Migrate Fireboxes to WatchGuard Cloud — Checklist

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

Use the steps in this checklist to plan how to change your locally-managed Fireboxes to cloud management in WatchGuard Cloud:

Plan the Change to Cloud Management
Set Up WatchGuard Cloud
Plan and Set Up Templates and Configuration Settings
Change Locally-Managed Fireboxes from Visibility to Cloud-Managed
Test the Firebox After Change to Cloud Management

Plan the Change to Cloud Management

Review your current locally-managed Firebox configurations and plan for the change to cloud management.

Step	Description	Completed?
1	Verify the supported features in WatchGuard Cloud. Recommendation: If a specific feature is not yet supported in WatchGuard Cloud, consider whether you really need the feature. Contact your Sales Engineer representative with questions.
2	Plan the scope of your change to cloud management. Recommendation: Based on the size and complexity of your environment, determine whether you can change your Fireboxes to cloud management quickly at the same time or if your deployment is more complex and requires a gradual transition. Define your maintenance windows based on the scope of your deployment. Is your network large or complex? For example: Fireboxes with many unique policies, special VPN configurations or legacy VPNs, or unique routing configurations? Yes — Migrate your Fireboxes gradually. No — Migrate your Fireboxes at the same time.
3	Determine which Fireboxes to change to cloud management first. Create an inventory of your Fireboxes and a diagram of your network topology. Do any devices have dependencies? Recommendation: We recommend you migrate your Fireboxes in this order: Test or internal Fireboxes. Fireboxes for accounts that use a common, standard configuration. Configure a top level template and use the copy configuration feature. Fireboxes with complex configurations. Migrate these devices individually to make sure they are configured correctly.
4	Identify and document unique requirements of your network. Recommendation: Some unique configurations might require careful planning before you change to cloud management, such as: Special VPN configurations or legacy VPNs you must support. Some VPNs might need to be recreated after you change to cloud management. Unique routing configurations for your network.
5	Identify groups of Fireboxes with a common configuration that you can easily move to cloud management.
6	Save a backup copy of up-to-date versions of all Firebox configurations.
7	Create a test plan to verify your Fireboxes after you change to cloud management.

Set Up WatchGuard Cloud

Before you change your Fireboxes to cloud management, set up your WatchGuard Cloud account, operators, and managed accounts.

Step	Description	Completed?
1	Create a WatchGuard Cloud account.
2	Add operators to your WatchGuard Cloud account. Operators are users who can log in to WatchGuard Cloud to view and manage account information, configure services, and see reports.
3	Add managed Subscriber and Service Provider accounts. WatchGuard Cloud is a multi-tenant, multi-tier system. A Service Provider account can create and manage customer accounts up to five tiers. Do you manage other MSPs? Yes — Add a tier-2 Service Provider account to your account for each MSP. Add Subscriber accounts for each customer managed by an MSP to their Service Provider account. No — Add a Subscriber account for each customer you work with. You can manage multiple Fireboxes for a customer within one Subscriber account.
4	(Optional) Add account groups. Use account groups to restrict access to all or specific accounts in WatchGuard Cloud. To simplify account access management, you can assign an operator permissions to manage a group of similar accounts instead of each individual account. Example: Some support staff manage only a specific subset of all your Subscriber accounts. You want to make sure that you only enable access to the Subscribers the operators manage, and not all Subscribers in your WatchGuard Cloud Service Provider account. You can create different account groups and only allow access to the appropriate account group in the settings for the support staff operators. Add account groups to restrict access to all or specific accounts. Operators with Auditor and Helpdesk roles can only manage accounts in their assigned account group. Assign operators to account groups.
5	(Optional) Add device folders to organize devices. Folders enable you to see status and summarized data for groups of devices. Example: If you have devices at several geographic locations, you can create a folder for each location. This enables you to open the folder to see only the devices at that location, and to see summary status and aggregated reports for those devices.
6	Allocate devices to accounts. Fireboxes activated by a Service Provider appear in the Service Provider Inventory in WatchGuard Cloud. After you allocate a Firebox to a Subscriber account, the device appears in the list of devices you can add to that account. To identify which Fireboxes to allocate to specific Subscriber accounts, map your internal POS system to your WatchGuard Cloud Subscriber accounts. Allocate Fireboxes to the relevant Subscriber or Service Provider account. Tier-n Service Providers can then allocate devices to their managed accounts.
7	Add Fireboxes to WatchGuard Cloud for visibility and reporting. When you add your Firebox to WatchGuard Cloud for visibility and reporting, you continue to locally-manage the Firebox configuration with Fireware Web UI or WatchGuard System Manager. This makes it easier to change the Firebox to cloud management later.

Plan and Set Up Templates and Configuration Settings

After you add your Fireboxes to WatchGuard Cloud, set up templates and configuration settings for the devices.

We recommend you review your current configuration and plan your cloud configuration like a new deployment instead of a direct conversion of your existing local configuration.

Step	Description	Completed?
1	Review current policies and templates to find opportunities to reorganize how you apply settings to your devices. Recommendation: Run the Policy Usage Report for the device in WatchGuard Cloud: Determine how your current policies are used. Identify unused policies you can remove. Identify common policies you can consolidate.
2	Identify common Firebox policies and services to group together in templates. Recommendation: Use multiple templates based on specific groups of policies and services. This approach enables you to use a base template for standard settings that apply to all devices, and then apply additional templates to specific Fireboxes to enable different policies and services, as required.
3	Set up the new configuration for the Firebox in WatchGuard Cloud before you change to cloud management. Create a Service Provider level template for standard settings that apply to all Fireboxes in all accounts the Service Provider manages. Create a Subscriber level template for standard settings that apply to all Fireboxes in a specific customer environment. Update device settings for device-specific configurations.
4	Review these additional considerations: Network Configuration In WatchGuard Cloud, the Firebox network configuration is organized by network (External, Internal, Guest). For locally-managed Fireboxes, the configuration is organized by network interfaces and security zones (External, Trusted, Optional). Cloud-managed Fireboxes do not have the equivalent of an Optional security zone. Policies For Fireboxes that you added to WatchGuard Cloud for visibility and reporting, view the Policy Usage Report in WatchGuard Cloud to help determine how you currently use your policies. Identify policies that you must retain when you change to cloud management, and remove unused policies that you no longer need. Look for similar policies that you can merge or consolidate to reduce the number of policies. Cloud-managed Fireboxes do not have an Optional security zone. If your existing locally-managed policies use the Optional security zone, configure the network in WatchGuard Cloud as an Internal network. You must reconfigure any policies that use the Any-Trusted/Any-Optional built-in aliases to use the network interface aliases if you do not want both networks to connect to the same resources. Review the proxy actions in your locally-managed configuration. With performance advances in the latest Firebox models, and changes over time to the characteristics of Internet and network traffic, many of the proxy action options available in Policy Manager and Fireware Web UI are no longer necessary. In WatchGuard Cloud, you cannot customize proxy actions. If you currently modify your proxy actions, we recommend you use exceptions and First Run policies in WatchGuard Cloud. First Run policies in WatchGuard Cloud are the equivalent of the use of packet filters to override core proxy policies on locally-managed Fireboxes. Subscription Services Cloud-managed Fireboxes have one exceptions configuration that all policies use. Review your current subscription service exceptions and combine them into a single list for your cloud-managed Fireboxes. In WatchGuard Cloud, you cannot create exceptions based on a group or user. If you must create these types of exceptions, use First Run policies instead. Branch Office VPNs (BOVPNs) Identify if your current environment has complex VPNs or legacy VPN configurations you must preserve. Many legacy settings for BOVPN are not available in WatchGuard Cloud. WatchGuard Cloud uses VIF (Virtual Interface) BOVPNs (also known as route-based BOVPNs). WatchGuard Cloud does not currently support the policy-based BOVPNs used by locally-managed Fireboxes. To minimize disruption and extended downtime, plan your VPN hub and spoke configurations carefully before you start the change to cloud management. Plan for extended downtime if you change your headquarters hub VPN Firebox to cloud management, and then change your spoke VPN Fireboxes after. You must reconfigure your BOVPNs after you change a Firebox to cloud management, but the process to configure a BOVPN is much faster in WatchGuard Cloud. If you plan to change your spoke VPN Fireboxes to cloud management before you change your headquarters hub Firebox, you can create a cloud-managed to locally-managed Firebox or third-party BOVPN configuration from the spoke VPN Fireboxes to the locally-managed hub VPN Firebox. When you eventually change the hub VPN Firebox to cloud management, you can re-create the BOVPN links as a cloud-managed to cloud-managed BOVPN configuration. For more information, go to Manage BOVPNs for Cloud-Managed Fireboxes. Mobile VPNs WatchGuard Cloud supports Mobile VPN with SSL or IKEv2. Mobile VPN with L2TP and IPSec are not supported. Mobile VPNs should resume normally after the change to cloud management, but make sure the cloud configuration matches the previous configuration. Make sure that you have a plan to fix any misconfiguration issues when you change to cloud management.

Change Locally-Managed Fireboxes from Visibility to Cloud-Managed

After you build the Firebox configuration in WatchGuard Cloud, change your Firebox to cloud management. The Firebox receives the new cloud configuration when it connects to WatchGuard Cloud.

Until you complete your first configuration deployment in WatchGuard Cloud, you can continue to manage the device locally with Fireware Web UI or WatchGuard System Manager.

Step	Description	Completed?
1	Change the locally-managed Firebox to cloud management. (Optional) Copy configuration settings from an existing cloud-managed Firebox during the change to cloud management. This is helpful when Fireboxes in a managed account have the same device level configuration settings.
2	(Optional) Import settings from the configuration file of a locally-managed Firebox after you change the device to cloud management. You can import these settings: Aliases, Exceptions, Routes, Blocked Ports, Blocked Sites, Dimension Servers, Syslog Servers, Technology Integrations

Step

Description

Completed?

Change the locally-managed Firebox to cloud management.

(Optional) Copy configuration settings from an existing cloud-managed Firebox during the change to cloud management. This is helpful when Fireboxes in a managed account have the same device level configuration settings.

(Optional) Import settings from the configuration file of a locally-managed Firebox after you change the device to cloud management.

You can import these settings: Aliases, Exceptions, Routes, Blocked Ports, Blocked Sites, Dimension Servers, Syslog Servers, Technology Integrations

Test the Firebox After Change to Cloud Management

After you change your Firebox to cloud management, test the device to make sure that your Firebox works as expected.

Step	Description	Completed?
1	Execute your test plan to verify that the change to cloud management worked correctly. Make sure all devices can communicate on the network. Test basic Internet connectivity, critical business applications, connections to internal resources, routing, and VPNs.