Add a Cloud-Managed Firebox to WatchGuard Cloud
Applies To: Cloud-managed Fireboxes
To manage a Firebox configuration from WatchGuard Cloud, you must add the Firebox to WatchGuard Cloud as a cloud-managed device. A cloud-managed Firebox can be managed only from WatchGuard Cloud.
Before You Begin
Before you add a Firebox to WatchGuard Cloud, make sure that:
- You have activated the Firebox in your WatchGuard Portal account
- The Firebox has a current Total Security or Basic Security Suite subscription
- The Firebox has been allocated to a subscriber account (Service Providers only). For more information, see Firebox Allocation.
To add a Firebox as a cloud-managed device, it must meet these requirements:

For a Firebox to successfully connect to WatchGuard Cloud as a cloud-managed device, it must run Fireware v12.5.4 or higher.
The Fireware version your new Firebox was manufactured with is printed on a sticker on the Firebox packaging. The version of Fireware originally manufactured on the device appears in the Device Information section of the Product Details page in the WatchGuard Portal.
If your Firebox uses a lower version of Fireware, you must first set up the Firebox as a locally managed device and upgrade it to Fireware v12.5.4 or higher before you can add it as a cloud-managed device. For information about Fireware upgrade methods, see Firebox Upgrade, Downgrade, and Migration.

If you previously configured the Firebox as a locally-managed device, you must reset it to factory-default settings before it can connect to WatchGuard Cloud as a cloud-managed device. For the steps to reset your Firebox, see Reset a Firebox.
Add a Cloud-Managed Firebox to WatchGuard Cloud
When you add a Firebox to WatchGuard Cloud as a cloud-managed device, you configure the device name, time zone, external network settings, wireless, and device passwords. Other device settings are automatically configured with secure defaults.
To add a Firebox to WatchGuard Cloud as a cloud-managed device:
- Log in to your WatchGuard Cloud subscriber account.
- Select Manage > Devices or Configure > Devices.
- Click Add Device.
A list of activated Fireboxes opens.
- Click the Name of the Firebox you want to add or click .
A confirmation dialog box opens.
- Click Add Device.
The Add Device page opens.
- Select Cloud-Managed.
- Configure Firebox system settings:
- Name — the name to identify the Firebox in WatchGuard Cloud
- Time Zone — the time zone of the location where the Firebox is installed.
- Select the Connection Type for the Firebox external interface. Select and configure one of these options:
DHCP
Select this option to configure the Firebox to use DHCP to request an IP address on the external network.
If you select DHCP, there are no other network settings to configure.
Static IP
Select this option to configure the Firebox to use a static IP address on the external network.
If you select Static IP, configure the Firebox external network IP address and netmask, a network gateway on the same subnet, and the IP address for a public DNS server.
PPPoE
Select this option to configure the Firebox to use PPPoE to get an IP address on the external network.
If you select PPPoE, configure the User Name and Password, and choose whether to obtain an IP address automatically or to configure a specific IP address.
- For a wireless Firebox, you can enable wireless on the internal and guest networks.
- Enable Wireless — Enable this option to configure an SSID and passphrase for wireless connections to the internal network.
- Enable Guest Wireless — Enable this option to configure an SSID and passphrase for wireless connections to the guest network.
- Set Firebox device passwords for connections to Fireware Web UI on the Firebox. Device passwords must be 8-32 characters long, and must contain upper and lowercase letters, at least one number, and at least one symbol.
For a cloud-managed Firebox, you can use Fireware Web UI to recover the Firebox connection to WatchGuard Cloud. You cannot use Fireware Web UI to modify the Firebox configuration.
- On the last page of the Add Device wizard, review the steps to connect the Firebox.
If the Connection Type is Static IP or PPPoE, you must complete additional steps to configure the Firebox to connect.
- To print the entire page of instructions, click Print instructions.
- To download the connection settings, click Download the connection settings file.
After you add a cloud-managed Firebox, the device configuration is immediately deployed and available for the Firebox to download.
Firebox Default Configuration Settings
The initial configuration for a cloud-managed Firebox includes these settings:
Networks:
- External (Interface 0) — IP address settings you configured
- Internal (all other interfaces, bridged) — IP address 10.0.1.1/24
- Guest (wireless, if supported and enabled) — IP address 10.0.1.2/24
Policies:
- Outgoing — Allows outbound TCP, UDP, and Ping connections from internal network to the external networks
- Guest — Allows outbound TCP, UDP, and Ping connections from guest networks
Security Services:
- Security Services are enabled in the default policies
After you add the cloud-managed Firebox, you can edit the configuration and deploy the updates for the Firebox to download.
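A pre-flight check for the values entered in the Add Device wizard, added here as an example (it is not WatchGuard code): it applies the Static IP rule that the gateway is on the same subnet as the external address and that the DNS server is public, and the device password rule of 8-32 characters with four character classes. The function names, the overlap check against the default internal network 10.0.1.0/24, and the reading of "symbol" as ASCII punctuation are assumptions.

```python
import ipaddress
import string

# Default internal network from this page (10.0.1.1/24).
INTERNAL_DEFAULT = ipaddress.ip_network("10.0.1.0/24")

def check_static_ip(address, netmask, gateway, dns):
    """Return a list of problems with Static IP values (empty list = OK)."""
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
        resolver = ipaddress.IPv4Address(dns)
    except ValueError as exc:  # malformed address or netmask
        return [f"invalid value: {exc}"]
    net, problems = iface.network, []
    if gw not in net:
        problems.append(f"gateway {gw} is not on external subnet {net}")
    if gw == iface.ip:
        problems.append("gateway equals the Firebox external address")
    if not resolver.is_global:
        problems.append(f"DNS server {resolver} is not a public address")
    # Assumption: an external subnet that overlaps the default internal
    # network is treated as a conflict worth catching before deployment.
    if net.overlaps(INTERNAL_DEFAULT):
        problems.append(f"external subnet {net} overlaps {INTERNAL_DEFAULT}")
    return problems

def check_device_password(password):
    """Check the 8-32 character, four-class rule for device passwords."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32 characters")
    classes = {  # Assumption: "symbol" means ASCII punctuation.
        "an uppercase letter": str.isupper,
        "a lowercase letter": str.islower,
        "a number": str.isdigit,
        "a symbol": lambda c: c in string.punctuation,
    }
    for label, test in classes.items():
        if not any(test(c) for c in password):
            problems.append(f"must contain {label}")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation range 203.0.113.0/24).
    print(check_static_ip("203.0.113.10", "255.255.255.0", "203.0.113.1", "9.9.9.9"))
    print(check_static_ip("203.0.113.10", "255.255.255.0", "203.0.114.1", "10.0.1.1"))
    print(check_device_password("readwrite"))  # factory passphrase named on this page
```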
Connect the Firebox
Connect the Firebox to a network with reliable Internet access. The steps to set up and connect the Firebox depend on how the Firebox gets an IP address for the external interface.
To connect a Firebox that can use DHCP to get an IP address:
- Connect interface 0 to the network.
- Start the Firebox with factory-default settings.
The Firebox automatically tries to connect to WatchGuard Cloud to download its configuration.
For steps to reset the Firebox to factory-default settings, see Reset a Firebox.
If your Firebox cannot get an address through DHCP, you can use the Web Setup Wizard to configure connection settings, or you can use the connection settings file.
To use the Web Setup Wizard:
- Connect Firebox interface 0 to a network with Internet access.
- Start the Firebox with factory-default settings.
- Connect Firebox interface 1 to your computer.
- Open a web browser and go to https://10.0.1.1:8080.
- Log in with the user name admin and the passphrase readwrite.
- Select Cloud-Managed as the configuration method.
- Configure external network settings required for the Firebox to connect to your network.
The Firebox uses these settings to connect to the local network, and then connects to WatchGuard Cloud to download its configuration.
For information about how to use the connection settings file to set up your Firebox, see Use a USB Drive to Configure Interface Settings.
Automatic Firmware Upgrade
The minimum version of Fireware required for WatchGuard Cloud to deploy a configuration might be higher than the version currently installed on the Firebox. The minimum firmware version required for cloud management is v12.5.7 or v12.6.4, whichever version is supported for your Firebox model.
The first time the Firebox connects, WatchGuard Cloud determines if your Firebox requires an upgrade before it can download the configuration. If an upgrade is required, WatchGuard Cloud automatically upgrades the Firebox to the minimum Fireware version required for cloud-management. After the upgrade is complete, the Firebox connects to WatchGuard Cloud to download its configuration.
Verify the Firebox Status
After you connect the Firebox, verify the Firebox connection status and other summary information on the Device Summary page and Live Status pages.
For more information, see