Firebox Feature Comparison — Locally-Managed and Cloud-Managed
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
WatchGuard Cloud provides a single user interface where you can monitor and configure all your WatchGuard products and services, and a multi-tier architecture that makes it easy to manage inventory across your accounts.
When you add a Firebox or FireCluster to WatchGuard Cloud, you can add it as either a locally-managed or cloud-managed device.
Both locally-managed and cloud-managed devices in WatchGuard Cloud can use monitoring and reporting features, perform system actions such as upgrades and reboots, and send incident data to ThreatSync — the difference is where you manage the device configuration and the configuration features that are available.
Cloud-Managed Device
You manage the Firebox configuration in WatchGuard Cloud. For more information, see Manage the Firebox Configuration in WatchGuard Cloud Help.
Cloud-managed Fireboxes are automatically added to WatchGuard Cloud for visibility and reporting, so you can monitor live status and see log messages and reports.
MSPs can create Firebox configuration templates and use them to quickly apply configuration settings to multiple devices across multiple managed accounts.
You can manage authentication domains and certificates at the account level and share them across devices.
Locally-Managed Device
You manage the Firebox configuration in WSM, Fireware Web UI, or the Command Line Interface. For more information, see Fireware Help.
You can add the locally-managed Firebox to WatchGuard Cloud for visibility and reporting.
We strongly recommend that you add all locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting, so you can monitor live status, see log messages and reports, easily upgrade firmware, and benefit from platform features such as ThreatSync.
The Firebox features that you can configure depend on the tool you use to manage your device. To determine whether to use local management or cloud management, review the information in these sections:
- Firebox Features Supported by Different Management Tools
- WatchGuard Cloud Features Supported by Fireboxes
For information on how to move a device from local management to cloud management, see Change a Locally-Managed Firebox to Cloud Management.
Firebox Features Supported by Different Management Tools
Several management tools are available to configure your Firebox. However, different management tools support different Firebox features.
This table compares the Firebox features you can configure with different management tools:
Product Feature | WatchGuard Cloud (Cloud-Managed Firebox) | WatchGuard System Manager Tools (Locally-Managed Firebox) | Fireware Web UI (Locally-Managed Firebox) |
---|---|---|---|
Firewall Policy | |||
Port/Protocol and Source/Destination Firewall Rules | ✓ | ✓ | ✓ |
Predefined Packet Filter Service List | ✓ | ✓ | ✓ |
First Run/Last Run Policies | ✓ | × | × |
Traffic Types Combined in One Firewall Policy | ✓ | × | × |
Explicit Proxy | × | ✓ | ✓ |
Scheduled Policies | × | ✓ | ✓ |
Zero-Touch Deployment/RapidDeploy | ✓ | ✓ | ✓ |
Policy Tags and Categories | × | ✓ | ✓ |
Browser SafeSearch | × | ✓ | ✓ |
Google for Business | × | ✓ | ✓ |
YouTube Enforcement Level | × | ✓ | ✓ |
Safeguarding Reports | ✓ | × | × |
Proxy-specific Controls | |||
Header Length and Fields | × | ✓ | ✓ |
Content Types and Body Content Types | × | ✓ | ✓ |
Maximum URL Length | × | ✓ | ✓ |
Range Requests | × | ✓ | ✓ |
Cookies | × | ✓ | ✓ |
Web Cache Server | × | ✓ | ✓ |
Email: Maximum Recipients | × | ✓ | ✓ |
Email: Maximum Size/Line Length/Header | × | ✓ | ✓ |
STARTTLS | × | ✓ | ✓ |
Sender From/To Rules | × | ✓ | ✓ |
Custom Deny and Warn Pages | × | ✓ | ✓ |
Logging and Notification | |||
WatchGuard Cloud | ✓ | ✓ | ✓ |
Syslog | ✓ | ✓ | ✓ |
Dimension | ✓ | ✓ | ✓ |
Syslog/Dimension Configuration in Templates | ✓ | ✓ | × |
SNMP | ✓ | ✓ | ✓ |
Netflow | × | ✓ | ✓ |
TLS Decryption and Inspection | |||
Inspect by URL Category | ✓ | ✓ | ✓ |
Manage TLS Exception List | ✓ | ✓ | ✓ |
Import Certificate | ✓ | ✓ | ✓ |
Enforce TLS Versions | × | ✓ | ✓ |
Inbound Inspection | × | ✓ | ✓ |
SSL Offloading | × | ✓ | ✓ |
PFS Cipher Setting | × | ✓ | ✓ |
Third-party Integrations & API Support | |||
API for Blocked Sites/IP Address | ✓ | ✓ | ✓ |
API for Exceptions | ✓ | ✓ | ✓ |
API for Device Information | ✓ | × | × |
API for Account Creation | ✓ | × | × |
Connectwise | ✓ | ✓ | ✓ |
Autotask | ✓ | ✓ | ✓ |
Tigerpaw | × | ✓ | ✓ |
FireCluster Configuration | |||
Active/Passive | ✓ | ✓ | × |
Active/Active | × | ✓ | × |
View Cluster Status | ✓ | ✓ | ✓ |
Alerts and Log Messages on Failover | ✓ | ✓ | ✓ |
Cluster Diagnostics | ✓ | ✓ | ✓ |
Upgrade Cluster Firmware | ✓ | ✓ | ✓ |
Multi-Firebox Management | |||
Templates for Firewall Rules | ✓ | ✓ | × |
Template Inheritance | ✓ | ✓ | × |
One to Many Mapping | ✓ | ✓ | × |
Many to One Mapping | ✓ | ✓ | × |
Firmware Upgrades | ✓ | ✓ | × |
Alias in Templates | ✓ | ✓ | × |
Role-based Access Control | ✓ | ✓ | × |
Networking | |||
Static NAT | ✓ | ✓ | ✓ |
Dynamic NAT | ✓ | ✓ | ✓ |
1-to-1 NAT | × | ✓ | ✓ |
DHCP Server and Options | ✓ | ✓ | ✓ |
DNS Settings for DHCP | ✓ | ✓ | ✓ |
Dynamic DNS | ✓ | ✓ | ✓ |
IPv6 | ✓ | ✓ | ✓ |
Integrated Wi-Fi Configuration on Wireless Firebox Models | ✓ | ✓ | ✓ |
Gateway Wireless Controller (GWC) | × | ✓ | ✓ |
Use Wireless as External Interface on -W Models | × | ✓ | ✓ |
Rogue Access Point Detection | × | ✓ | ✓ |
Hotspot/Guest Access | × | ✓ | ✓ |
Dynamic Routing | × | ✓ | ✓ |
Link Aggregation | × | ✓ | ✓ |
Multi-WAN | ✓ | ✓ | ✓ |
SD-WAN | |||
Dynamic Path - Jitter, Packet Loss, Latency | ✓ | ✓ | ✓ |
Link Monitoring - Ping, DNS, TCP | ✓ | ✓ | ✓ |
Failback - Immediate, Gradual, No Failback | ✓ | ✓ | ✓ |
Load Sharing (Round-Robin) | ✓ | ✓ | ✓ |
Traffic Management | |||
Guarantee/Restrict Bandwidth | ✓ | ✓ | ✓ |
Apply to All Policies, Per Policy, Per IP Address | ✓ | ✓ | ✓ |
Forward / Reverse | ✓ | ✓ | ✓ |
Apply to Applications and Application Categories | ✓ | ✓ | ✓ |
QoS | |||
QoS Marking | ✓ | ✓ | ✓ |
Traffic Priority | ✓ | ✓ | ✓ |
Quotas | × | ✓ | ✓ |
Mobile VPN | |||
Mobile VPN with IKEv2 | ✓ | ✓ | ✓ |
Mobile VPN with SSL | ✓ | ✓ | ✓ |
Custom Networks for Mobile VPN with SSL | × | ✓ | ✓ |
Mobile VPN with L2TP | × | ✓ | ✓ |
Mobile VPN with IPSec | × | ✓ | ✓ |
Network Access Enforcement (Endpoint) | ✓ | ✓ | ✓ |
Branch Office VPN | |||
Firebox to Firebox - IKEv2 Routed | ✓ | ✓ | ✓ |
Firebox to Third-Party - IKEv2 Routed | ✓ | ✓ | ✓ |
BOVPN Over SSL | × | ✓ | ✓ |
Firebox to Third-Party - IPSec | × | ✓ | ✓ |
Policy-Based VPNs | × | ✓ | ✓ |
DF Bit and MTU per VPN | ✓ | ✓ | ✓ |
Multiple External Interfaces for BOVPNs to Third-Party Endpoints | × | ✓ | ✓ |
Domain User as Endpoint ID for BOVPNs to Third-Party Endpoints | × | ✓ | ✓ |
1-to-1 NAT through BOVPN | ✓ | ✓ | ✓ |
Security Services | |||
Blocked Ports | ✓ | ✓ | ✓ |
Blocked Sites | ✓ | ✓ | ✓ |
Manage Auto-Blocked Ports | × | ✓ | ✓ |
Manage Auto-Blocked Sites | × | ✓ | ✓ |
Intrusion Prevention Service (IPS) | ✓ | ✓ | ✓ |
- IPS Signature Exceptions | ✓ | ✓ | ✓ |
- Signature Updates through Proxy Server | × | ✓ | ✓ |
Application Control | ✓ | ✓ | ✓ |
WebBlocker | ✓ | ✓ | ✓ |
- URL Filtering by Policy | ✓ | ✓ | ✓ |
- Alarm by Category | ✓ | ✓ | ✓ |
- Warn | ✓ | ✓ | ✓ |
- On-Premises WebBlocker Server | × | ✓ | ✓ |
- Password Override | × | ✓ | ✓ |
spamBlocker | ✓ | ✓ | ✓ |
Gateway AntiVirus | ✓ | ✓ | ✓ |
Geolocation | ✓ | ✓ | ✓ |
Botnet Protection | ✓ | ✓ | ✓ |
APT Blocker | ✓ | ✓ | ✓ |
- Select Server Region | × | ✓ | ✓ |
DNSWatch | ✓ | ✓ | ✓ |
IntelligentAV | ✓ | ✓ | ✓ |
Visibility in WatchGuard Cloud | ✓ | ✓ | ✓ |
Network Discovery | × | × | ✓ |
Access Portal | × | ✓ | ✓ |
Data Loss Prevention | × | ✓ | ✓ |
EDR Core | ✓ | ✓ | ✓ |
ThreatSync | ✓ | ✓ | ✓ |
Default Threat Protection | |||
Default Packet Handling | ✓ | ✓ | ✓ |
Authentication | |||
Firebox Database | ✓ | ✓ | ✓ |
RADIUS | ✓ | ✓ | ✓ |
Active Directory | ✓ | ✓ | ✓ |
Authentication Domains | ✓ | × | × |
SSO | ✓ | ✓ | ✓ |
AuthPoint Integration (no RADIUS) | ✓ | ✓ | ✓ |
Terminal Services | × | ✓ | ✓ |
General Settings | |||
NTP Servers | ✓ | ✓ | ✓ |
Device Feedback | ✓ | ✓ | ✓ |
Fault Reports | ✓ | ✓ | ✓ |
Certificate Management | |||
Proxy Authority Certificates | ✓ | ✓ | ✓ |
VPN Certificates | ✓ | ✓ | ✓ |
Certificate Signing Requests | ✓ | ✓ | ✓ |
Web Server Certificates | ✓ | ✓ | ✓ |
Troubleshooting Tools | |||
Interface Status | ✓ | ✓ | ✓ |
Ping | ✓ | ✓ | ✓ |
TCP Dump | ✓ | ✓ | ✓ |
nslookup | ✓ | ✓ | ✓ |
Download Support.TGZ File | ✓ | ✓ | ✓ |
For information on the Firebox security features available with a Standard Support, Basic Security Suite, or Total Security Suite license, go to Security Services on WatchGuard.com.
WatchGuard Cloud Features Supported by Fireboxes
You can add both locally-managed and cloud-managed devices to WatchGuard Cloud.
This table shows the WatchGuard Cloud features supported by locally-managed and cloud-managed Fireboxes that you add to WatchGuard Cloud:
WatchGuard Cloud Features | Cloud-Managed | Locally-Managed |
---|---|---|
Manage Firebox configuration settings, such as policies, security services, and VPNs | ✓ | × |
Manage FireCluster configurations | ✓ | × |
Initiate FireCluster system actions (upgrade firmware, reboot, and failover) | ✓ | ✓ |
Configure shared device settings in templates | ✓ | × |
Schedule and deploy changes to device settings | ✓ | × |
Revert to a previously deployed configuration | ✓ | × |
Monitor live status (network status, routes, VPNs, users, FireCluster, etc.) | ✓ | ✓ |
View log messages and reports | ✓ | ✓ |
Upgrade firmware | ✓ | ✓ |
Manage Firebox backups | × | ✓ |
Reboot the Firebox | ✓ | ✓ |
Send incident data to ThreatSync | ✓ | ✓ |
Features and Benefits of Firebox Management in WatchGuard Cloud (KB article)
Get Started — Add a Device to WatchGuard Cloud
Change a Locally-Managed Firebox to Cloud Management
Upgrade Firmware in WatchGuard Cloud
Manage Firebox Backup Images in WatchGuard Cloud
Live Status Reporting for Fireboxes and FireClusters