FireCloud Release Notes

FireCloud is a managed cloud-based firewall-as a-service. FireCloud protects your remote users against Internet-based security threats.

For more information about new features, go to the What's New in FireCloud PowerPoint. For a full description of FireCloud features and functionality, see FireCloud Help.

Release Information Date
Latest FireCloud Update 15 April 2026
Release Notes Revision Date 15 April 2026
WatchGuard Connection Manager for Windows 1.3.9.938
WatchGuard Connection Manager for macOS 1.2.23.41
FireCloud Virtual Gateway 1.4.9

Latest Release

Release Date: 15 April 2026

New Features

FireCloud Port Selection

You can now configure FireCloud to use specific communication ports for the Connection Manager and the Gateways. You might do this if you cannot use the default ports. [SASE-5835]

Enhancements

  • The FireCloud Connection Manager for Windows v1.3.9.938 is now available. This version includes minor bug fixes and enhancements.
    • The installation log file is now correctly added stored in %programdata%\Panda Security\Panda Aether Agent\Logs. This enables the PSInfo tool to troubleshoot installation issues. [SASE-5127]
    • Minor bug fixes and enhancements. [SASE-4264, SASE-5341, SASE-5679, SASE-5976, SASE-6098, SASE-6165]
  • Resolved an issue that made FireCloud trials unavailable.

Previous Releases

Enhancements

  • You can now successfully connect to private resources on custom TCP and TCP/UDP port ranges. [SASE-6057]
  • Minor bug fixes and enhancements. [SASE-5929, SASE-6015, SASE-5126]

New Features

Use Fireboxes as FireCloud Gateways

You can now set up a Firebox as a FireCloud Gateway to give users access to local resources on the company network without a VPN. With a Firebox Gateway, FireCloud runs as a service that is already installed on the Firebox, so configuration is minimal, and you do not have to deploy the gateway the way you do with a FireCloud Virtual Gateway.

This feature requires Fireware v12.12 or v2026.2 or higher.

Move Resources Between Gateways

You can now easily move private resources from one FireCloud Gateway to another. This makes it easier to deploy a new Gateway or Gateway type, such as a Firebox Gateway. [SASE-5347]

Enhancements

  • When you add or edit an access rule and add groups from the WatchGuard Cloud Directory, the UI now shows all available groups. This resolves an issue that previously limited the UI to only show 20 groups. [SASE-5725]
  • The menu for individual private resources now includes the option to add the resource to an access rule. This option was previously only available when you selected multiple resources. [SASE-5944]
  • In the Usage Report, connection events for a specific user now display the time based on the local time for that user. [SASE-5788]
  • Minor bug fixes and enhancements. [SASE-5956, SASE-5127]

Enhancements

  • When you disable content scanning for Internet Access in a FireCloud access rule, content scanning now remains enabled for Private Access. [SASE-4812]
  • Resolved an issue that caused some links in the side navigation menu to not resolve properly and keep the UI on the Summary page. [SASE-5681]
  • Minor bug fixes and enhancements. [SASE-1053]

New Features

Move Resources Between Gateways (Beta)

You can now easily move private resources from one FireCloud Gateway to another. This makes it easier to deploy a new Gateway or Gateway type, such as a Firebox Gateway. To get started, visit our beta management site. [SASE-5347]

Enhancements

  • The FireCloud side navigation menu has been updated so that the navigation options are better organized and easier to use. [SASE-4214]
  • On the Authentication page, when you view the identity provider certificate for a SAML identity provider, FireCloud now shows the certificate ID. If your identity provider has multiple certificates, this makes it easier to identify which certificate is associated with FireCloud. [SASE-5527]
  • On the DNS Servers, Network Blocking, and Content Scanning pages, the Save and Cancel buttons no longer appear until you have made a configuration change. [SASE-4401, SASE-4400, SASE-4399]
  • Minor update to UI styles. [SASE-5660, SASE-5659, SASE-5658, SASE-5657, SASE-5656]
  • Minor bug fixes and enhancements. [SASE-5413, SASE-4287]

New Features

Use Fireboxes as FireCloud Gateways (Beta)

You can now set up a Firebox as a FireCloud Gateway to give users access to local resources on the company network without a VPN. With a Firebox Gateway, FireCloud runs as a service that is already installed on the Firebox, so configuration is minimal, and you do not have to deploy the gateway the way you do with a FireCloud Virtual Gateway.

This feature requires Fireware v12.12 or v2026.2 or higher.

Enhancements

  • Minor bug fixes and enhancements. [SASE-5459]

Enhancements

  • Resolved an issue that caused the Private Resources tile on the Traffic tab of the Usage Report to not display when you navigate between the Usage Report and the FireCloud Log Search pages. [SASE-5354]

Enhancements

  • When you add private resources, you can now specify port ranges. [SASE-5333]
  • Resolved an issue where connections to private resources failed if the FQDN was configured with capital letters. [SASE-5102]
  • Resolved an issue that caused the date range to revert from Last Month to Last 24 Hours when you navigate between the Usage Report and the FireCloud Log Search pages. [SASE-5379]
  • When you set the date range filter for the usage report to Yesterday, the report now displays correctly. [SASE-5240]

Enhancements

  • The FireCloud Connection Manager for macOS v1.2.23.41 is now available. This version supports passkey authentication for AuthPoint.
  • The FireCloud virtual gateway v1.4.9 is now available. This version includes minor improvements. [SASE-4242, SASE-4538]

Enhancements

  • Resolved an issue that caused an error when you attempt to load the FireCloud configuration page. [SASE-5103]
  • You can now successfully go from the Configure Device page to the Configure FireCloud page. [SASE-5271]
  • Minor bug fixes and improvements. [SASE-3898, SASE-4510, SASE-5101]

Enhancements

  • Minor bug fixes and improvements. [SASE-5357, SASE-5072, SASE-5169, SASE-5168, SASE-4819, SASE-5052]

Enhancements

  • Added a confirmation window when you change your identity provider from AuthPoint to Third-Party SAML. [SASE-5073]
  • Minor bug fixes and improvements. [SASE-5185, SASE-4547]

Enhancements

  • Resolved an issue that caused certain DNS servers, such as Google's 8.8.8.8, to prevent end-user access to private resources. [SASE-5128]
  • Minor bug fixes and improvements. [SASE-2871]

Enhancements

  • The WatchGuard Connection Manager for Windows v1.3.9.898 is now available.
    • Resolved an issue that caused the Connect option to be grayed out and not available. [SASE-4596]
    • When the Connection Manager disconnects from a tunnel, the corresponding config file is removed. [SASE-4458]
    • Minor bug fixes and improvements. [SASE-4536, SASE-4571, SASE-4621]

New Features

Store Log Files for the Virtual Gateway

With the Virtual Gateway v1.4.8 or higher, you can configure the Gateway to store local log files for troubleshooting. To do this, you create a second hard disk and attach it to the Virtual Gateway. When the Gateway is powered back on after the disk is attached, it formats and copies log files to the disk. For more information, go to About FireCloud Virtual Gateways. [SASE-4493]

Support for Dynamic SQL Port Ranges

When you add a private resource, you can now select preconfigured protocols and port ranges. For example, you can select Microsoft Dynamic SQL to allow all the entire range of ports (49512 - 65535). This makes it easier to configure traffic settings for private resources. [SASE-4544]

Enhancements

  • Minor bug fixes and improvements. [SASE-4798, SASE-4829]

New Features

Virtual Gateway Support for Proxmox

The FireCloud Virtual Gateway now officially supports Proxmox v8.4 and Proxmox v9.0. When you add a Virtual Gateway, you can now select Proxmox for your environment. [SASE-4473]

Enhancements

  • When you change from the AuthPoint identity provider to another identity provider option, the UI now notifies you that the change will delete your existing access rules. This gives you the chance to cancel your action if you no longer want to change identity providers. [SASE-4880]
  • When an account is subscribed to a FireCloud template with different DNS settings, FireCloud now refreshes the tunnels so that DNS changes are automatically applied. [SASE-4551, SASE-4726]
  • There is now a button to refresh the Usage Report. [SASE-2123]
  • Minor bug fixes and improvements. [SASE-4766, SASE-4767, SASE-4776, SASE-4821, SASE-4822, SASE-4823, SASE-4824]

Enhancements

  • The WatchGuard Connection Manager for macOS v1.2.23.37 is now available. The updated Connection Manager now supports connections to private resources for FireCloud Total Access. [SASE-3367]
  • Resolved an issue that caused the Connection Manager to fail to create a session with an error message that said "Invalid parameter: Message too long." [SASE-4803]
  • Resolved an issue that caused FireCloud template dashboards to not show any exceptions in the Exceptions widget when default HTTP decryption exceptions are disabled. [SASE-3712]
  • For the private resources list, the pagination drop-down now displays correctly when opened. [SASE-4554]
  • The Usage Report no longer shows the Private Resources widget when the account has an expired Total Access license. [SASE-4794]
  • Minor bug fixes and improvements. [SASE-4568, SASE-4768, SASE-4769, SASE-4770, SASE-4771, SASE-4772, SASE-4773, SASE-5024, SASE-4825, SASE-4934]

Enhancements

  • End-users no longer have to manually disconnect and reconnect to FireCloud for access rule template changes take effect. [SASE-4527, SASE-4528]
  • Updated the UI to indicate that the WatchGuard Cloud Directory supports MFA users for FireCloud. [SASE-4731]
  • Minor bug fixes and improvements. [SASE-4851, SASE-4409, SASE-4820, SASE-4850, SASE-4492]

New Features

WatchGuard Agent Plug-in for ConnectWise RMM v1.0

This first release of the WatchGuard Agent Plug-in for ConnectWise RMM enables Service Providers to deploy the WatchGuard Connection Manager.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Agent Plug-in for ConnectWise RMM.

Enhancements

  • Minor bug fixes and improvements. [SASE-4794, SASE-4792, SASE-4716, SASE-4682]

New Features

IP Based HTTPS Decryption Exceptions for FireCloud

Enable this beta feature to support IP addresses for FireCloud HTTPS decryption exceptions. Previously, you could only configure exceptions for HTTPS decryption based on an FQDN. [SASE-3739]

Support for MFA Users with the WatchGuard Cloud Directory

When you configure the WatchGuard Cloud Directory as your FireCloud identity provider, this now supports both MFA and non-MFA users. This enables you to more easily integrate FireCloud with AuthPoint and Zero Trust through the WatchGuard Cloud Directory. [AAAS-27864]

Enhancements

  • On the Private Resources page, there is now an option to expand and collapse all Gateway lists. [SASE-4442]
  • On the Private Resources page, there is now an option to sort Gateways by different options. [SASE-4443]
  • FireCloud now shows a warning message when you change the network settings for a Gateway. [SASE-4359, SASE-4464]
  • Minor bug fixes and improvements. [SASE-2944, SASE-4548, SASE-4579]

New Features

Passwordless Authentication for FireCloud

With this feature, FireCloud can support SAML identity providers that use methods such as biometrics (fingerprints, facial recognition) or hardware security keys to authenticate users in place of a password.

AuthPoint IDP Option

When you configure your FireCloud identity provider, there is now an AuthPoint option. The new AuthPoint options works the same as SAML, but with fewer settings to configure. This makes it faster and easier to set up FireCloud and AuthPoint. [SASE-2324]

New Features

FireCloud Total Access

A new FireCloud license, FireCloud Total Access, is now available. With Total Access, you can give FireCloud users access to local resources on the company network without a VPN. This extends the protection and usability of FireCloud for remote users. FireCloud Total Access includes all the existing features of FireCloud Internet Access, plus new features. [INIT-1173]

Enhancements

  • FireCloud now works with IMAPS connections. This resolves an issue that blocked incoming email messages while connected to FireCloud. [SASE-3706]

Enhancements

  • FireCloud now includes a default exception for wg.cloud.threatseeker.com. [SASE-4316]

New Features

FireCloud Support for Mac Computers

FireCloud Internet Access now supports Mac computers. To get started, download and install the WatchGuard Agent on your Mac computers.

Enhancements

  • On the Usage Report, the detailed report for blocked malware now displays the correct data. [SASE-4374]
  • The Connection Events graph now displays correctly. [SASE-3989]
  • The Connection Events graph now displays information when you hover over a section of the graph that represents the time frame a device is connected or disconnected. [SASE-2974]
  • Minor bug fixes and enhancements. [SASE-4278]

New Features

FireCloud Total Access (beta)

This beta introduces a new FireCloud license – Total Access. With Total Access, you can give FireCloud users access to local resources on the company network without a VPN. This extends the protection and usability of FireCloud for remote users. FireCloud Total Access includes all the existing features of FireCloud Internet Access, plus new features.

To get started, visit our beta management site. You’ll find detailed information about how to set up FireCloud Total Access and get started.

Enhancements

  • Updated the text on the Configure FireCloud page where you set up an identity provider. [SASE-3789]
  • Minor bug fixes and enhancements. [SASE-2586, SASE-3857, SASE-4058, SASE-4261]

New Features

FireCloud Egress IP Addresses

With this feature, you can view a list of the static IP addresses for the FireCloud points-of-presence. This information helps you to create firewall policies that restrict access to resources based on whether traffic comes from a FireCloud point-of-presence.

For more information, go to FireCloud Egress IP Addresses in FireCloud Help. [SASE-2467]

Enhancements

  • Minor bug fixes and enhancements. [SASE-3924]

Enhancements

  • Minor bug fixes and enhancements. [SASE-4090]

Enhancements

  • When you configure content filtering, the search bar for WebBlocker and Application Control is now in a more visible and easy to use location. [SASE-3811]
  • On the Usage Report, the tabs for the Blocked Threats graph are now above the graph instead of within the graph. [SASE-4113]
  • Minor bug fixes and enhancements. [SASE-4069]

Enhancements

  • On the Geolocation report, the Bytes value now displays correctly even with large values. [SASE-3719]

Enhancements

  • Minor bug fixes and enhancements. [SASE-4092]

Enhancements

  • Minor bug fixes and enhancements. [SASE-3911, SASE-3861]

Enhancements

  • On the Usage Report, the Connection Events graph for specific users now shows the total time that user is connected and disconnected. [SASE-2135]

Enhancements

  • On the Usage Report, the Blocked Applications and Destinations tiles now only show hits as a value. [SASE-3592]
  • When you edit a FireCloud template, you can now successfully clear the Apply to Subscribed Accounts check box for HTTPS Decryption Exceptions. [SASE-3639]
  • Resolved an issue that caused new FireCloud templates to display the blocked icon by default even though all services are enabled. [SASE-3632]
  • WatchGuard Cloud operators with ReadOnly permissions can now successfully navigate to the Client Download page and download the installer. [SASE-3644]
  • On the Log Search page, you can no longer add duplicate fields. [SASE-3189]
  • Resolved an issue that caused Log Search fields to default to the value of the previous field. [SASE-3190]
  • Minor bug fixes and enhancements. [SASE-3610, SASE-3347, SASE-3611, SASE-3349, SASE-2172]

New Features

Improve Language Localization Accuracy for Web Browsers

Some FireCloud users connect to a FireCloud Point of Presence with an egress IP address of a different country, which can cause browsers to show a different language than the user expects.

With this feature, you can configure FireCloud to include the XFF header to help websites display the correct language. The XFF header includes the public IP address of the end-user, and web browsers use this IP address for language localization. This enhances the accuracy of language localization for end-users and improves the FireCloud experience. [SASE-2468]

Enhancements

  • FireCloud log search now requires a value before you can run a search. [SASE-3165]
  • When you make changes to the content filtering settings in a FireCloud template, the audit logs now correctly include the text "Update Template" for clarity. [SASE-3193]
  • Minor bug fixes and enhancements. [SASE-3090, SASE-3228]

Enhancements

  • On the Usage Report page, the Devices Connected to FireCloud graph now displays the correct times for devices connected to FireCloud. [SASE-3369]
  • Minor bug fixes and enhancements. [SASE-3368]

Enhancements

  • In the Users tile of the Usage Report, the horizontal bars in the graph are now properly aligned. [SASE-3130]
  • When you delete a Log Search value, the Value text box label no longer disappears. [SASE-3187]
  • When you download a .CSV file for Log Search results, the download now waits until the search is complete. [SASE-3125]
  • For Log Search, you can now successfully add all security services and log message fields. [SASE-3191]
  • Minor Log Search improvements. [SASE-3188, SASE-2353]
  • Minor style changes to the appearance of buttons. [SASE-3098, SASE-2998]

New Features

FireCloud Always On Functionality

With this feature, FireCloud administrators can now configure access rules to control which end-users are allowed to manually disconnect from FireCloud (by default, access rules allow users to disconnect from FireCloud). This enables FireCloud administrators to make sure end-users are always protected. [SASE-1603]

Enhancements

  • Access rules are now shown on their own page. [SASE-3163]
  • When the Usage Report loads, the Devices Connected to FireCloud graph now shows an empty placeholder until the graph appears. [SASE-3236]
  • For the Usage Report, the Devices Connected to FireCloud graph now shows 20 minute intervals when the report time range is set to the last 24 hours. [SASE-3283]
  • On the FireCloud configuration overview, the Settings tile now shows the IP addresses custom DNS servers. [SASE-3151]
  • The Usage Report now shows the correct data based on the selected time range. [SASE-3294]
  • Minor bug fixes and improvements. [SASE-3285]

Enhancements

  • On the Usage Report page, the Protected Devices line graph has been changed to a bar graph that is called Devices Connected to FireCloud. [SASE-2895]
  • On the Usage Report page, the column header labels on the Devices tab have been changed. The Device Status column is now called FireCloud Connection, and the status values are Active and Inactive. When you view data for a single user, the Session Events section is now called FireCloud Connection Events. [SASE-2896]
  • On the Usage Report page, when a user disconnects from FireCloud, the device status now updates in real time. You do not have to refresh the page for the report to show the updated status. [SASE-2982]
  • Operators with read-only permissions for FireCloud can no longer complete the FireCloud setup wizard. [SASE-2940]
  • On the Log Search page, the cursor only displays as a hand when you hover over fields that are selectable. [SASE-2803]
  • For Service Providers, when you customize the columns on the Usage Report and then switch to view data for another account, the customized columns no longer persist in the Usage Report for the new account. [SASE-2802]
  • On the Log Search page, the example searches have been updated to be more useful. [SASE-2799]
  • On the Log Search page, you can now sort results by date and time. [SASE-2706]
  • On the Log Search page, when you view details for a specific log message, the window now has arrows so that you can click to view the next or previous log message. [SASE-2369, SASE-2322]
  • Minor style changes to the appearance of buttons. [SASE-3096, SASE-3088, SASE-3102, SASE-3117, SASE-3116, SASE-3115, SASE-3114, SASE-3113]
  • Minor bug fixes and improvements. [SASE-3100]

Enhancements

  • For the Usage Report page, the Customize Columns window no longer closes when you click outside of the window. [SASE-3085]
  • For the Usage Report, the Customize Columns window no longer gains a scrollbar when you change the order of the columns. [SASE-3084]
  • For the Usage Report, when you customize the columns in the list and then change the width of a column, the list now displays correctly. [SASE-3074]
  • For accounts that have an expired FireCloud trial, when you start a new trial or activate a license, the account now shows the correct license quantity. [SASE-2980]
  • For FireCloud audit logs, changes to template settings now include the text "Update Template" for clarity. [SASE-2726, SASE-2727, SASE-2728, SASE-2729]

Enhancements

  • The option to log out a user from the FireCloud Usage Report is no longer available for users that have no devices connected to FireCloud. [SASE-3034]
  • When you log out a specific user or device, the Usage Report no longer shows all devices as Not Protected. [SASE-3033]
  • When you log specific devices out of FireCloud from the Usage Report, the Logout Devices window no longer shows devices that are not protected. [SASE-3019]
  • When you log specific devices out of FireCloud from the Usage Report, the Logout Devices window no longer retains your selections after you cancel and close the window. [SASE-3036]
  • WatchGuard Cloud operators with the Analyst role can now successfully log out FireCloud users and devices from the Usage Report. [SASE-3083]
  • Minor bug fixes and improvements. [SASE-3103, SASE-3020]

Enhancements

  • The WatchGuard Connection Manager has been updated to version 1.3.9.769.
    • Resolved an issue that caused the Connection Manager to take more than 5 minutes to disconnect from FireCloud when in an unhealthy state. [SASE-2565]
    • Resolved memory leak issues. [SASE-2765]
    • The Connection Manager now correctly layers multiple windows on top of each other. This resolves an issue where the login window always appeared in front of other windows. [SASE-2891]
    • Updated text on the About page. [SASE-2808]
    • Minor bug fixes and enhancements. [SASE-2634, SASE-2742, SASE-2857, SASE-2924]

Enhancements

  • In the Access Rules page, you now enable security services on a new Internet Access tab. [SASE-2711, SASE-2712]
  • You can now customize which columns appear in the Usage Report. [SASE-2773]
  • In the Usage Report, you can now drill down to see log messages for specific blocked attacks, blocked malware, and zero-day malware. [SASE-2359]
  • The Usage Report for a specific user includes a new Back button. [SASE-2771]
  • The Traffic section of the Usage Report now sorts traffic by bytes by default. [SASE-2256]

Resolved Issues

  • The name of the .CSV file you download from the Log Search page now reflects the date and time of the log messages. [SASE-2722]
  • The Usage Report now retains the selected date range after you leave and return to the page. [SASE-2848]
  • When you change the Usage Report date range, the selected user no longer changes to All Users. [SASE-2804, SASE-2903]
  • Minor bug fixes and improvements. [SASE-2800, SASE-3013, SASE-3027]

Enhancements

  • For the Geolocation widget in the Usage Report, countries with no hits appear gray. [SASE-2270]
  • When you view the configuration details for a FireCloud template, the Content Filtering widget now displays the correct number of allows applications and content categories. [SASE-2316]
  • As a Service Provider, when you go to the Configure FireCloud Overview page and enter the search term "never", search now returns results. [SASE-2810]
  • Filters that you apply to the Usage Report now work correctly. [SASE-2660]
  • The Usage Report now correctly shows connected devices when you select a specific user. [SASE-2775]
  • As a Service Provider, when you go to the FireCloud Client Download page and then select a different managed account from Account Manager, the Copy Installer URL now updates immediately. This resolves an issue where the installer URL from the initial managed account persisted until the page finished loading. [SASE-2936]
  • When you add an exception with an MD5SUM, the value is no longer case-sensitive. [SASE-2597]
  • For FireCloud audit logs, changes to templates now include the text "Update Template" for clarity. [SASE-2730]
  • Configuring FireCloud Geolocation actions can no longer block other WatchGuard products and services. [SASE-2897]
  • Minor bug fixes and improvements. [SASE-2390, SASE-2870]

Enhancements

  • FireCloud audit log improvements. [SASE-2821, SASE-2822]
  • Minor bug fixes and improvements.

New Features

FireCloud Internet Access

A new WatchGuard product, FireCloud Internet Access, is now available. FireCloud is a managed cloud-based firewall-as a-service. FireCloud protects your remote users against Internet-based security threats.

With FireCloud, you can configure these security settings to protect your users:

Content Scanning

Scanning engines protect against spyware, viruses, malicious applications, spam email, and data leakage.

Network Blocking

You can use FireCloud to monitor and block common security threats, such as botnets, spyware, SQL injections, cross-site scripting, and buffer overflows.

Geolocation

Geolocation is a security service that enables FireCloud to detect the geographic locations of connections to and from your protected devices. In FireCloud, you can enable and configure Geolocation to block access to and from specific locations.

Content Filtering

Content filtering uses the WebBlocker and Application Control security services to block specific content categories and applications.

You configure FireCloud in the WatchGuard Cloud platform, and end-users connect to the service with the WatchGuard Connection Manager. When end-users are connected to FireCloud, FireCloud protects them from threats so that they can safely use their computer and browse the Internet.

To get started, go to Quick Start — Set Up FireCloud and explore the FireCloud help documentation.