Upgrade Firmware from WatchGuard Cloud

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes, WatchGuard Cloud-managed Access Points

You can upgrade firmware for a device from WatchGuard Cloud. Service Providers can upgrade the firmware for any account they manage. You can upgrade the firmware immediately or schedule the upgrade for a future time.

For locally-managed Fireboxes only, the Firebox automatically creates a backup when firmware is upgraded from WatchGuard Cloud. For information on how to create a backup image manually, see Manage Firebox Backup Images in WatchGuard Cloud.

An individual Firebox must run Fireware v12.5.2 or higher to be able to update the firmware from WatchGuard Cloud. To upgrade a FireCluster in WatchGuard Cloud, cluster members must run Fireware v12.7.1 or higher (or v12.5.8 or higher for T10, T15, T30, T35, T50, M200, and M300 Fireboxes).

To see and manage firmware upgrades:

  1. Sign in to your WatchGuard Cloud account.
    For Service Provider operators, select Overview or a child Service Provider account.
  2. Select Configure > Devices.
  3. Select Firmware Upgrades.

Firmware Upgrades page for Subscriber account

Firmware Upgrades page for Service Provider account

The Firmware Upgrades Overview section shows the total number of devices with each of these upgrade statuses:

  • Devices ready to upgrade now — Devices that are online, with an upgrade available
  • Devices scheduled to upgrade — Devices that have an upgrade scheduled
  • Devices pending upgrade — Devices that have an upgrade in progress
  • Devices failed to upgrade — Devices that failed to upgrade

The number of devices available for upgrade also shows on the Monitor > Devices > Device Summary page when you select the top-level folder.

To filter the device list on this page, click a tile, select the type of device, or select the view filter from the drop-down list above the device list.

To upgrade firmware for one or more devices:

  1. In the Firmware Upgrades window, click Upgrade Firmware.
    The Upgrade Firmware wizard opens. You can also click the Upgrade icon in the Firmware Version column to open the wizard.
  2. If available, select the device type, such as Firebox or Access Point. Click Next.
  3. From the Firmware Version drop-down list, select the firmware version to upgrade to. The three most recently released versions of firmware appear in the list.
    This list can include beta releases. For information on how to enable beta releases, see Enable Beta Features and Applications.

Screen shot of Upgrade Firmware wizard, Select Firmware Version

  4. Click Next.
    The Select Devices page opens.

Screen shot of Upgrade Firmware wizard, Select Devices

  5. From the list of devices, select the devices to upgrade. Click Next.
    The Schedule Upgrade page opens.

Screen shot of Upgrade Firmware wizard, Schedule Upgrade

  6. Select when to upgrade the firmware:
    • To upgrade selected devices now, select Upgrade now. This option is available only if all selected devices are connected to WatchGuard Cloud.
    • To schedule the upgrade for a later time, select Schedule upgrade. Specify the Start Date, Start Time, and Time Zone when the upgrade will occur.
    • Select the Adjust for daylight saving time check box to automatically adjust the time during daylight savings.
    The default time zone for a scheduled upgrade is based on the time zone of the web browser. Make sure that the selected upgrade time and time zone correspond to the local time you want to upgrade each selected device.
  7. Click Next.
  8. Confirm the upgrade details. Click Update.

To cancel a scheduled upgrade:

  1. Sign in to your WatchGuard Cloud account.
    For Service Provider operators, select Overview or a child Service Provider account.
  2. Select Configure > Firmware Upgrades.
  3. In the table, click in the row for the device upgrade you want to cancel.

  4. Select Delete Scheduled Upgrade.
  5. Click Delete.

Downgrade Firmware on a Cloud-Managed Device

If necessary, you can downgrade the firmware on your cloud-managed device to an older version.

Downgrade Access Points

For access points, you can select an available lower firmware version to downgrade to during the firmware update process.

Downgrade a Firebox

We recommend that for a Firebox you restore an auto-backup. For more information, see Manage Firebox Backup Images in WatchGuard Cloud.

If an auto-backup is not available or appropriate, you can manually downgrade your cloud-managed device. To do this, you first remove the device from WatchGuard Cloud and then add it back. This ensures that when the device reboots, if it has DHCP, it automatically connects to WatchGuard Cloud as a cloud-managed device.

You must also have access to the sysa-dl file for the Fireware version you want to downgrade to. For more information, see Download an Upgrade File. When you downgrade the firmware, the device resets to factory-default settings. The Firebox automatically downloads a default configuration file. You can then restore a specific, previously deployed configuration in WatchGuard Cloud. For more information, see Manage Firebox Backup Images in WatchGuard Cloud.

If you downgrade to a Fireware version in the range v12.5.3 to v12.5.6 or in the range v12.6.1 to v12.6.3, WatchGuard Cloud automatically upgrades the firmware to the latest general (non-Beta) release for cloud management.
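The version rules on this page (the minimum Fireware versions for upgrades from WatchGuard Cloud, and the downgrade targets that WatchGuard Cloud upgrades again) can be checked against a device inventory before you schedule a change. The following is an added example, not WatchGuard code; the inventory fields, device names, and function names are assumptions, and the sample inventory is constructed.

```python
import re

# Thresholds as stated on this page.
MIN_SINGLE = (12, 5, 2)             # individual Firebox
MIN_CLUSTER = (12, 7, 1)            # FireCluster member
MIN_CLUSTER_EXCEPTION = (12, 5, 8)  # FireCluster member, models listed below
EXCEPTION_MODELS = {"T10", "T15", "T30", "T35", "T50", "M200", "M300"}
AUTO_UPGRADE_RANGES = [((12, 5, 3), (12, 5, 6)), ((12, 6, 1), (12, 6, 3))]

# Constructed sample inventory; the field names are assumptions.
INVENTORY = [
    {"name": "branch-01", "model": "T35", "fireware": "v12.5.9", "cluster": True},
    {"name": "branch-02", "model": "M470", "fireware": "12.6.4", "cluster": True},
    {"name": "hq-01", "model": "M470", "fireware": "12.10.3", "cluster": False},
    {"name": "lab-01", "model": "T40", "fireware": "12.5.1", "cluster": False},
]

def parse_version(text):
    """Parse 'v12.5.8' or '12.7' into an int tuple so 12.10 sorts above 12.5."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognized Fireware version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())

def upgrade_blocker(device):
    """Return None if the device meets the page's minimum, else the reason."""
    if not device["cluster"]:
        minimum = MIN_SINGLE
    elif device["model"].upper() in EXCEPTION_MODELS:
        minimum = MIN_CLUSTER_EXCEPTION
    else:
        minimum = MIN_CLUSTER
    if parse_version(device["fireware"]) < minimum:
        return "needs Fireware v%d.%d.%d or higher" % minimum
    return None

def downgrade_is_auto_upgraded(target):
    """True if WatchGuard Cloud would upgrade this downgrade target again."""
    version = parse_version(target)
    return any(low <= version <= high for low, high in AUTO_UPGRADE_RANGES)

def report(inventory):
    """Map each device name to None (eligible) or the blocking reason."""
    return {d["name"]: upgrade_blocker(d) for d in inventory}

if __name__ == "__main__":
    for name, reason in report(INVENTORY).items():
        print(name, "OK" if reason is None else reason)
```

Versions are compared as integer tuples because a plain string comparison would rank 12.10.3 below 12.5.2.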

To downgrade firmware on a cloud-managed Firebox:

  1. In WatchGuard Cloud, select Configure > Devices.
  2. Select the cloud-managed device you want to downgrade.
  3. On the Device Settings page, click Remove Device.

  4. In the Remove Device dialog box, click Remove.
    When you remove a device, it maintains the WatchGuard Cloud passwords, but is no longer cloud-managed.
  5. At the bottom of Account Manager, click Add Device and add the Firebox back to WatchGuard Cloud as a cloud-managed device.

Screen shot of the Add Device page with the Cloud-Managed option selected

    For more information, see Add a Cloud-Managed Firebox to WatchGuard Cloud.

  6. Connect to the device.
    1. From a computer on a network connected to the cloud-managed Firebox, open a web browser.
    2. In the web browser, go to https://<firebox IP address>:8080.
      The Fireware Web UI login page opens.
    3. Log in with the user name admin and the passphrase you previously set for this device in WatchGuard Cloud.
    4. From the left pane, select System > Upgrade OS.
  7. Select I have an upgrade file and then select the sysa-dl file you want to downgrade to.
  8. Click Upgrade.
  9. When no backup image is available or appropriate, click No.
  10. Click Yes to complete the downgrade and restart the device automatically.
    The Firebox completes the downgrade and restarts. This can take 5 to 10 minutes to complete.

After the downgrade, the network and security settings are reset to factory default settings, but the admin and status passphrases are not reset. To manage the device, you must connect to it on Eth1, with the default IP address 10.0.1.1. For more information about the factory default settings, see About Factory-Default Settings.

If the Firebox (with TPM chip) uses DHCP and receives an IP address, it connects automatically to WatchGuard Cloud as a cloud-managed device. If the Firebox uses a Static IP address or PPPoE external connection, there must be someone onsite to run the Web Setup Wizard or to use a USB drive to gain Internet access to connect to WatchGuard Cloud. For more information, see Connect the Firebox.

See Also

Upgrade a FireCluster in WatchGuard Cloud

Downgrade Fireware OS

About WatchGuard Cloud Account Manager (Service Providers)

About WatchGuard Cloud Device Manager (Subscribers)

Reboot a Firebox

Manage Firebox Backup Images in WatchGuard Cloud