About FireCloud Virtual Gateways
Applies To: FireCloud Total Access
With FireCloud Total Access, you can set up a FireCloud Virtual Gateway to give users access to local resources on the company network without a VPN.
To do this, you must:
- Install a FireCloud Gateway on your network (the Gateway establishes a connection between FireCloud and your network).
- Configure a private resource for each local resource that you want to allow remote FireCloud users to have access to on your network, such as a printer or an SMB share.
- Add your private resources to FireCloud access rules to give users access to those resources.
When you deploy a FireCloud Gateway, you must have ports TCP 443 and UDP 4501 open for the Gateway to connect to FireCloud. The Gateway uses port 443 to authenticate to FireCloud and port 4501 to establish the tunnel that FireCloud uses to connect users to the private resources behind the Gateway.
You can install FireCloud Virtual Gateways on Hyper-V, VMware, and Proxmox hypervisors.
Configure a Virtual Gateway
To configure a FireCloud Virtual Gateway:
- Log in to WatchGuard Cloud.
- From the navigation menu, select Configure > FireCloud. If you have a Service Provider account, you must select an account from Account Manager.
- On the Configuration page, click the Private Resources widget.
- Click Add FireCloud Gateway.
- Select Virtual Gateway.
- Click Next.
- Enter a Name for your Gateway.
- For IP Address Configuration, select whether you want to give the Gateway a static or DHCP IP address.
- If you use a static IP address:
- In the Network IP Address text box, enter the static IP address that you will assign the FireCloud Gateway.
- In the Network Gateway text box, enter the IP address of the default gateway for your network.
- Enter the IP address of a DNS Server, such as the public Google DNS server 8.8.8.8.
- Click Next.
- Select the type of environment you want to deploy the FireCloud Gateway on, either Hyper-V, VMware ESXi, or Proxmox.
For Hyper-V, FireCloud supports only Hyper-V generation 1 virtual machines.
- Click Next.
- Click Download Gateway Files. When the download completes, extract the files from the downloaded .zip folder. You will have a .ISO file and either an .OVA file (ESXi and Proxmox) or a .VHDX file (Hyper-V).
- Complete the steps to deploy the FireCloud Gateway in your selected environment. Leave the WatchGuard Cloud tab open so that you can test the connection to the Gateway after setup.
Deploy a FireCloud Virtual Gateway on Hyper-V
To deploy a FireCloud Virtual Gateway on Hyper-V:
- Log in to the Hyper-V server.
- Open the Hyper-V console.
- Select New > Virtual Machine.
The New Virtual Machine Wizard opens.
- Name the virtual machine. Click Next.
- Select Generation 1. Click Next.
- Assign memory to the machine. We recommend at least 512 MB.
- Click Next.
- For Configure Networking, from the Connection drop-down list, select your network adapter that provides Internet access to your virtual machine. Click Next.
- For Connect Virtual Hard Disk, select Use an existing virtual hard disk.
- Click Browse and select the hard disk image file (.VHDX) you downloaded.
- Click Next.
- Click Finish.
- After the virtual machine is created, right-click the virtual machine and select Settings.
- For Hardware, select the DVD Drive.
- For the DVD drive media, select Image file.
- Click Browse and select the image file (.ISO) you downloaded.
- Click Apply, then click OK.
- Power up the virtual gateway from the mounted .ISO file (this is the DVD drive you added).
- In WatchGuard Cloud, click Test Connection to make sure that the FireCloud Gateway can connect to WatchGuard Cloud.
- Click Finish.
- After you deploy the FireCloud Gateway, the next step is to configure the private resources that you want to give remote users access to. For detailed steps to configure private resources, go to Add Private Resources in FireCloud.
Deploy a FireCloud Virtual Gateway on ESXi
To deploy a FireCloud Virtual Gateway on ESXi:
- In a new browser tab, go to https://ESXi_Host/UI and connect to the VMware host client. Replace ESXi_Host with the FQDN or IP address of your ESXi host.
- Upload the .ISO file to the data store.
- Create and deploy a virtual machine from the downloaded .OVA file.
- Edit the settings for your virtual machine and add a CD/DVD drive device.
- Associate the CD/DVD drive you added with the .ISO file you uploaded to the data store.
- Power on the virtual machine from the mounted .ISO file (this is the CD/DVD drive you added). Wait for the Gateway to install and connect to FireCloud.
- In WatchGuard Cloud, click Test Connection to make sure that the FireCloud Gateway can connect to WatchGuard Cloud.
- Click Finish.
- After you deploy the FireCloud Gateway, the next step is to configure the private resources that you want to give remote users access to. For detailed steps to configure private resources, go to Add Private Resources in FireCloud.
Deploy a FireCloud Virtual Gateway on Proxmox
To deploy a FireCloud Virtual Gateway on Proxmox:
- Connect to Proxmox.
- Go to Datacenter > Storage.
- Select Local and click Edit.
The Edit Directory window opens.
- From the Content drop-down list, select Disk Image and Import.
- Click OK.
- For your server, go to local > Import. This is local, not local-vm.
- Click Upload and select the Virtual Gateway file.
- In Proxmox, double-click the Virtual Gateway file.
- Click Import.
- For your server, go to local > ISO images. This is local, not local-vm.
- Click Upload and select the .ISO image for the Virtual Gateway.
- Select the Virtual Gateway and go to Hardware.
- Click Add > CD/DVD Drive.
The Add window opens.
- Select Use CD/DVD disc image file (iso).
- From the Storage drop-down list, select local.
- From the ISO image drop-down list, select the Virtual Gateway .ISO file that you uploaded.
- Click Add.
- Power on the Virtual Gateway.
Upgrade and Redeploy an Installed Virtual Gateway
The Virtual Gateway automatically downloads and installs minor updates. For larger upgrades, you must manually make the updates.
The process to upgrade a Virtual Gateway is the same as the steps to deploy a new Virtual Gateway after you have configured it in the FireCloud UI.
To upgrade a Virtual Gateway:
- Log in to WatchGuard Cloud.
- From the navigation menu, select Configure > FireCloud. If you have a Service Provider account, you must select an account from Account Manager.
- On the Configuration page, click the Private Resources widget.
- For the Gateway you want to upgrade, click Upgrade Gateway to vX.X.X. This option is only available when there is an update that requires you to manually upgrade the Gateway.
A modal opens and new Gateway files are automatically downloaded.
- Close the Upgrade Gateway modal that opens.
- Get the downloaded Gateway files for the Virtual Gateway, then complete the steps necessary to deploy the Virtual Gateway for your chosen environment. This process is the same as a new Gateway deployment, but does not impact the Gateway configuration in FireCloud or the associated private resources.
To Configure a Virtual Gateway to Store Log Files
With the Virtual Gateway v1.4.8 or higher, you can configure the Gateway to store local log files for troubleshooting. To do this, you create a second hard disk and attach it to the Virtual Gateway. When the Gateway is powered back on after the disk is attached, it formats and copies log files to the disk.
You must power off the Virtual Gateway before you attach an additional virtual disk.
- Log in to the Hyper-V server.
- Open the Hyper-V console.
- Edit the virtual machine settings.
- Select IDE Controller 0.
- Select Hard Drive.
- Click Add.
- For Media, select Virtual hard disk and click New.
- For the disk format, select VHDX.
- Click Next.
- For disk type, select Dynamically expanding.
- Click Next.
- Name the virtual disk and choose a location to save it. In our example, we name the disk gateway_logs.vhdx.
- Click Next.
- For the configure disk selection, select Create a new blank virtual hard disk and enter a size of 1 GB.
- Click Next, then click Finish.
- Power on the Virtual Gateway.
- To edit the virtual machine settings, click Edit.
- Select Add hard disk > New standard hard disk.
- Configure the virtual disk settings.
- Size — 256 MB
- Disk Provisioning — Thin Provisioned
- Controller Location — IDE controller 1, Master
- Disk Mode — Independent - persistent
- Power on the Virtual Gateway.
- Log in to the Virtual Gateway root account.
- Install the util-linux package to get access to tools such as lsblk and mount.
- Run the lsblk command to confirm the additional virtual disk (sdb) exists.
- To create an ext4 file system on the new disk, run the command mkfs.ext4 -E lazy_itable_init=1,lazy_journal_init=1 -m 0 /dev/sdb. These flags are used to keep the disk size small:
- -E lazy_itable_init=1 — Does not zero out the inode table. This is faster, with fewer writes.
- -E lazy_journal_init=1 — Does not zero out the journal.
- -m 0 — Sets reserved block percentage to 0 percent.
- To mount the new disk, run the command mount /dev/sdb /mnt.
- To copy the Virtual Gateway logs to the additional disk, run these commands:
cp /var/log/virtualgateway.log* /mnt
ls -la /mnt
- Power off the Virtual Gateway.
- Download the additional disk image from the datastore. The disk image in the datastore should be named yourVMname_1.vmdk. This download includes two files: yourVMname_1.vmdk and yourVMname_1-flat.vmdk. The yourVMname_1-flat.vmdk file is the actual disk image that contains the logs.
- Use the qemu-nbd command to mount the virtual disk image to view the Gateway log files.
- Connect to Proxmox.
- Go to Datacenter > proxmox > virtual gateway name.
- Select Hardware.
- Click Add > Hard Disk.
- Configure the settings:
- Bus/Device — IDE 1
- Storage — local
- Disk Size — 1 GB
- Format — QEMU image format
- Click Add.
- Power on the Virtual Gateway.
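The qemu-nbd step for the downloaded yourVMname_1-flat.vmdk log disk, written out as an added example that is not part of the original WatchGuard procedure: it attaches the image read-only and mounts it without ext4 journal replay so the copy is not altered. It assumes a Linux workstation with qemu-nbd and the nbd kernel module, that the -flat.vmdk file is a raw image, and uses hypothetical function names and a hypothetical /mnt/gateway_logs mount point.

```shell
#!/usr/bin/env bash
# Added example: read-only inspection of the downloaded Gateway log disk on a
# Linux analysis workstation. Run the mount/unmount functions as root.
# Function names, mount point and /dev/nbd0 are assumptions for illustration.

# Given the descriptor (yourVMname_1.vmdk) or the data file itself, print the
# path of the -flat.vmdk data file; fail if it was not downloaded beside it.
flat_image_for() {
    local descriptor="$1" flat
    case "$descriptor" in
        *-flat.vmdk) flat="$descriptor" ;;
        *.vmdk)      flat="${descriptor%.vmdk}-flat.vmdk" ;;
        *)           echo "not a .vmdk file: $descriptor" >&2; return 2 ;;
    esac
    [ -f "$flat" ] || { echo "missing data file: $flat" >&2; return 1; }
    printf '%s\n' "$flat"
}

# Attach the image read-only and mount it without replaying the ext4 journal,
# so the downloaded copy is never modified.
mount_gateway_logs() {
    local flat mnt="${2:-/mnt/gateway_logs}" nbd="${3:-/dev/nbd0}"
    flat=$(flat_image_for "$1") || return
    sha256sum "$flat"                     # record a hash before touching it
    modprobe nbd max_part=8 || return
    qemu-nbd --read-only --format=raw --connect="$nbd" "$flat" || return
    mkdir -p "$mnt"
    # The page runs mkfs.ext4 on the whole disk (/dev/sdb), so there is no
    # partition table: mount the nbd device itself, not a partition.
    mount -o ro,noload "$nbd" "$mnt" || { qemu-nbd --disconnect "$nbd"; return 1; }
    ls -la "$mnt"                         # expect virtualgateway.log* files
}

# Detach cleanly when finished.
unmount_gateway_logs() {
    local mnt="${1:-/mnt/gateway_logs}" nbd="${2:-/dev/nbd0}"
    umount "$mnt"
    qemu-nbd --disconnect "$nbd"
}

# Usage (as root): mount_gateway_logs ./yourVMname_1.vmdk
#                  unmount_gateway_logs
```
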