Applies To: Cloud-managed Fireboxes
To switch a Firebox from cloud management to local management, and continue to use WatchGuard Cloud for monitoring, you can remove the Firebox from cloud management.
When you remove a Firebox from cloud management:
- The Firebox becomes locally-managed.
- The Firebox continues to use the last deployed configuration.
- The Firebox continues to send log messages to WatchGuard Cloud.
- Stored log data and reports remain visible in WatchGuard Cloud.
- The admin and status accounts use the device passwords configured in WatchGuard Cloud.
After you remove the Firebox from cloud management, you must use Fireware Web UI or Policy Manager to manage the configuration.
Before you remove a Firebox from cloud management, make sure you know the device passwords. You must use the device passwords to connect to the Firebox for local management. For information about how to update the passwords, see Update Cloud-Managed Firebox Device Passwords.
To remove a Firebox from cloud management, and keep it in WatchGuard Cloud for monitoring:
- Log in to WatchGuard Cloud.
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- In the Cloud Management section, click Remove.
A confirmation dialog box opens.
- Click Remove.
The device becomes locally-managed.
To manage the Firebox with WatchGuard System Manager after you remove it from cloud management, you must add a WG-Firebox-Mgmt firewall policy to the Firebox from Fireware Web UI.
To add the WG-Firebox-Mgmt firewall policy to the Firebox, from Fireware Web UI:
- Select Firewall > Firewall Policies.
The Policies page opens.
- Click Add Policy.
The Add Firewall Policy page opens.
- For the policy type, select Packet Filter.
- From the Packet Filter drop-down list, select WG-Firebox-Mgmt. Click Add Policy.
A page that shows the new policy properties opens.
- On the Settings tab, configure the policy with these settings:
  - From: Any-Trusted, Any-Optional
  - To: Firebox
You can now manage the Firebox with WatchGuard System Manager.
For more information about firewall policy configuration, see Add Policies to Your Configuration.
If the cloud-managed Firebox had a BOVPN configured to another cloud-managed Firebox, the BOVPN remains in WatchGuard Cloud, but is invalid, because it has only one endpoint. You can view and delete the BOVPN, but you cannot edit it. Before you delete the BOVPN, remove references to the BOVPN in the configuration of the other Firebox.
If you remove a Firebox from cloud management, WatchGuard continues to store device configuration data for one year, or until you deallocate the device from the account, whichever comes first. If you later add the Firebox back to the same account as a cloud-managed device, the Deployment History shows previous configurations deployed to that device.