Setup Wizard Default Policies and Settings

You use the Web Setup Wizard or WSM Quick Setup Wizard to set up a Firebox with a basic configuration. The setup wizards help you to configure basic network and administrative settings and automatically configure security policies and licensed security services with recommended settings.

Default Enabled Interfaces

The setup wizards enable these interfaces with settings you specify:

  • External — Interfaces 0
  • Trusted —  Interface 1 
  • Optional — Interface 2 (configurable in the WSM Quick Setup Wizard only)

All other interfaces are disabled by default.


In Fireware v12.5.3 and higher, the setup wizards enable and configure the built-in wireless access point on wireless Fireboxes. In the setup wizard, you configure the SSID and password to enable Wi-Fi connections to the trusted network. The Web Setup Wizard configures a trusted network bridge:

  • Network and DHCP settings match the trusted network settings configured in the setup wizard
  • Bridge Members — Trusted (interface1) and the wireless access point (ath1)

If you disable the default trusted bridge, you lose your connection to the Firebox. Before you disable the trusted bridge, configure another trusted network interface that you can connect to.

Default Policies and Services

The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox, and on whether the Firebox feature key includes a license for subscription services.

When you use the setup wizards to create a new configuration, they automatically configure proxy policies and enable most licensed subscription services with recommended settings.

The setup wizards add these default policies:

  • FTP-proxy, with the Default-FTP-Client proxy action
  • HTTP-proxy, with the Default-HTTP-Client proxy action
  • HTTPS-proxy, with the Default-HTTPS-Client proxy action
  • WatchGuard Certificate Portal (Fireware v12.3 and higher)
  • WatchGuard Web UI
  • Ping
  • DNS
  • WatchGuard
  • Outgoing

With these default policies, the Firebox: 

  • Does not allow connections from the external network to the trusted or optional networks, or the Firebox
  • Allows management connections to the Firebox from the trusted and optional networks only
  • Inspects outgoing FTP, HTTP, and HTTPS traffic, with recommended proxy action settings
  • Uses Application Control, WebBlocker, Gateway AntiVirus, Intrusion Prevention, Application Control, Reputation Enabled Defense, Botnet Detection, Geolocation, and APT Blocker security services to protect the trusted and optional networks

The web reputation authority service provided by Reputation Enabled Defense (RED) is deprecated. For more information, go to this Partner Blog post.

  • Allows outgoing FTP, Ping, DNS, TCP, and UDP connections from the trusted and optional networks

For a Firebox that runs Fireware v11.12 or higher, the setup wizards create three proxy actions that are used by the default proxy policies.


  • Used by the FTP-proxy
  • Based on FTP-Client.Standard
  • Gateway AntiVirus is enabled
  • Logging for reports is enabled


  • Used by the HTTP-proxy
  • Based on the HTTP-Client.Standard proxy action
  • WebBlocker, Gateway AntiVirus, Reputation Enabled Defense, and APT Blocker are enabled

The web reputation authority service provided by Reputation Enabled Defense (RED) is deprecated. For more information, go to this Partner Blog post.

  • Logging for reports is enabled


  • Used by the HTTPS-proxy
  • Based on the HTTPS-Client.Standard proxy action
  • WebBlocker is enabled
  • Content Inspection uses the Default-HTTP-Client proxy action, but Content Inspection is not enabled
  • Logging for reports is enabled

You can edit these proxy actions to suit the needs of your network, and you can use these proxy actions for other proxy policies you add.

Default Subscription Services Configuration

The setup wizards enable most licensed security services by default with recommended settings if the feature key includes those features. The Botnet Detection, Tor Exit Node Blocking, and Geolocation features are enabled if the Firebox has a feature key for Reputation Enabled Defense.

The setup wizards configure subscription services only if the Firebox has a feature key that includes those services. If there is no feature key, or if there are no licensed subscription services in the feature key, the wizard configures the policies without subscription services enabled.

Logging for Reports

The setup wizards enable logging for reports, as described in Where to Enable Logging for Reports.

For packet-filter policies, logging is enabled at the policy level. For default proxy policies, logging is enabled in the proxy action.

  • Send a log message — Enabled in the Ping, DNS, and Outgoing policies
  • Send a log message for reports — Enabled in the Ping, DNS, and Outgoing policies
  • Enable logging for reports — Enabled in the Default-FTP-Client, Default-HTTP-Client, and Default-HTTPS-Client proxy actions

For each subscription service, the actions are configured to send log messages, as described in the previous section.

The setup wizard also enables logging of these performance statistics:

  • External interface and VPN bandwidth statistics
  • Security Services Statistics

For more information about these log messages, go to Include Performance Statistics in Log Messages (WSM).

Default Blocked Sites Exceptions

The Blocked Sites Exceptions list configured by the setup wizards includes default exceptions for servers that WatchGuard products and subscription services must connect to. For more information about the default blocked sites exceptions, go to About Blocked Sites.

Related Topics

About Firebox Setup Wizards