Add a Cloud-Managed Firebox to WatchGuard Cloud

Applies To: Cloud-managed Fireboxes

To manage a Firebox configuration from WatchGuard Cloud, you must add the Firebox to WatchGuard Cloud as a cloud-managed device. You can manage a cloud-managed Firebox from WatchGuard Cloud only.

Before You Begin

Before you add a Firebox to WatchGuard Cloud, make sure that:

  • You have activated the Firebox in your WatchGuard Portal account.
  • The Firebox has a current Total Security or Basic Security Suite subscription.
  • The Firebox is allocated to a Subscriber account (Service Providers only). For more information, see Firebox Allocation.
  • The Firebox is connected to the network and has reliable Internet access.

To add a Firebox as a cloud-managed device, it must meet these requirements:

For a Firebox to successfully connect to WatchGuard Cloud as a cloud-managed device, it must run Fireware v12.5.7 or higher (M series) or Fireware v12.6.4 or higher (T series).

The Fireware version your new Firebox was manufactured with is printed on a sticker on the Firebox packaging. The version of Fireware originally manufactured on the device also appears in the Device Information section of the Product Details page in the WatchGuard Portal.

If your Firebox uses a lower version of Fireware, you must first set up the Firebox as a locally-managed device and upgrade it to Fireware to v12.5.4 or higher (M series) or Fireware v12.6.4 or higher (T series) before you can add it as a cloud-managed device. The device will auto-upgrade to the latest firmware version for that device. For information about Fireware upgrade methods, see Firebox Upgrade, Downgrade, and Migration.

If you previously configured the Firebox as a locally-managed device, you must reset it to factory-default settings before it can connect to WatchGuard Cloud as a cloud-managed device. For the steps to reset your Firebox, see Reset a Firebox.

Add a Cloud-Managed Firebox to WatchGuard Cloud

When you add a Firebox to WatchGuard Cloud as a cloud-managed device, you configure the device name, time zone, external network settings, wireless, and device passwords. Other device settings are automatically configured with secure defaults.

To add a Firebox to WatchGuard Cloud as a cloud-managed device:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Manage > Devices or Configure > Devices.
  4. Click Add Device.
    A list of activated Fireboxes opens.
  5. Click the Name of the Firebox you want to add or click .
    A confirmation dialog box opens.
  6. Click Add Device.
    The Add Device to WatchGuard Cloud page opens.

Screen shot of the Add Device page with the Cloud-Managed option selected

  1. Select Cloud-Managed.
  2. Configure Firebox system settings:
    • Name — The name to identify the Firebox in WatchGuard Cloud
    • Time Zone — The time zone of the location where the Firebox is installed.

Screen shot of the Device Name and Time Zone settings

  1. Select the Connection Type for the Firebox external interface. Select and configure one of these options:

DHCP

Select this option to configure the Firebox to use DHCP to request an IP address on the external network.

Screen shot of the External Network settings, DHCP

If you select DHCP, there are no other network settings to configure.

Static IP

Select this option to configure the Firebox to use a static IP address on the external network.

Screen shot of the External Network settings, Static IP

If you select Static IP, configure the Firebox external network IP address and netmask, a network gateway on the same subnet, and the IP address for a public DNS server.

PPPoE

Select this option to configure the Firebox to use PPPoE to get an IP address on the external network.

Screen shot of the External Network settings, PPPoE

If you select PPPoE, configure the user name and password, and select whether to obtain an IP address automatically or to configure a specific IP address.

  1. For a wireless Firebox, you can enable wireless on the internal and guest networks.
    • Enable Wireless — Enable this option to configure an SSID and passphrase for wireless connections to the internal network.
    • Enable Guest Wireless — Enable this option to configure an SSID and passphrase for wireless connections to the guest network.

Screen shot of the wireless settings

  1. Set Firebox device passwords for connections to Fireware Web UI on the Firebox. Device passwords must be 8-32 characters long, and must contain upper and lowercase letters, at least one number, and at least one symbol.

For a cloud-managed Firebox, you can use Fireware Web UI to recover the Firebox connection to WatchGuard Cloud. You cannot use Fireware Web UI to modify the Firebox configuration.

  1. On the last page of the Add Device wizard, review the steps to connect the Firebox.
    If the Connection Type is Static IP or PPPoE, you must complete additional steps to configure the Firebox to connect.

Screen shot of the Connect Your Device page for the Static IP connection type

  • To print the entire page of instructions, click Print instructions.
  • To download the connection settings, click Download the connection settings file. The following are required for correct downloads: 
    • The USB drive must be formatted with the FAT, VFAT, or FAT32 file system and must be writable. 
    • The file must be saved as the CSV (Comma Delimited) (*.csv) file type.

For more information, see Use a USB Drive to Configure Interface Settings.

After you add a cloud-managed Firebox, the device configuration is immediately deployed and available for the Firebox to download.

Firebox Default Configuration Settings

The initial configuration for a cloud-managed Firebox includes these settings:

Networks:

  • External (Interface 0) — IP address settings you configured
  • Internal (all other interfaces, bridged) — IP address 10.0.1.1/24
  • Guest (wireless, if supported and enabled) — IP address 10.0.1.2/24

Policies:

  • Outgoing — Allows outbound TCP, UDP, and Ping connections from the internal network to the external networks
  • Guest — Allows outbound TCP, UDP, and Ping connections from guest networks

Security Services:

  • Security Services are enabled in the default policies

After you add the cloud-managed Firebox, you can edit the configuration and deploy the updates for the Firebox to download.

Connect the Firebox

Connect the Firebox to a network with reliable Internet access. The steps to set up and connect the Firebox depend on how the Firebox gets an IP address for the external interface.

To connect a Firebox that can use DHCP to get an IP address:

  1. Connect interface 0 to the network.
  2. Start the Firebox with factory-default settings.
    The Firebox automatically tries to connect to WatchGuard Cloud to download its configuration.

For steps to reset the Firebox to factory-default settings, see Reset a Firebox.

If your Firebox cannot get an address through DHCP, you can use the Web Setup Wizard to configure connection settings, or you can use the connection settings file.

To use the Web Setup Wizard:

  1. Connect Firebox interface 0 to a network with Internet access.
  2. Start the Firebox with factory-default settings.
  3. Connect Firebox interface 1 to your computer.
  4. Open a web browser and go to https://10.0.1.1:8080.
  5. Log in with the user name admin and the passphrase readwrite.
  6. Select Cloud-Managed as the configuration method.
  7. Configure external network settings required for the Firebox to connect to your network.
    The Firebox uses these settings to connect to the local network, and then connects to WatchGuard Cloud to download its configuration.

For information about how to use the connection settings file to set up your Firebox, see Use a USB Drive to Configure Interface Settings.

Automatic Firmware Upgrade

The minimum version of Fireware required for WatchGuard Cloud to deploy a configuration might be higher than the version currently installed on the Firebox. The minimum firmware version required for cloud management is v12.5.7 or v12.6.4, whichever version is supported for your Firebox model.

The first time the Firebox connects, WatchGuard Cloud determines if your Firebox requires an upgrade before it can download the configuration. If an upgrade is required (for example, v12.5.4 to v12.5.6 or v12.6.1 to v12.6.3), WatchGuard Cloud automatically upgrades the Firebox to the latest Fireware version for cloud-management. After the upgrade is complete, the Firebox connects to WatchGuard Cloud to download its configuration.

Verify the Firebox Status

After you connect the Firebox, verify the Firebox connection status and other summary information on the Device Summary page and Live Status pages.

For more information, see

See Also

About WatchGuard Cloud

Recover the Firebox Connection to WatchGuard Cloud

Add FireboxV to WatchGuard Cloud (Cloud-Managed)

Add Firebox Cloud to WatchGuard Cloud (Cloud-Managed)