When you enable WatchGuard Cloud on a Firebox, the Firebox connects to WatchGuard Cloud to register. Firebox registration happens only once, to associate the Firebox with your WatchGuard Cloud account. After successful registration, the Firebox sends log messages and device status to WatchGuard Cloud.
This topic describes how to troubleshoot issues with Firebox registration and connections to WatchGuard Cloud.
See the Firebox Connection Status
You can see the Firebox connection status in the Device Summary. For more information, see WatchGuard Cloud Device Summary.
The connection status indicates whether the Firebox is connected to your WatchGuard Cloud account. It can be one of these values:
Never Connected — The device has never connected to WatchGuard Cloud.
Connected — The device is connected to WatchGuard Cloud.
Not Connected — The device is not connected to WatchGuard Cloud.
Inactive — The device is inactive. For more information, see Inactive Devices and Data Retention.
If the device status is not Connected, the Firebox is not connected to WatchGuard Cloud. To troubleshoot the issue you must connect to the Firebox and get more information. For more information, see WatchGuard Cloud Status on the Firebox.
The expected status of cluster members depends on the cluster type:
Only the cluster master connects to WatchGuard Cloud. The status of the cluster master is Connected. The status of the backup master is Never Connected or Not Connected.
Both cluster members connect to WatchGuard Cloud. The status of both members is Connected. To determine which Firebox serial number corresponds to the cluster master or backup master, connect to Fireware Web UI and select System Status > FireCluster. Or, in WatchGuard System Manager, connect to the cluster and expand the Cluster section.
Troubleshoot Registration Errors
When you enable WatchGuard Cloud, your Firebox connects to WatchGuard Cloud on HTTPS port 443 to register. To register to your WatchGuard Cloud account, the Firebox sends the WatchGuard Cloud Verification Code. A problem with the connection or the Verification Code can cause a registration error.
If your Firebox has a TPM (Trusted Platform Module) chip, and runs Fireware v12.5.3 or higher, the Firebox uses TPM to register with WatchGuard Cloud.
Firebox T10, T30, T50, T70, M200, M300, M400, M500, M440, M4600, and M5600 models do not have a TPM chip.
For an active/passive FireCluster, you must always paste the verification code into the Firebox configuration, regardless of Firebox model.
If the Firebox could not register to your WatchGuard Cloud account:
- WatchGuard Cloud status on the Firebox is Failed Registration.
- Firebox status in WatchGuard Cloud is Never Connected.
To resolve a Firebox registration failure:
- Make sure your Firebox can make outbound connections on HTTPS port 443.
- If your Firebox requires a Verification Code, make sure the Verification Code on the Firebox matches the code generated in WatchGuard Cloud. Each Verification Code is for a specific Firebox, and expires after 30 days. To make sure that the Verification Code matches, you can regenerate the Verification Code and paste it into the Firebox configuration. For more information, see Regenerate the Firebox Verification Code.
If you remove a Firebox that runs Fireware v12.4 or lower from WatchGuard Cloud, you must upgrade the Firebox to Fireware v12.4.1 or higher before you can add a new Verification Code to the Firebox.
If you cannot find where to paste the Verification Code on the Firebox:
- The Verification Code is not required.
- In Fireware v12.5.3 or higher, the Verification Code is required only for:
- Firebox T10, T30, T50, T70
- Firebox M200, M300, M400, M500, M440, M4600, M5600
- Active/passive FireCluster (all Firebox models)
In Fireware v12.5.2 and lower, all Firebox models require the Verification Code. If your Firebox was manufactured with Fireware v12.5.2 or lower, WatchGuard Cloud always requires you to copy the Verification Code.
If you upgrade the Firebox to Fireware v12.5.3 or higher, and your Firebox does not require the Verification Code, there is no text box to paste it in Fireware Web UI or Policy Manager, and you do not have to paste the code to complete registration.
Troubleshoot Connection Errors
After the Firebox is registered, it connects to WatchGuard Cloud to send log messages and device status. The port the Firebox uses to connect to WatchGuard Cloud after registration depends on the Fireware version:
- In Fireware v12.0.x – v12.2.x it connects on TCP port 8883
- In Fireware v12.3 or higher it connects on TCP port 443
WatchGuard Cloud connection status displays in the Front Panel in Firebox System Manager and Fireware Web UI.
If the Firebox is registered but cannot connect to WatchGuard Cloud:
- WatchGuard Cloud status on the Firebox is Connection Failed.
- Firebox status in WatchGuard Cloud Device Summary is Offline.
If the Firebox connection failed:
- If your Firebox runs Fireware v12.0.x – v12.2.x, make sure any intermediate firewalls do not block outbound connections on TCP port 8883. Or, upgrade the Firebox to Fireware v12.3 or higher so that it uses TCP port 443 to connect.
- Make sure that the Firebox can resolve the FQDN of the WatchGuard Cloud server. Tip!
- Check the WatchGuard Cloud Status section of the Status Report on the Firebox for more detailed information to help you troubleshoot the issue.
See WatchGuard Cloud Status in the Firebox Status Report
You can see information that is useful for troubleshooting in the Status Report on the Firebox.
To see the Firebox Status Report:
- Connect to the Firebox with Firebox System Manager.
- Select the Status Report tab.
WatchGuard Cloud status information shows in the WatchGuard Cloud Status section.
The WatchGuard Cloud Status section includes this information:
Indicates whether the Firebox successfully registered with WatchGuard Cloud. It can have one of these values:
- 0 — Not registered
- 1 — Registration in progress
- 2 — Registration successful
- 3 — Registration failed
Indicates whether WatchGuard Cloud is enabled on the Firebox. It can have one of these values:
- 0 — Not enabled
- 1 — Enabled
Indicates whether the Firebox is connected to WatchGuard Cloud. It can have one of these values:
- 0 — Not connected
- 1 — Connected
The token_required status indicates whether the Firebox has a TPM chip. If the Firebox does not have a TPM chip, or is a member of an active/passive FireCluster, it requires a Verification Code to register.
- 0 — Firebox has a TPM chip
- 1 — Firebox does not have a TPM chip
The FQDN and port of the WatchGuard Cloud server.
The FQDN of the Firebox API endpoint.
Indicates whether logging is enabled for this device in WatchGuard Cloud. It can have one of these values:
- 0 — Disabled
- 1 — Enabled
Indicates whether Firebox management from WatchGuard Cloud is enabled. The value is always 0 (Disabled). Firebox management from WatchGuard Cloud is not yet supported.