the Method 2 section in Add a Cloud-Managed FireCluster.

After you deploy the change, the cloud-managed configuration replaces the locally-managed configuration on the Firebox. You can no longer locally manage the FireCluster in WatchGuard System Manager or Fireware Web UI.

  7. Schedule a deployment.

Remove from Cloud Management

After you remove a FireCluster from cloud management:

  • The FireCluster retains the configuration from WatchGuard Cloud, but you must now manage the configuration with WatchGuard System Manager or Fireware Web UI.
  • The deployment history from when the FireCluster was cloud managed is no longer available. This means you cannot revert to previous deployment versions that existed before you removed the FireCluster from cloud management, even if you later change the FireCluster back to cloud management.

If you plan to remove a FireCluster from cloud management, and you also plan to later change the FireCluster back to cloud management, we recommend that you save a copy of the device configuration report before you remove the FireCluster from cloud management. After you change the management type back to cloud management, you can use the information in the report to manually rebuild your configuration.

To change a FireCluster from cloud management to local management:

  1. Sign in to your WatchGuard Cloud Subscriber account.
    For Service Provider operators, from Account Manager, select My Account.
  2. Select Configure > Devices.
  3. Select the FireCluster.
    The Device Settings page opens.

Screen shot of the Device Settings page for a FireCluster

  4. In the Cloud Management section, click Remove.
    A confirmation dialog box opens.

Screen shot of the Remove from Cloud Management dialog box

  5. To confirm, click Remove.
  6. Schedule a deployment.
    The Firebox retains the configuration from WatchGuard Cloud, but you must now manage the configuration with WatchGuard System Manager or Fireware Web UI.

Add a Management Policy

To use WatchGuard System Manager to manage a FireCluster that you changed from cloud management to local management, you must manually add the WatchGuard System Manager policy to your configuration.

To add the WatchGuard System Manager policy:

  1. Use Fireware Web UI to connect to the FireCluster.
  2. Add the WatchGuard policy, which is the WG-Firebox-Mgmt policy type. This policy controls administrative connections to the FireCluster.

For more information about the WatchGuard policy, go to About FireCluster Management IP Addresses and Administer Your Firebox From a Remote Location.

If you plan to change the FireCluster management type often for testing purposes, we recommend that you add a first run template policy in WatchGuard Cloud that includes the WatchGuard System Manager ports. This policy makes it easier to configure management access after you change from cloud management to local management. For example, you can add a policy like this one:

Screen shot of a first run policy for FireCluster Management with WatchGuard System Manager

For more information, go to Firewall Policy Types and About Firebox Templates.

Related Topics

About FireCluster in WatchGuard Cloud