Firebox Cloud
Deployment Guide
Firebox Cloud for AWS and Microsoft Azure
About This Guide
The Firebox Cloud Deployment Guide is a guide for deployment of a WatchGuard Firebox Cloud virtual
security appliance. For the most recent product documentation, see the Fireware Help on the
WatchGuard website at https://www.watchguard.com/wgrd-help/documentation/overview.
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
Guide revised: 11/26/2024
Copyright, Trademark, and Patent Information
Copyright © 1998–2024 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at https://www.watchguard.com/wgrd-help/documentation/overview.
About WatchGuard
For 25 years, WatchGuard has pioneered cutting-edge cybersecurity technology and delivered it as
easy-to-deploy and easy-to-manage solutions. With industry-leading network and endpoint security,
secure Wi-Fi, multi-factor authentication, and network intelligence products and services, WatchGuard
enables more than 250,000 small and midsize enterprises from around the globe to protect their most
important assets including over 10 million endpoints. In a world where the cybersecurity landscape is
constantly evolving, and new threats emerge each day, WatchGuard makes enterprise-grade
cybersecurity technology accessible for every company. WatchGuard is headquartered in Seattle,
Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on
Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time
information about the latest threats and how to cope with them at www.secplicity.org.
Address
255 S. King St.
Suite 1100
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Contents
Introduction to Firebox Cloud
About Firebox Cloud
Firebox Cloud Use Cases
Protect Virtual Servers
Branch Office VPN
Mobile VPN Gateway
About Microsoft Azure
About AWS
Firebox Cloud System Requirements
Firebox Cloud License Options
License Types
Licensed Security Services
Deploy Firebox Cloud on Microsoft Azure
Identify your Firebox Cloud Software Plan and License Type
Supported Instance Types
Create a Key Pair for SSH Authentication
Deploy Firebox Cloud
Find the Instance ID (VM ID)
Activate your Firebox Cloud License
Run the Firebox Cloud Setup Wizard
Connect to Fireware Web UI
Add the Feature Key
Next Steps
Enable Feature Key Synchronization
Configure Firebox Cloud to Send Feedback to WatchGuard
Configure Firewall Policies and Services
Deploy Firebox Cloud on AWS
AWS Regions and Availability Zones
Supported Instance Types
Before You Begin
AWS Identity and Access Management (IAM)
Deployment Overview
Allocate or Associate an Elastic IP Address
Allocate an Elastic IP Address
Associate an Elastic IP Address
Create a VPC with Public and Private Subnets
Create an Instance of Firebox Cloud
Disable Source/Destination Checks
Assign an Elastic IP Address to the External Interface
Configure the Default Route
Verify the Instance Status
Find the Instance ID (VM ID)
Activate your Firebox Cloud License (BYOL Only)
Run the Firebox Cloud Setup Wizard
Connect to Fireware Web UI
Add the Feature Key (BYOL Only)
Next Steps
Enable Feature Key Synchronization
Configure Firebox Cloud to Send Feedback to WatchGuard
Configure Firewall Policies and Services
Troubleshooting
Firebox Cloud Feature Differences
Administration
Licensing and Services
Network Interfaces
Default Firebox Configuration
Fireware Features
View Firebox Cloud VM Information
VM Information in Fireware Web UI
The Front Panel Dashboard
The VM Information System Status Page
The Interfaces Dashboard
VM Information in Firebox System Manager
Use Firebox Cloud to Protect a Web Server
Step 1 — Launch an Instance of Firebox Cloud
Step 2 — Add A Static NAT Action
Step 3 — Add HTTP and HTTPS Proxy Policies
Add an HTTP-Proxy Policy
Add an HTTPS-Proxy Policy
Import a Proxy Server Certificate
Step 4 — Enable Subscription Services
Enable Gateway AntiVirus
Enable Intrusion Prevention Service (IPS)
Enable Botnet Detection
Enable Data Loss Prevention
Configure Geolocation
Enable Logging for Firebox Cloud
Configure Logging to WatchGuard Cloud
Configure Logging to Dimension
Open the Configuration File for a Firebox Cloud Instance
Download and Open the Configuration File
Download and Open the Diagnostic Log Message File
Changes that Require a Firebox Cloud Reboot
Administer Firebox Cloud with the CLI
Reset the Firebox to Factory-Default Settings
Add Firebox Cloud to WatchGuard Cloud (Cloud-Managed)
Before You Begin
Add a Firebox Cloud Device to WatchGuard Cloud
Upload the Payload and Connect the Firebox
Verify the Firebox Cloud Status
Additional Resources
Help Center and Technical Documentation
Technical Support
Troubleshooting
Monitor Your Firebox
Manage Users and Roles on Your Firebox
Firebox Upgrade, Downgrade, and Migration
Firebox Backup and Restore
Introduction to Firebox Cloud
The WatchGuard® Firebox security platform delivers unparalleled unified threat management, superior
performance, ease of use, and value for your growing network. Fireware OS and WatchGuard security
services give you fully integrated protection from spyware, viruses, worms, trojans, web-based exploits,
and blended threats. From firewall and VPN protection, to secure remote access, WatchGuard devices
support a broad range of network environments.
About Firebox Cloud
Firebox Cloud brings the proven features and services of the Firebox to the Amazon Web Services
(AWS) and Microsoft Azure cloud computing platforms. Firebox Cloud uses the same powerful
Fireware OS and most of the same subscription services available on other Firebox models. You can
use Firebox Cloud to protect servers deployed on your private cloud, and you can use it as a secure VPN
endpoint for connections to resources on your virtual network.
For greater visibility into the status of traffic and security on your virtual network, you can use
WatchGuard Dimension to monitor Firebox Cloud. The Firebox Cloud BYOL license also includes a
license for WatchGuard Cloud. After you activate a WatchGuard Cloud BYOL license, you can add the
Firebox Cloud instance to your WatchGuard Cloud account. For information about how you can manage
your Firebox Cloud instance as a cloud-managed device in WatchGuard Cloud, go to Add Firebox Cloud
to WatchGuard Cloud (Cloud-Managed).
Firebox Cloud is available for AWS and Microsoft Azure cloud computing platforms.
Firebox Cloud Use Cases
You can use Firebox Cloud to protect any virtual network on AWS or Azure. These use cases describe
some of the ways you can use Firebox Cloud to add security to your virtual network.
Protect Virtual Servers
To provide protection to one or more virtual servers that are accessible from the Internet, you can install
a Firebox Cloud instance. Your instance of Firebox Cloud is then the gateway for inbound connections
to your servers from the internet. You configure policies and security services on your instance of
Firebox Cloud to control traffic to your virtual servers.
For a summary of how to configure policies and services on Firebox Cloud for inbound connections to a
protected web server, go to Use Firebox Cloud to Protect a Web Server.
Branch Office VPN
You can configure your Firebox Cloud as a branch office VPN (BOVPN) gateway endpoint so you can
maintain a secure VPN connection between your virtual network resources and other networks
protected by a Firebox or compatible VPN gateway endpoint. You can also configure your Firebox Cloud
as a BOVPN over TLS Server or Client. Firebox Cloud supports all the same VPN features as other
Firebox models.
Mobile VPN Gateway
You can also enable Firebox Cloud to accept VPN connections from SSL, IPSec, IKEv2, and L2TP mobile
VPN clients, and configure policies to control user and group access to your protected AWS network
resources.
About Microsoft Azure
Microsoft Azure is Microsoft's cloud computing platform that provides data management, compute,
networking and performance services at a variable cost based on the resources you use. If you are new
to Azure, you must understand the Azure terms and concepts in this section before you deploy Firebox
Cloud.
Virtual Network (Vnet)
An Azure Virtual Network is a logically isolated private virtual network environment in the Azure
cloud. Firebox Cloud, and the virtual servers it protects, are all virtual machines that you deploy in
a Virtual Network.
Virtual Machine Image (VHD)
A VHD file is a virtual hard disk image that contains a VM image. Firebox Cloud is distributed as
a VHD file that you can use to deploy one or more Firebox Cloud instances.
Storage Account
Microsoft Azure Storage is a Microsoft-managed cloud service that provides storage. The
Firebox Cloud VHD is stored in a container in your Storage Account.
Resource
A manageable item available through Azure. For example, a virtual machine and a storage
account are each resources.
Resource Group
A group of Azure resources that you manage as a group. When you add a storage account, you
specify the resource group it belongs to. Each resource can belong to only one group.
Template
An Azure template is a JSON file that defines the resources and settings required to deploy an
application. To deploy Firebox Cloud, you fill out the required settings and specify required
resources defined in the Firebox Cloud template.
VM ID (Instance ID)
The VM ID, or instance ID, is a unique identifier associated with an Azure virtual machine
instance. The Instance ID is the default admin passphrase you use to connect to Firebox Cloud
to run the setup wizard.
Regions and Availability Zones
Microsoft Azure has several regions around the world. Each region contains several Availability
Zones. You must specify the region when you deploy a Firebox Cloud instance.
About AWS
Amazon Web Services (AWS) is a flexible, on-demand, cloud services platform that provides compute
power, networking, database storage, and other services at a variable cost based on the resources you
use. If you are new to AWS, you must understand the AWS terms and concepts in this section before
you deploy Firebox Cloud.
Amazon Virtual Private Cloud (VPC)
An Amazon VPC is a logically isolated private virtual network environment in the AWS cloud.
Firebox Cloud, and the virtual servers it protects, are all virtual machines that you deploy in a
VPC.
Amazon Elastic Compute Cloud (EC2)
Amazon EC2 is a virtual server hosting service that provides scalable computing capacity in the
AWS cloud.
Amazon Machine Image (AMI)
An AMI is a virtual machine template that you use to deploy a virtual server in AWS. Firebox
Cloud is delivered as an .AMI file that you use to deploy Firebox Cloud in your AWS VPC.
EC2 Instance
To launch one or more EC2 instances, you use an .AMI file. Each instance is a copy of the .AMI
that runs as a virtual server. When you launch a new instance, you select the instance type, which
determines the amount of CPU, storage, and network capabilities assigned to the instance.
Firebox Cloud runs as an EC2 instance in your Amazon VPC. Each instance has a unique
Instance ID.
Elastic IP Address (EIP)
An Elastic IP address is a static public IP address that you can assign to an EC2 instance. First,
you allocate an Elastic IP address to a VPC, and then you associate it with an EC2 instance in the
VPC. For Firebox Cloud, you allocate an Elastic IP address for the external interface.
Security Group
The security group is a virtual firewall that controls which inbound and outbound traffic is
allowed to reach the associated instances. In the security group, you define rules that control
what traffic to allow. When you launch an instance, you must specify at least one security group.
AWS Regions and Availability Zones
AWS has multiple AWS Regions. Each region contains several Availability Zones. A VPC can
contain subnets in different Availability Zones.
Firebox Cloud System Requirements
Firebox Cloud can run on Amazon Web Services (AWS) and Microsoft Azure cloud computing
platforms.
Firebox Cloud CPU and memory requirements:
- Minimum CPU cores: 2
- Minimum total memory: 2048 MB
- Recommended minimum total memory: 4096 MB
4096 MB is required to enable Access Portal and IntelligentAV, and to use the Full
signature set for IPS/Application Control.
WatchGuard recommends an instance that has at least 1024 MB of memory for each CPU core. For
example, if the instance has four CPU cores, we recommend a minimum total memory of 4096 MB.
Refer to the AWS and Azure documentation to identify instances that meet these requirements.
For Firebox Cloud with BYOL license, the Firebox Cloud model determines the
maximum number of CPU cores. For more information, go to Firebox Cloud
License Options.
For a BYOL license, Azure automatically selects an instance size based on the
License Type you select.
Firebox Cloud License Options
Firebox Cloud is available in both the Microsoft Azure Marketplace and AWS Marketplace with two
license options.
License Types
Bring Your Own License (BYOL)
With this license option, you pay Microsoft or Amazon for the virtual machine instance and
resources it uses. You then purchase a license for Firebox Cloud separately from an authorized
WatchGuard reseller. For Firebox Cloud with a BYOL license, you must activate a license key for
Firebox Cloud on the WatchGuard website. Then, add the feature key to your Firebox Cloud
instance, which enables you to configure all the licensed features. This feature key is unique to
that instance and has an expiration date. You can purchase a renewal from an authorized
WatchGuard reseller.
After you activate the BYOL license, you can add the Firebox Cloud instance to your WatchGuard
Cloud account.
For more information, go to Add a Firebox to WatchGuard Cloud.
For information about how you can manage your Firebox Cloud instance as a cloud-managed
device in WatchGuard Cloud, go to Add Firebox Cloud to WatchGuard Cloud (Cloud-Managed).
For information about feature keys, go to About Feature Keys.
The feature key is valid only for the instance ID you specify when you activate the
license. If you want to move your Firebox Cloud license to a different instance of
Firebox Cloud, you must contact WatchGuard customer care to help you activate
the license for a different instance ID.
You can purchase a Firebox Cloud for one of four models. The models are based on the
maximum number of CPUs that Firebox Cloud uses. The maximum throughput of Firebox Cloud
depends on both the Firebox Cloud model, and the VM size.
For Firebox Cloud with a BYOL license, the model determines the maximum supported throughput rates.
Firebox Cloud Model    Maximum AWS vCPUs or Azure CPU Cores    VPN (Gbps)
Small                  2                                       0.4
Medium                 4                                       1.5
Large                  8                                       3
Extra Large            Unrestricted                            Unrestricted
If you deploy Firebox Cloud on a virtual machine with more CPUs than the Firebox Cloud model
supports, Firebox Cloud uses only the supported maximum number of CPUs.
For details about the BYOL option for AWS, go to WatchGuard Firebox Cloud (BYOL). Cost can
vary based on resources used, and by region.
Hourly / Pay As You Go (PAYG)
With this license option, the cost of the license for Firebox Cloud and all security services is
included in the price charged by Amazon or Microsoft. This provides a perpetual license with no
fixed expiration date. There is no need to purchase, activate, or renew a separate license from
WatchGuard.
Both the Azure and AWS Firebox Cloud (PAYG) options include a 30-day free trial. For the 30-day
trial period, there are no hourly software charges, but Azure and AWS infrastructure charges still
apply. After the 30-day trial expires, the instance converts to a paid subscription.
For details about the PAYG option and associated costs for Azure, go to WatchGuard
Subscription Costs for Azure PAYG.
For details about the Hourly AWS option and associated costs, go to WatchGuard Firebox Cloud
(Hourly).
To switch a Firebox Cloud instance from one license type to another, you must
deploy a new instance and move the configuration to the new instance. For
information about how to move a Firebox configuration, go to Move a
Configuration to a New Firebox.
Licensed Security Services
Firebox Cloud supports these WatchGuard security services:
- Access Portal (requires Fireware v12.1 or higher)
- Application Control
- APT Blocker
- Botnet Detection
- Data Loss Prevention
- DNSWatch (supported with a BYOL license only)
- Gateway AntiVirus / Intelligent AntiVirus
- Geolocation
- IntelligentAV (supported for BYOL licenses and PAYG instances, and requires 4 GB of memory)
- Intrusion Prevention Service (IPS)
- Reputation Enabled Defense
- spamBlocker and Quarantine Server (requires Fireware v12.2 or higher)
- WatchGuard Cloud Visibility (supported with a BYOL license only)
- WebBlocker
Firebox Cloud with an Hourly / Pay As You Go license does not support
WatchGuard Cloud or DNSWatch.
Deploy Firebox Cloud on Microsoft Azure
Before you create a Firebox Cloud virtual machine, you must create a Microsoft Azure account. When
you set up your account, you specify billing information and the credentials you use to connect to the
Microsoft Azure portal. Firebox Cloud requires a storage account. You can create a storage account
before you deploy Firebox Cloud, or you can create one as part of the deployment.
Identify your Firebox Cloud Software Plan and License Type
When you create a Firebox Cloud VM in Azure, you select one of these two software plans.
Firebox Cloud (BYOL)
With the Bring Your Own License (BYOL) software plan, you purchase a Firebox Cloud license for
a specified size, Small, Medium, Large, or Extra Large. The Firebox Cloud license defines the
maximum number of Azure CPU cores that the Firebox Cloud VM can use.
When you create a Firebox Cloud (BYOL) VM, you select a License Type. To deploy your VM with
appropriate resources, select the License Type that matches your Firebox Cloud license size.
Firebox Cloud (PAYG)
With the Pay As You Go (PAYG) software plan, you do not purchase a Firebox Cloud license. The
PAYG option includes a 30 day free trial.
For more information about license options and trials, go to Firebox Cloud License Options.
Supported Instance Types
Firebox Cloud supports these instance families:
- Av2
- Amv2
- Dv3
- Dv4
- Dsv3
- Dsv4
- F
- Fsv2
All Azure services that are part of the deployment are mandatory to run Firebox Cloud. To deploy your
instance of Firebox Cloud on Azure, you must complete the following procedures.
For information about how to deploy load balancers with Firebox Cloud, go to
Deploy Firebox Cloud with Azure Load Balancers.
Create a Key Pair for SSH Authentication
Before you create a Firebox Cloud instance, you must generate an SSH-2 RSA public key / private key
pair. You can generate a new key pair when you configure your Firebox Cloud deployment, or you can
use a tool such as puttygen or the ssh-keygen command in Linux to generate the key pair.
- Use the public key when you deploy your Firebox Cloud instance.
- Use the private key for SSH connections to the Fireware command line interface (CLI) for your
Firebox Cloud instance.
To use the puttygen utility to generate an SSH-2 RSA key pair:
1. Download and install the PuTTYgen utility available from www.putty.org.
2. Start PuTTYgen.
3. Click Generate.
4. Move the mouse over the blank area to generate some randomness.
PuTTYgen uses the mouse movements as input to generate the key pair.
5. To save the generated public key to a file, click Save public key.
6. (Optional) Specify a passphrase to protect the private key file.
7. To save the generated private key to a file, click Save private key.
Save the private key in a secure location. You must provide the private key to
connect to the Fireware command line interface.
Deploy Firebox Cloud
To create the Firebox Cloud instance:
1. Log in to the Azure portal with your Microsoft Azure account credentials.
2. Click Create a resource.
The Azure Marketplace opens.
3. In the Search services and marketplace text box, enter Firebox Cloud.
4. Select WatchGuard Firebox Cloud.
The WatchGuard Firebox Cloud license options open.
5. From the Plan drop-down list, select WatchGuard Firebox Cloud (BYOL) or WatchGuard Firebox
Cloud (PAYG).
6. Click Create.
The VM configuration steps open.
7. On the Basics tab, specify basic information about your virtual machine.
Subscription
The name of the Azure subscription where the virtual machine and resources are stored.
This is the account that Microsoft bills for VM use and storage.
Resource group
A resource group is a collection of resources that share the same lifecycle, permissions, and
policies. All objects, such as networks and interfaces, and data for the Firebox Cloud
instance will be associated with the resource group you specify. The resource group does
not affect networking or connectivity from the Firebox to existing Azure resources.
Microsoft Azure does not support deployment of a managed application to a
resource group with existing resources. You must create a new resource group or
use an empty resource group.
Region
The Azure region for this Firebox Cloud instance.
Firebox Cloud VM Name
The name for the Firebox Cloud virtual machine in the Azure portal.
8. Click Next.
The Virtual Machines Settings configuration step opens if you are using the BYOL option, or the VM Size and Key Data section
if you are using the PAYG option.
9. In the Virtual Machine Settings step, specify virtual machine configuration details.
Firebox Cloud License Type and VM Size — for Firebox Cloud (BYOL)
For a BYOL license, select the Firebox Cloud License Type. This is the Firebox Cloud license
you purchased from WatchGuard or a WatchGuard reseller. Select Small, Medium, Large or
Extra Large. After you select the License Type, an appropriate VM size is selected by default.
To select a different size, click Change size. An Availability Set is created as part of the
BYOL deployment.
Azure VM Tier and VM Size — for Firebox Cloud (PAYG)
For a PAYG license, select the Azure VM tier for the virtual machine. Select Free Tier Eligible
or Standard. After you select the VM tier, an appropriate VM size is selected by default. To
select a different size, click Change size.
SSH public key source
The public key for this Firebox. You can generate a new key pair, use an existing key stored
in Azure, or use a tool such as puttygen or the ssh-keygen command in Linux to generate the
key pair. You must use the private key associated with this public key to connect to the
Firebox Cloud CLI.
SSH Key Type
The SSH key format. Firebox Cloud supports RSA SSH Format.
Key pair name
The name for the key pair.
Storage account
The name of the storage account to store boot diagnostic log files. The storage account you
select must not be in another resource group in your subscription. Boot diagnostic log files
contain information that can help WatchGuard support troubleshoot issues.
10. Click Next.
11. In the Network Settings step, specify required network configuration information.
Virtual network
The virtual network to use for this Firebox Cloud. By default, a new available address space
with a /16 netmask is selected. You can use the default virtual network, edit the default
virtual network, or choose another existing virtual network.
External (Public) subnet
Review and configure the subnet to use for the External (Public) network. By default, a new
external network 10.7.0.0/24 is selected.
Trusted (Private) subnet
Review and configure the subnet to use for the Trusted (Private) network. By default, a new
trusted network 10.7.1.0/24 is selected.
External Network Security Group
A network security group contains security rules that allow or deny inbound network traffic
to, or outbound traffic from, the virtual machine. If you select None, no external network
security group is applied. If you select Management Only, an external network security group
is applied which allows inbound traffic on TCP 8080, TCP 4118, TCP 4117 for Web UI, CLI,
and WatchGuard System Manager connections to the Firebox. If you select Allow All, all
inbound traffic to the Firebox is allowed.
Public IP address
Select or create a public IP address to use for your Firebox Cloud external interface. For a
new public IP address, specify a name, and select the SKU type (Basic or Standard). If you
select a Basic SKU type, select the IP address assignment type, Dynamic or Static. If you
select a Standard SKU type, select the routing preference, Microsoft network or Internet. For
more information, go to Routing Preference.
Inbound connections to a public IP address with the Standard SKU type fail until
you create and associate a network security group and explicitly allow the desired
inbound traffic. For more information, go to the article IP address types and
allocation methods in Azure in the Microsoft Azure documentation.
To assign a secondary IP address, go to Assign multiple IP addresses to virtual
machines using the Azure portal.
Domain name label
Specify the DNS label for the Firebox Cloud public IP address. It must be all lowercase
letters and numbers.
12. Click Next.
13. In the Next: Review + Create step, review the information, and correct any errors.
14. Click Create.
The deployment begins.
After the deployment is completed, you can go to the resource group or pin the VM to the Microsoft
Azure dashboard.
Find the Instance ID (VM ID)
After you deploy your Firebox Cloud instance, you must find the Instance ID, also known as the VM ID.
You will need this to log in to the Fireware Web UI to run the Firebox Cloud Setup Wizard. You can find
the instance ID in the name of the storage container for boot diagnostic logs.
To find the Firebox Cloud Instance ID:
1. In the Azure left navigation menu, select Storage accounts.
2. Click the name of the storage account associated with your Firebox Cloud instance.
3. Expand the Data Storage section, and select Containers.
4. To find the boot diagnostic container, click the container to view its details.
5. On the container details page, in the Location field, the name of the boot diagnostic container is in
the format:
<bootdiagnostics>-<vmname>-<vmid>
For example:
bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d, where
11111111-2222-3333-4444-f86331913a6d is the VMID.
6. Copy the VMID at the end of the container name.
You must have this instance ID to run the Firebox Cloud Setup Wizard.
Activate your Firebox Cloud License
For Firebox Cloud with a BYOL license, you must activate the Firebox Cloud serial number at
www.watchguard.com. Before you can activate Firebox Cloud, you must have the Firebox Cloud serial
number you received from WatchGuard.
To activate your Firebox Cloud license:
1. Go to www.watchguard.com.
2. Click Support.
3. Click Activate Products.
4. Log in to your WatchGuard Customer or Partner account. If you do not have an account, you can
create one.
5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Products.
6. When prompted, provide your Firebox Cloud serial number.
7. When activation is complete, copy the feature key and save it to a local file.
For more information about how to activate your Firebox Cloud license, go to Activate a WatchGuard
Device or Feature.
Run the Firebox Cloud Setup Wizard
After you deploy Firebox Cloud, you can connect to Fireware Web UI through the public IP address to
run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for
Firebox Cloud.
To run the Firebox Cloud Setup Wizard:
1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
https://<eth0_public_IP>:8080
2. Log in with the default Administrator account user name and passphrase:
- User name — admin
- Passphrase — The Firebox Cloud Instance ID
The Firebox Cloud Setup Wizard welcome page opens.
3. Click Next.
The setup wizard starts.
4. Review and accept the End-User License Agreement. Click Next.
5. Specify new passphrases for the built-in status and admin user accounts.
6. Click Next.
The configuration is saved to Firebox Cloud and the wizard is complete.
WatchGuard does not store any sensitive customer information in the Firebox
Cloud configuration or on the Azure cloud-based platform.
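Added example (not part of the WatchGuard guide): a pre-setup exposure check that ties together the External Network Security Group setting, the boot diagnostics container name format, and the default admin login described above. It reports which management ports an arbitrary Internet host can reach while the VM ID may still be the admin passphrase. The function names and sample data are constructed for illustration; the rule field names are assumed to follow the JSON printed by `az network nsg rule list -o json`.

```python
import re

# TCP ports the guide lists for the "Management Only" security group.
MGMT_PORTS = {8080: "Web UI", 4118: "CLI", 4117: "WatchGuard System Manager"}
# Source prefixes that match an arbitrary Internet host.
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Container name format from the guide: bootdiagnostics-<vmname>-<vmid>
CONTAINER_RE = re.compile(rf"^bootdiagnostics-(?P<vmname>.+)-(?P<vmid>{GUID})$")


def vm_id_from_container(name):
    """Return (vmname, vmid) from a boot diagnostics container name, or None.

    The VM ID is anchored at the end of the name, so a VM name that itself
    contains hyphens is still split correctly.
    """
    m = CONTAINER_RE.match(name)
    return (m.group("vmname"), m.group("vmid").lower()) if m else None


def _values(rule, singular, plural):
    """Merge the singular and plural forms of an NSG rule field."""
    merged = list(rule.get(plural) or [])
    if rule.get(singular):
        merged.append(rule[singular])
    return merged


def _covers_port(rule, port):
    """True if the rule's destination port ranges include the given port."""
    for item in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def internet_reachable_ports(rules):
    """Map each management port reachable from any source to the allowing rule.

    Rules are walked in priority order (lowest number first). Only a rule whose
    source matches any host can decide the outcome for an arbitrary Internet
    host; if no such rule matches, Azure's default DenyAllInBound applies.
    """
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    exposed = {}
    for port in MGMT_PORTS:
        for rule in inbound:
            sources = {s.lower() for s in
                       _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
            if rule["protocol"].lower() not in ("tcp", "*"):
                continue
            if not (sources & ANY_SOURCE) or not _covers_port(rule, port):
                continue
            if rule["access"].lower() == "allow":
                exposed[port] = rule["name"]
            break  # first matching any-source rule decides
    return exposed


def pre_setup_findings(container_names, rules):
    """List findings to resolve before or right after the first login."""
    exposed = internet_reachable_ports(rules)
    findings = [f"TCP {p} ({MGMT_PORTS[p]}) open to any source via rule '{exposed[p]}'"
                for p in sorted(exposed)]
    if 8080 in exposed:
        for parsed in map(vm_id_from_container, container_names):
            if parsed:
                findings.append(f"{parsed[0]}: Web UI is reachable from any source; run the "
                                "setup wizard now, since the VM ID is the default passphrase")
    return findings


# Constructed sample input.
SAMPLE_CONTAINERS = ["bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d",
                     "insights-logs"]
SAMPLE_RULES = [
    {"name": "Allow-Mgmt-Office", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRanges": ["8080", "4117-4118"]},
    {"name": "Deny-CLI", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "4118"},
    {"name": "Allow-Mgmt-Any", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["8080", "4117", "4118"]},
]

if __name__ == "__main__":
    for line in pre_setup_findings(SAMPLE_CONTAINERS, SAMPLE_RULES):
        print(line)
```

With the constructed rules, ports 8080 and 4117 are reported because the only any-source rule that covers them is an Allow, while 4118 is not because the higher-priority Deny-CLI rule decides first.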
Connect to Fireware Web UI
To connect to Fireware Web UI and administer Firebox Cloud:
1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:
https://<eth0_public_IP>:8080
2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox
Cloud Setup Wizard.
By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at
the same time. To prevent changes by more than one administrator at the same time, the configuration
is locked by default. To unlock the configuration so you can make changes, click .
If you prefer to allow only one Device Administrator to log in at the same time, select System > Global
Settings and clear the Enable more than one Device Administrator to log in at the same time check
box.
Microsoft Azure automatically terminates your management connection to
Firebox Cloud after 30 minutes of inactivity. To avoid unexpected disconnection of
your management session, do not set the Management Session Idle Timeout in
the Fireware Authentication > Settings page to a value higher than 30 minutes.
Add the Feature Key
If you have received or downloaded the Firebox Cloud feature key to a local file, in the Feature Key
Wizard select Yes I have a local copy of the feature key and paste the feature key into the wizard.
If you activated a Firebox Cloud license at www.watchguard.com, your feature key is available directly
from WatchGuard. You must add this feature key to the Firebox Cloud configuration to enable all
functionality and configuration options on Firebox Cloud.
After you add the feature key, Firebox Cloud automatically reboots with a new
serial number.
To add the feature key, from Fireware Web UI:
1. Select System > Feature Key.
The Feature Key Wizard page opens.
2. To unlock the configuration file, click .
3. To download and install the feature key, click Next.
4. On the Summary page, verify that your feature key was successfully installed.
When your feature key has been installed, Feature Key Retrieval Success appears on the Summary page.
5. Click Next.
The wizard completes and Firebox Cloud reboots with a new serial number.
Next Steps
After you run the setup wizard and add the feature key you can use Fireware Web UI or Policy Manager
to configure the settings for Firebox Cloud.
Enable Feature Key Synchronization
Enable Firebox Cloud to automatically check for feature key updates when services are about to expire.
To enable feature key synchronization, in Fireware Web UI:
1. Select System > Feature Key.
2. Select the Enable automatic feature key synchronization check box.
3. Click Save.
To enable feature key synchronization, in Policy Manager:
1. Connect to Firebox Cloud in WatchGuard System Manager.
2. Open Policy Manager.
3. Select System > Feature Keys.
4. Select the Enable automatic feature key synchronization check box.
5. Click Save.
Configure Firebox Cloud to Send Feedback to WatchGuard
To enable Firebox Cloud to send feedback, in Fireware Web UI:
1. Select System > Global Settings.
2. Select the Send advanced device feedback to WatchGuard check box.
3. Select the Send threat telemetry to WatchGuard check box (Fireware v12.11 and higher).
4. Select the Send Fault Reports to WatchGuard daily check box.
To enable Firebox Cloud to send feedback, in Policy Manager:
1. Connect to Firebox Cloud in WatchGuard System Manager.
2. Open Policy Manager.
3. Select Setup > Global Settings.
4. Select the Send advanced device feedback to WatchGuard check box.
5. Select the Send threat telemetry to WatchGuard check box (Fireware v12.11 and higher).
6. Select the Send Fault Reports to WatchGuard daily check box.
Configure Firewall Policies and Services
The default WatchGuard and WatchGuard Web UI policies allow management connections from any
computer on the trusted, optional, or external networks.
We strongly recommend that you do not allow management connections from
the external network, and that you edit the WatchGuard and WatchGuard Web UI
policies to remove the Any-External alias from the From list after you complete
initial configuration.
To allow management from only a specific computer on the external network, you can add the address
of that management computer to the From list in these policies.
Configure other policies and services as you would for any other Firebox.
Firebox Cloud does not support every Fireware feature. For a summary of the
differences between Firebox Cloud and other Firebox models, go to Firebox Cloud
Feature Differences.
Deploy Firebox Cloud on AWS
WatchGuard Firebox Cloud brings the proven protection of Firebox UTM appliances to public cloud
environments and enables organizations to extend their security perimeter to protect business critical
assets in Amazon Web Services. Under the AWS Shared Responsibility Model, security in the cloud falls
to the customer. For this reason, it is crucial that administrators take every step possible to defend their
data and deflect cyber criminals. Firebox Cloud can quickly and easily be deployed to protect a Virtual
Private Cloud (VPC) from attacks such as Botnets, cross-site scripting, SQL injection attempts, and
other intrusion vectors.
AWS Regions and Availability Zones
AWS has multiple AWS Regions. Each region contains several Availability Zones. A VPC can contain
subnets in different Availability Zones.
Regions available in AWS:
• Africa (Cape Town) — af-south-1
• Asia Pacific (Hong Kong) — ap-east-1
• Asia Pacific (Tokyo) — ap-northeast-1
• Asia Pacific (Seoul) — ap-northeast-2
• Asia Pacific (Osaka) — ap-northeast-3
• Asia Pacific (Mumbai) — ap-south-1
• Asia Pacific (Singapore) — ap-southeast-1
• Asia Pacific (Sydney) — ap-southeast-2
• Asia Pacific (Jakarta) — ap-southeast-3
• AWS GovCloud (US-East) — us-gov-east-1
• AWS GovCloud (US-West) — us-gov-west-1
• Canada (Central) — ca-central-1
• Europe (Frankfurt) — eu-central-1
• Europe (Ireland) — eu-west-1
• Europe (London) — eu-west-2
• Europe (Milan) — eu-south-1
• Europe (Paris) — eu-west-3
• Europe (Stockholm) — eu-north-1
• Middle East (Bahrain) — me-south-1
• South America (São Paulo) — sa-east-1
• US East (N. Virginia) — us-east-1
• US East (Ohio) — us-east-2
• US West (N. California) — us-west-1
• US West (Oregon) — us-west-2
If you deploy a Firebox Cloud instance with the following instructions, each virtual
machine instance is available in a single region and single availability zone.
AWS accounts have default quotas, or limits, for each AWS service. For
information, go to AWS Service Quotas.
Supported Instance Types
Firebox Cloud supports these instance sizes and families:
• M5
• C4
• C5
We strongly recommend you deploy your instance with C5 or M5 instance types.
For detailed information about supported EC2 instance types for Firebox Cloud (BYOL) and Firebox
Cloud (Hourly) specific to selected regions, go to the Firebox Cloud product information in the
AWS Marketplace.
For information about how to deploy load balancers with Firebox Cloud, go to
Deploy Firebox Cloud with AWS Load Balancers.
Before You Begin
Deployment of Firebox Cloud on AWS requires familiarity with AWS. We recommend you have
familiarity with networking, cloud networking, and network security.
For more information about how to get started with AWS, go to:
http://docs.aws.amazon.com/gettingstarted/latest/awsgsg-intro/gsg-aws-intro.html
For information about the AWS Management Console, go to:
http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html
AWS Identity and Access Management (IAM)
Before you can use Firebox Cloud, you must create an AWS account. When you set up your AWS
account, you specify billing information and the security credentials you use to connect to the AWS
Management Console.
AWS IAM is a web service that enables you to securely control access to AWS resources. You use
IAM to control who is authenticated and authorized to use resources. When you first create your AWS
account, you begin with a root user, which is a single sign-in identity that has complete access to all
AWS services and resources in the account. Because of this access, we recommend you do not use the
root user for your Firebox Cloud deployment or operations. The root user should only be used to create
your first IAM user.
To enable an IAM user to launch an instance with an IAM role or to attach or replace an IAM role for an
existing instance, you must grant the user permission to use the following API actions:
• iam:PassRole
• ec2:AssociateIamInstanceProfile
• ec2:ReplaceIamInstanceProfileAssociation
For more information about roles for Amazon EC2, go to IAM Roles for Amazon EC2.
For more information about policies and permissions, go to Policies and Permissions in IAM.
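The following is an added example, not WatchGuard or AWS code. It shows an identity policy that grants the three actions listed above, with iam:PassRole scoped to one role, and a simplified check that a policy document covers them. The account ID, role name, and function names are assumptions made for illustration.

```python
import fnmatch

# The three API actions this guide lists for launching an instance with an
# IAM role, or attaching or replacing a role on an existing instance.
REQUIRED_ACTIONS = (
    "iam:PassRole",
    "ec2:AssociateIamInstanceProfile",
    "ec2:ReplaceIamInstanceProfileAssociation",
)

# Constructed sample policy; the account ID and role name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassOnlyTheFireboxRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/ExampleFireboxCloudRole",
        },
        {
            "Sid": "ManageInstanceProfileAssociations",
            "Effect": "Allow",
            "Action": [
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(statement, action):
    """True if the statement's Action patterns (with * and ?) match the action."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else statements


def check_required_actions(policy):
    """Map each required action to 'allowed', 'denied' or 'missing'.

    Simplified on purpose: Resource, Condition and NotAction are ignored, and
    any matching Deny statement is reported as 'denied'.
    """
    result = {}
    for action in REQUIRED_ACTIONS:
        effects = {s.get("Effect") for s in _statements(policy) if _covers(s, action)}
        if "Deny" in effects:
            result[action] = "denied"
        elif "Allow" in effects:
            result[action] = "allowed"
        else:
            result[action] = "missing"
    return result


def unscoped_passrole(policy):
    """Sids of Allow statements that grant iam:PassRole on every role ('*')."""
    return [s.get("Sid", "(no Sid)") for s in _statements(policy)
            if s.get("Effect") == "Allow" and _covers(s, "iam:PassRole")
            and "*" in _as_list(s.get("Resource"))]


if __name__ == "__main__":
    print(check_required_actions(SAMPLE_POLICY))
    print("Unscoped iam:PassRole statements:", unscoped_passrole(SAMPLE_POLICY))
```

A statement that allows iam:PassRole on Resource "*" lets the user pass any role in the account to an instance, which is why the check reports it separately.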
Deployment Overview
This diagram shows a basic Firebox Cloud deployment on AWS.
All AWS services that are part of the deployment are mandatory to run Firebox Cloud. To deploy your
instance of Firebox Cloud on AWS, you must complete these procedures:
Allocate an Elastic IP address
Allocate an Elastic IP address from Amazon's pool of public IPv4 addresses, or from a custom
IP address you brought to your AWS account.
Create a Virtual Private Cloud (VPC)
Use the VPC Wizard to create a VPC with public and private subnets.
Create an instance of Firebox Cloud
Launch an EC2 instance for Firebox Cloud with these properties:
• VPC Configuration — VPC with Public and Private Subnets
• AMI — WatchGuard Firebox Cloud
• Instance Type — If you select Firebox Cloud with a BYOL license, make sure to select the
instance type that has the same number of vCPUs as the Firebox Cloud license you purchased
• Network — A VPC with public and private subnets
• Interfaces — Eth0 must use a public subnet; Eth1 must use a private subnet
• Storage — Keep the default size
• Security Group — Allow all inbound traffic
Disable the Source/Destination checks for Firebox Cloud
For your Firebox Cloud to function as a NAT device for your VPC, you must disable the
source/destination check for the instance of Firebox Cloud.
Assign an Elastic IP address to the instance of Firebox Cloud
Assign an Elastic IP (EIP) address to the eth0 interface for your instance of Firebox Cloud.
Configure the default route for the private network
Change the routing for the private subnet so that it uses the instance of Firebox Cloud as the
default gateway.
Check instance status
Check the state of the instance of Firebox Cloud to verify that it has powered up, that it has a
public IP address and DNS server assigned, and the correct security group is configured.
Each of these procedures is described in detail in the next sections. Deployment will take approximately
20 minutes.
Allocate or Associate an Elastic IP Address
Before you create a VPC, you must allocate or associate an elastic IP to the external interface. You can
either select an existing elastic IP, or allocate an elastic IP from Amazon's pool of IPv4 addresses.
Allocate an Elastic IP Address
To allocate an elastic IP:
1. Log in to the AWS Management Console at aws.amazon.com.
2. From the top navigation bar, select Services > Compute > EC2.
The EC2 Dashboard page opens.
3. In the Network & Security section, select Elastic IPs.
4. Click Allocate Elastic IP address.
The Allocate Elastic IP address page opens with Amazon's pool of IPv4 addresses selected.
5. Click Allocate and record your allocated elastic IP address.
Associate an Elastic IP Address
To associate an existing elastic IP address:
1. Log in to the AWS Management Console at aws.amazon.com.
2. From the top navigation bar, select Services > Compute > EC2.
The EC2 Dashboard page opens.
3. In the Network & Security section, select Elastic IPs.
4. Select the check box next to the elastic IP address you want to associate.
5. Select the Actions drop-down list. Click Associate Elastic IP address.
The Associate Elastic IP address page opens.
6. In the Resource type section, select Network interface.
7. In the Network interface drop-down list, select a network interface.
8. In the Private IP address drop-down list, select a private IP address.
9. Click Associate.
Create a VPC with Public and Private Subnets
If you do not already have a VPC with public and private subnets, you must create one.
To use the VPC Wizard to create a VPC:
1. Log in to the AWS Management Console at aws.amazon.com.
2. From the top navigation bar, select Services > Networking & Content Delivery > VPC.
The VPC Dashboard page opens.
3. Click Create VPC.
4. In the VPC settings section, select VPC and more.
5. In the Name tag auto-generation section, you can edit the name tag of individual resources, or
auto-generate the name tags. Clear the Auto-generate check box to edit the name tags of your VPC
and subnets.
6. In the IPv6 CIDR block section, select Amazon-provided IPv6 CIDR block for the VPC.
7. Configure the Availability Zone for each subnet. Make sure that the public subnet and private
subnet are in the same zone.
8. (Optional). If you use two or more availability zones, you can customize the order of the availability
zones. For more information, go to Regions and Zones.
9. Configure at least one public and one private subnet for each Availability Zone the VPC is in. You
can use the default public and private subnets or select other subnets. AWS requires that each
subnet include enough space for at least 16 IP addresses.
10. Configure the NAT gateways, VPC endpoints, and DNS options.
11. Click Create VPC.
The wizard creates the VPC.
Create an Instance of Firebox Cloud
From the EC2 dashboard, you can create an EC2 instance for Firebox Cloud.
To launch an instance of Firebox Cloud:
1. Log in to the AWS Management Console at aws.amazon.com.
2. From the top navigation bar, select Services > Compute > EC2.
The EC2 Dashboard page opens.
3. From the navigation menu, in the Instances section, click Instances.
4. Click Launch instances.
5. In the Name text box, enter a name for your instance.
6. In the Application and OS Images (Amazon Machine Image) search text box, enter Firebox and
select the AWS Marketplace AMIs tab.
7. Select WatchGuard Firebox Cloud Hourly or BYOL.
8. Click Continue if you already have a license, or Subscribe on instance launch or Subscribe now if
you do not have a subscription.
9. In the Instance type section, select the AWS instance type from the drop-down list or from the
Compare instance types page. If you selected Firebox Cloud with a BYOL license, select an
instance that has the number of vCPUs your Firebox Cloud license supports.
• For information about the maximum number of vCPUs supported for each Firebox Cloud
model, go to Firebox Cloud License Options.
• For information about supported EC2 instance types for Firebox Cloud (BYOL) and Firebox
Cloud (Hourly), go to the Firebox Cloud product information in the AWS Marketplace.
10. In the Key pair (login) section, select or create a key pair for SSH authentication. The key pair is
needed only for SSH connections to the Fireware command line interface (CLI) for Firebox Cloud.
You do not need the key pair to connect to Fireware Web UI. If you proceed without a key pair, you
can log in to Fireware Web UI, but you cannot connect to the CLI from outside of the VPC.
a. To use an existing key pair, select a key pair from the drop-down list.
b. To create a new key pair, select Create new key pair.
The Create key pair dialog box opens.
c. In the Key pair name text box, type a name for the new key pair.
d. In the Key pair type section, make sure that RSA is selected. Firebox Cloud supports RSA
SSH Format.
e. Click Create key pair.
The .PEM file that contains the private key is downloaded.
f. Save the private key to a location that is secure and accessible. You cannot download the
private key file again.
Save the private key file in a secure location. You must provide the private key to
connect to the Fireware command line interface.
11. In the Network settings section, click Edit.
a. From the VPC drop-down list, select your VPC.
b. From the Subnet drop-down list, select the public subnet to use for eth0.
c. From the Auto-assign public IP drop-down list, select Disable.
d. In the Firewall (security groups) section, select Create security group. By default, the
instance uses a security group that functions as a basic firewall. Because Firebox Cloud is a
firewall, you must add a new security group that allows all traffic, and assign that security
group to this EC2 instance.
e. Edit the Security group name and Description.
f. In the Inbound Security Groups Rules section, configure an existing security group rule or
add a new security group rule. Make sure that the security group rule selected allows all
traffic. From the Type drop-down list, select All traffic.
12. To add a second interface, expand the Advanced network configuration section.
• Description — Type a description for the new network interface.
• Subnet — The subnet in which to create the new network interface. For the primary network
interface (eth0), this is the subnet used to launch the instance. If you enter an existing
network interface for eth0, the instance is launched in the subnet where the network
interface is located.
• Security groups — The security group in your VPC to associate with the network interface.
• Primary IP — A private IPv4 address from the range of your subnet. Leave blank to allow
Amazon EC2 to select a private IPv4 address.
• Secondary IP — One or more additional private IPv4 addresses from the range of your
subnet. Select Manually assign and enter an IP address or select Automatically assign to
allow Amazon EC2 to select an IP address, and enter a value to indicate the number of IP
addresses to add.
• IPv6 IPs — An IPv6 address from the range of the subnet. Select Manually assign and enter
an IP address or select Automatically assign to allow Amazon EC2 to select an IP address, and
enter a value to indicate the number of IP addresses to add.
• IPv4 Prefixes — The IPv4 prefixes for the network interface.
• IPv6 Prefixes — The IPv6 prefixes for the network interface.
• Delete on termination — Select Yes or No to delete the network interface when the instance
is deleted.
• Interface type — Select ENA and EFA, or EFA-only.
  ◦ If you select ENA and EFA, the network interface is created with an EFA device for
  low-latency, high-throughput communication, and an ENA device for IP networking.
  ◦ If you select EFA-only, the network interface is created with an EFA device only. It does
  not support IP networking.
• ENA Express — If you enable ENA Express, you enable supported instances to communicate
with AWS Scalable Reliable Datagram (SRD) technology. SRD is a high performance network
transport protocol that uses dynamic routing to increase throughput and minimize tail
latency. ENA Express enables you to communicate between two EC2 instances in the same
Availability Zone.
Available network configuration options depend on your instance type.
13. In the Configure Storage section, use the default storage size.
14. Review the Summary side panel. Click Launch instance.
Disable Source/Destination Checks
By default, each EC2 instance completes source/destination checks. For the networks on your VPC to
successfully use your instance of Firebox Cloud for NAT, you must disable the source/destination
check for the network interfaces assigned to the instance of Firebox Cloud.
To disable source/destination checks for the public interface:
1. From the EC2 Management Console, select Instances > Instances.
2. Select the check box next to the instance of Firebox Cloud.
3. Select Actions > Networking > Change source/destination check.
The Source / destination check dialog box opens.
4. Select the Stop check box.
5. Click Save.
Assign an Elastic IP Address to the External Interface
You must assign an Elastic IP (EIP) address to the eth0 interface for the instance of Firebox Cloud. To
make sure you assign it to the correct interface, find and copy the eth0 interface ID for your instance of
Firebox Cloud.
To find the eth0 interface ID for your instance of Firebox Cloud:
1. From the EC2 Dashboard, select Instances.
2. Select the instance of Firebox Cloud.
The instance details appear.
3. Select the Networking tab.
4. In the Network interfaces section, copy the Interface ID from the Primary network interface.
The Interface ID copied confirmation is displayed.
To associate the Elastic IP address with the eth0 interface:
1. From the EC2 Management Console, select Network & Security > Elastic IPs.
2. Select an available Elastic IP address.
3. Select Actions > Associate Elastic IP Address.
The Associate Elastic IP Address page opens.
4. In the Resource type settings, select Network interface.
5. In the Network Interface text box, paste the Interface ID for eth0.
6. Click Associate.
You can now use the EIP address to connect to Fireware Web UI for your instance of Firebox Cloud.
To connect to Fireware Web UI, open a web browser and go to https://<eth0_EIP>:8080.
Configure the Default Route
To enable Firebox Cloud to control outbound traffic from the private network connected to eth1, you
must change the route table for the private subnet so that it uses Firebox Cloud as the default gateway.
To find the network interface ID of the private network:
1. On the EC2 dashboard, select Network & Security > Network Interfaces.
2. Find the private network interface for your instance ID. It is the interface that does not have a public
IP address assigned.
3. Copy the network interface ID.
To edit the route table:
1. Select Services > VPC.
2. In the Virtual Private Cloud section, select Route tables.
3. To find the interface for the private network, select each route table for your VPC one at a time.
The route table details appear, with the interface information for each route table.
4. To view the routes for each network, select the Routes tab.
5. On the Routes tab for the private network, click Edit routes.
6. In the Target text box, paste the Interface ID over the NAT Gateway ID.
The route status changes from Black Hole to Active.
7. Click Save routes.
Verify the Instance Status
After you finish all the steps to deploy your instance of Firebox Cloud, review the instance details on the
EC2 Instances page to verify that:
• Public IP address and Public DNS server are assigned
• The security group to allow all traffic is assigned
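The following added example, which is not WatchGuard or AWS code, turns the deployment procedures above into automated checks: source/destination checks disabled, an Elastic IP on eth0, the private subnet's default route pointing at the eth1 interface, and a security group that allows all traffic. The sample data is constructed and trimmed to the fields read here, in the JSON shape returned by the AWS CLI describe-instances, describe-route-tables and describe-security-groups commands; all IDs, addresses and function names are assumptions.

```python
# Constructed sample data; every ID and address is a placeholder. It contains
# two deliberate defects: eth1 still has the source/destination check enabled,
# and the private default route still targets a deleted NAT gateway.
INSTANCE = {
    "InstanceId": "i-0example",
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa", "SubnetId": "subnet-public",
         "SourceDestCheck": False, "Attachment": {"DeviceIndex": 0},
         "Association": {"PublicIp": "203.0.113.10"},
         "Groups": [{"GroupId": "sg-0allow"}]},
        {"NetworkInterfaceId": "eni-0bbb", "SubnetId": "subnet-private",
         "SourceDestCheck": True, "Attachment": {"DeviceIndex": 1},
         "Groups": [{"GroupId": "sg-0allow"}]},
    ],
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
          "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0gone",
          "State": "blackhole"},
     ]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0allow",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def allows_all_inbound(group):
    """True if the group has an inbound rule for all protocols from 0.0.0.0/0."""
    return any(p.get("IpProtocol") == "-1"
               and any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
               for p in group.get("IpPermissions", []))


def verify_firebox_deployment(instance, route_tables, security_groups):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    nics = {n["Attachment"]["DeviceIndex"]: n for n in instance["NetworkInterfaces"]}
    eth0, eth1 = nics.get(0), nics.get(1)
    if eth0 is None or eth1 is None:
        return ["instance needs both eth0 (public) and eth1 (private)"]

    # Disable Source/Destination Checks: required for Firebox Cloud to do NAT.
    for index, nic in sorted(nics.items()):
        if nic.get("SourceDestCheck", True):
            findings.append(f"eth{index} {nic['NetworkInterfaceId']}: "
                            "source/destination check is still enabled")

    # Assign an Elastic IP Address to the External Interface (eth0 only).
    if not eth0.get("Association", {}).get("PublicIp"):
        findings.append(f"eth0 {eth0['NetworkInterfaceId']}: no Elastic IP associated")
    if eth1.get("Association", {}).get("PublicIp"):
        findings.append(f"eth1 {eth1['NetworkInterfaceId']}: has a public IP")

    # Configure the Default Route: the private subnet's 0.0.0.0/0 route must
    # target the eth1 interface and be active, not a black hole.
    tables = [t for t in route_tables
              if any(a.get("SubnetId") == eth1["SubnetId"]
                     for a in t.get("Associations", []))]
    if not tables:
        findings.append(f"{eth1['SubnetId']}: no route table explicitly associated")
    for table in tables:
        default = next((r for r in table["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            findings.append(f"{table['RouteTableId']}: no default route")
        elif (default.get("NetworkInterfaceId") != eth1["NetworkInterfaceId"]
              or default.get("State") != "active"):
            findings.append(f"{table['RouteTableId']}: default route is not an "
                            f"active route to {eth1['NetworkInterfaceId']}")

    # Verify the Instance Status: the allow-all security group is assigned.
    groups = {g["GroupId"]: g for g in security_groups}
    for ref in eth0.get("Groups", []):
        group = groups.get(ref["GroupId"])
        if group is None or not allows_all_inbound(group):
            findings.append(f"{ref['GroupId']}: does not allow all inbound traffic")
    return findings


if __name__ == "__main__":
    for finding in verify_firebox_deployment(INSTANCE, ROUTE_TABLES, SECURITY_GROUPS):
        print("FINDING:", finding)
```

Because the security group passes all traffic, the Firebox Cloud policies are the only filter in front of the instance, so rerun a check like this after any change to the VPC.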
If you delete the Firebox Cloud VM, make sure you delete the associated resources
to avoid additional charges.
Find the Instance ID (VM ID)
After you deploy your Firebox Cloud instance, you must find the Instance ID, also known as the VM ID.
You need this ID to log in to Fireware Web UI and run the Firebox Cloud Setup Wizard.
To find the Firebox Cloud Instance ID:
1. From the EC2 Management Console, select Instances > Instances.
2. Open your instance.
3. Copy the Instance ID.
You must have this instance ID to run the Firebox Cloud Setup Wizard.
Activate your Firebox Cloud License (BYOL Only)
For Firebox Cloud with a BYOL license, you must activate the Firebox Cloud serial number at
www.watchguard.com. Before you can activate Firebox Cloud, you must have the Firebox Cloud serial
number you received from WatchGuard.
To activate your Firebox Cloud license:
1. Go to www.watchguard.com.
2. Click Support.
3. Click Activate Products.
4. Log in to your WatchGuard Customer or Partner account. If you do not have an account, you can
create one.
5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Products.
6. When prompted, provide your Firebox Cloud serial number.
7. When activation is complete, copy the feature key and save it to a local file.
Run the Firebox Cloud Setup Wizard
After you deploy Firebox Cloud, you can connect to Fireware Web UI through the public IP address to
run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for
Firebox Cloud.
To run the Firebox Cloud Setup Wizard:
1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
https://<eth0_public_IP>:8080
2. Log in with the default Administrator account user name and passphrase:
• User name — admin
• Passphrase — The Firebox Cloud Instance ID
The Firebox Cloud Setup Wizard welcome page opens.
3. Click Next.
The setup wizard starts.
4. Review and accept the End-User License Agreement. Click Next.
5. Specify new passphrases for the built-in status and admin user accounts.
6. Click Next.
The configuration is saved to Firebox Cloud and the wizard is complete.
WatchGuard does not store any sensitive customer information in the Firebox
Cloud configuration or on the AWS cloud-based platform.
Connect to Fireware Web UI
To connect to Fireware Web UI and administer Firebox Cloud:
1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:
https://<eth0_public_IP>:8080
2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox
Cloud Setup Wizard.
By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at
the same time. To prevent changes by more than one administrator at the same time, the configuration
is locked by default. To unlock the configuration so you can make changes, click .
If you prefer to allow only one Device Administrator to log in at the same time, select System > Global
Settings and clear the Enable more than one Device Administrator to log in at the same time check
box.
Add the Feature Key (BYOL Only)
If you activated a Firebox Cloud license at www.watchguard.com, your feature key is available directly
from WatchGuard. You must add this feature key to the Firebox Cloud configuration to enable all
functionality and configuration options on Firebox Cloud.
After you add the feature key, Firebox Cloud automatically reboots with a new
serial number.
To add the feature key, from Fireware Web UI:
1. Select System > Feature Key.
The Feature Key Wizard page opens.
2. To unlock the configuration file, click .
3. To download and install the feature key, click Next.
4. On the Summary page, verify that your feature key was successfully installed.
When your feature key has been installed, Feature Key Retrieval Success appears on the Summary page.
5. Click Next.
The wizard completes and Firebox Cloud reboots with a new serial number.
Next Steps
After you run the setup wizard and add the feature key you can use Fireware Web UI or Policy Manager
to configure the settings for Firebox Cloud.
Enable Feature Key Synchronization
Enable Firebox Cloud to automatically check for feature key updates when services are about to expire.
To enable feature key synchronization, in Fireware Web UI:
1. Select System > Feature Key.
2. Select the Enable automatic feature key synchronization check box.
3. Click Save.
To enable feature key synchronization, in Policy Manager:
1. Connect to Firebox Cloud in WatchGuard System Manager.
2. Open Policy Manager.
3. Select System > Feature Keys.
4. Select the Enable automatic feature key synchronization check box.
5. Click Save.
Configure Firebox Cloud to Send Feedback to WatchGuard
To enable Firebox Cloud to send feedback, in Fireware Web UI:
1. Select System > Global Settings.
2. Select the Send advanced device feedback to WatchGuard check box.
3. Select the Send threat telemetry to WatchGuard check box (Fireware v12.11 and higher).
4. Select the Send Fault Reports to WatchGuard daily check box.
To enable Firebox Cloud to send feedback, in Policy Manager:
1. Connect to Firebox Cloud in WatchGuard System Manager.
2. Open Policy Manager.
3. Select Setup > Global Settings.
4. Select the Send advanced device feedback to WatchGuard check box.
5. Select the Send threat telemetry to WatchGuard check box (Fireware v12.11 and higher).
6. Select the Send Fault Reports to WatchGuard daily check box.
Configure Firewall Policies and Services
The default WatchGuard and WatchGuard Web UI policies allow management connections from any
computer on the trusted, optional, or external networks.
We strongly recommend that you do not allow management connections from
the external network, and that you edit the WatchGuard and WatchGuard Web UI
policies to remove the Any-External alias from the From list after you complete
initial configuration.
To allow management from only a specific computer on the external network, you can add the address
of that management computer to the From list in these policies.
Configure other policies and services as you would for any other Firebox.
Firebox Cloud does not support every Fireware feature. For a summary of the
differences between Firebox Cloud and other Firebox models, go to Firebox Cloud
Feature Differences.
Troubleshooting
If you experience issues with your Firebox Cloud deployment on AWS, check to make sure that you have
followed the procedures in the Deployment Overview section:
• Allocate an Elastic IP address
• Create a Virtual Private Cloud (VPC)
• Create an instance of Firebox Cloud
• Disable the Source/Destination checks for Firebox Cloud
• Configure the default route for the private network
• Check the instance status. With instance status monitoring, you can check if Amazon EC2 has
detected any problems with the health of your instance and set up an Amazon CloudWatch alarm.
For more information, go to Status checks for your instances.
Firebox Cloud Feature Differences
Because Firebox Cloud is optimized to protect servers in a virtual private cloud, some setup
requirements, configuration options, and available features are different from other Firebox models.
This section summarizes the differences between Firebox Cloud and other Fireboxes.
Administration
You use Fireware Web UI, WatchGuard System Manager, Dimension Command, or WatchGuard Cloud to
manage a Firebox Cloud instance. You can use WatchGuard Cloud or WatchGuard Dimension to
monitor the traffic and security status of the networks your Firebox protects.
To add a Firebox Cloud instance to WatchGuard Cloud, the Firebox Cloud instance must have a BYOL
license.
To manage Firebox Cloud from Policy Manager or a WatchGuard Management Server you must install
WatchGuard System Manager v12.2 or higher.
Licensing and Services
For Firebox Cloud with a BYOL license, you must activate a license key for Firebox Cloud on the
WatchGuard website, and add the feature key to your instance of Firebox Cloud. For more information,
go to Deploy Firebox Cloud on AWS or Deploy Firebox Cloud on Microsoft Azure.
Most supported features and services are included with Firebox Cloud. Some security services are
supported only for Firebox Cloud with a BYOL license. For information about license options and
supported services, go to Firebox Cloud License Options.
Network Interfaces
Firebox Cloud supports two to eight interfaces. It supports one external interface (eth0), and up to
seven private interfaces (eth1–eth7). All Firebox Cloud interfaces use DHCP to request an IP address.
Because you must configure all network interface IP addresses and settings in AWS or Azure, you
cannot configure the network interfaces in Fireware Web UI. The Network > Interfaces configuration
page is not visible in Fireware Web UI for Firebox Cloud.
For Firebox Cloud on AWS, you assign an Elastic IP (EIP) address to the external interface. For Firebox
Cloud on Azure, you can configure the external interface with a dynamic or static IP address. The
internal IP addresses are assigned based on the private networks assigned to your Firebox Cloud
instance in AWS or Azure.
Firebox Cloud supports one or more secondary IP addresses on the external interface.
For more information about multiple IP addresses in AWS, go to Multiple IP Addresses for your EC2
instances.
For more information about how to assign multiple IP addresses in Azure, go to Assign Multiple IP
Addresses to Virtual Machines Using the Azure Portal.
Default Firebox Configuration
When you launch an instance of Firebox Cloud, it automatically starts with a default configuration. For
Firebox Cloud with a BYOL license, you must get a feature key to enable configuration of all features.
The Firebox Cloud Setup Wizard runs the first time you connect to Fireware Web UI. In the wizard you
accept the End User License Agreement and choose new passphrases.
After you run the setup wizard, the default configuration for Firebox Cloud is different from other
Firebox models in these ways:
• All interfaces use DHCP to obtain a primary IPv4 address
• Firebox Cloud allows more than one Device Administrator to connect at the same time
• You can connect to any interface for administration with Fireware Web UI
• The default policies allow management connections and pings to Firebox Cloud, but do not allow
outbound traffic from private subnets through Firebox Cloud
• Licensed subscription services are not configured by default
The default WatchGuard and WatchGuard Web UI policies allow management connections from any
computer on the trusted, optional, or external networks.
We strongly recommend that you do not allow management connections from
the external network, and that you edit the WatchGuard and WatchGuard Web UI
policies to remove the Any-External alias from the From list after you complete
initial configuration.
To allow management from only a specific computer on the external network, you can add the address
of that management computer to the From list in these policies.
Fireware Features
Firebox Cloud supports most policy and security features available on other Firebox models. It supports
a subset of networking features appropriate for the AWS environment. For supported features, the
available configuration settings are the same as for any other Firebox. Most features and options that
are not supported for Firebox Cloud do not appear in Fireware Web UI.
Networking features not supported:
• Drop-in mode and Bridge mode
• DHCP server and DHCP relay (all interfaces are DHCP clients)
• PPPoE
• IPv6
• Multi-WAN (includes sticky connections and policy-based routing)
• ARP entries
• Link Aggregation
• VLANs
• FireCluster
• Bridge interfaces
• DNS forwarding and conditional DNS forwarding
Policies and Security Services not supported:
• Explicit-proxy and Proxy Auto-Configuration (PAC) files
• Quotas
• DNSWatch (supported with a BYOL license only)
• Network Discovery
• Mobile Security
Authentication features not supported:
• Hotspot
Firebox Cloud supports Single Sign-On (SSO) in Fireware v12.2 or higher.
System Administration features not supported:
• Logon disclaimer for device management connections
• USB drive for backup and restore
Other features not supported:
• Gateway Wireless Controller
• Mobile VPN with SSL Bridge VPN Traffic option
• SD-WAN
Features you cannot configure from Fireware Web UI:
• Change the logging settings for default packet handling options
• Edit the name of an existing policy
• Add a custom address to a policy
• Use a host name (DNS lookup) to add an IP address to a policy
• Add or edit a secondary PPPoE interface
It is possible to configure some features, such as IPv6 routes, that are not
supported for Firebox Cloud. This does not enable the unsupported feature, but
does no harm.
View Firebox Cloud VM Information
You can view information about the Firebox Cloud virtual machine in Fireware Web UI and Firebox
System Manager.
VM Information in Fireware Web UI
For Firebox Cloud, some pages in Fireware Web UI include information about the Firebox Cloud virtual
machine and virtual interfaces.
The Front Panel Dashboard
For Firebox Cloud, the Front Panel dashboard page includes this information about the Firebox Cloud
instance:
• Instance ID — The virtual machine identifier
• Instance Type — The type of AWS or Azure virtual machine instance
• Availability Zone — The AWS Availability Zone or Azure region where the Firebox Cloud virtual
machine is deployed
The VM Information System Status Page
The System Status > VM Information page includes more details about the Firebox Cloud virtual
machine.
The VM Information for Firebox Cloud for AWS includes:
• Instance ID — The virtual machine identifier
• Instance Type — The type of AWS virtual machine instance
• Availability Zone — The AWS Availability Zone
• Public Hostname — The public host name of the Firebox Cloud virtual machine
• Public IPv4 Address — The public IPv4 address for the external interface
• Security Group — The AWS security group
• Public Key — The public key for this Firebox Cloud virtual machine
The VM Information for Firebox Cloud for Azure includes:
• VM ID — The virtual machine ID. This is the same as the Instance ID on the Front Panel.
• VM Size — The Azure VM size. This is the same as the Instance Type on the Front Panel.
• Location — The Azure region. This is the same as the Availability Zone on the Front Panel.
• Public Hostname — The host name for the Firebox Cloud instance external interface
• Public IPv4 Address — The public IPv4 address for the external interface
The Interfaces Dashboard
The Interfaces Dashboard page includes information about the status of virtual network interfaces
associated with each Firebox Cloud interface. The content shown in the Detail tab varies slightly for
Firebox Cloud on AWS or Azure.
For Firebox Cloud on AWS, the Interfaces Dashboard page includes this information:
• Interface ID — The elastic network interface (eni) ID
• Public Hostname — The public DNS host name for the external interface
• Public IPv4 address — The public IPv4 address for the external interface
• Local Hostname — The private DNS host name for the network interface
• Device Number — The interface number
• VPC ID — The ID of the VPC where the instance of Firebox Cloud is deployed
• Link Status — The link status of each interface (Up or Down)
• DNS Servers — The list of DNS servers that generate the public IPv4 address
The Interfaces Dashboard for a Firebox Cloud instance on AWS
For Firebox Cloud on Azure, the Interfaces Dashboard page includes this information:
• Public IPv4 address — The public IPv4 address for the external interface
• Local IPv4 address — The private IPv4 address for the external interface
• Device Number — The interface number
• Link Status — The link status of each interface (Up or Down)
• DNS Servers — The list of DNS servers that generate the public IPv4 address
The Interfaces Dashboard for a Firebox Cloud instance on Azure
You can also view some information about the virtual machine in Firebox System Manager, as
described in the next section.
VM Information in Firebox System Manager
To use Firebox System Manager to monitor Firebox Cloud, you must install WatchGuard System
Manager v12.2 or higher. When you use Firebox System Manager to manage Firebox Cloud, the
VM Information tab shows information about the Firebox Cloud virtual machine.
The VM Information for Firebox Cloud for AWS includes:
• Instance ID — The virtual machine identifier
• Instance Type — The type of AWS virtual machine instance
• Availability Zone — The AWS Availability Zone
• Public Hostname — The public host name of the Firebox Cloud virtual machine
• Public IPv4 Address — The public IPv4 address for the external interface
• Security Group — The AWS security group
• Public Key — The public key for this Firebox Cloud virtual machine
The VM Information for Firebox Cloud for Azure includes:
• VM ID — The virtual machine ID. This is the same as the Instance ID on the Front Panel.
• VM Size — The Azure VM size. This is the same as the Instance Type on the Front Panel.
• Location — The Azure region. This is the same as the Availability Zone on the Front Panel.
• Public Hostname — The host name for the Firebox Cloud instance external interface
• Public IPv4 Address — The public IPv4 address for the external interface
Use Firebox Cloud to Protect a Web Server
You can configure the proxy policies and subscription services in your Firebox Cloud configuration file
to protect a web server on the virtual network connected to your Firebox Cloud instance.
For more information about Firebox Cloud features, go to:
• Introduction to Firebox Cloud
• Firebox Cloud Feature Differences
Step 1 — Launch an Instance of Firebox Cloud
To protect a web server with Firebox Cloud, you must launch an instance of Firebox Cloud in the same
virtual network as the web server you want to protect. You must assign a public IP address to eth0 of
the Firebox Cloud instance. This is the public IP address of Firebox Cloud. The web server to protect
must be on the private subnet of the virtual network where you deploy the instance of Firebox Cloud.
For detailed steps to launch and configure a Firebox Cloud instance on AWS or Azure, go to:
• Deploy Firebox Cloud on AWS
• Deploy Firebox Cloud on Microsoft Azure
After you deploy the instance of Firebox Cloud, connect to it with Fireware Web UI at the public
IP address of the Firebox external interface:
https://<eth0_public_IP>:8080
After you have connected to Fireware Web UI for your instance of Firebox Cloud, you can configure your
Firebox Cloud.
Step 2 — Add A Static NAT Action
Add a static NAT action for traffic from the external interface to the internal IP address of the web
server. You can then use the static NAT action in policies that allow traffic to your web server.
To add a static NAT action, from Fireware Web UI:
1. Select Firewall > SNAT.
2. Add a static NAT action that allows traffic from the external interface to the private IP address of
the web server. In Fireware v12.2 or higher, you can also specify an FQDN in the static NAT action.
3. Click Save.
Step 3 — Add HTTP and HTTPS Proxy Policies
After you add the static NAT action, to allow HTTP and HTTPS traffic to the web server, you can add
proxy policies that use the new static NAT action. You also clone the predefined proxy actions for each
policy and create user-defined proxy actions that you can edit.
Add an HTTP-Proxy Policy
To allow HTTP traffic through Firebox Cloud to the web server over port 80, you must add an
HTTP-proxy policy to the Firebox Cloud configuration.
To add the HTTP-Proxy policy, from Fireware Web UI:
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. Select Proxies.
4. Select the HTTP-proxy and the HTTP-Server.Standard proxy action.
5. Click Add Policy.
By default, the policy allows traffic from Any-External to Any-Trusted.
6. From the policy To list, remove Any-Trusted, then click Add.
7. From the Member type drop-down list, select Static NAT and select the static NAT action you
added. Click OK.
The static NAT action is added to the policy.
To select a user-defined proxy action for HTTP traffic:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select Clone the current proxy action.
A user-defined proxy action based on the predefined proxy action is created and assigned to the policy. The cloned proxy
action has a number appended to the name. For example, HTTP-Server.Standard.1.
3. Click Save.
Add an HTTPS-Proxy Policy
To allow secure web traffic (HTTPS) to your web server, you must also add an HTTPS-proxy policy that
allows HTTPS connections to the server over port 443. In the proxy configuration, you clone the
predefined HTTPS proxy action and enable inspection of HTTPS content.
To add the HTTPS-proxy policy, from Fireware Web UI:
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. Select Proxies.
4. Select the HTTPS-proxy and the HTTPS-Server.Standard proxy action.
5. Click Add Policy.
By default, the policy allows traffic from Any-External to Any-Trusted.
6. From the To list, remove Any-Trusted, then click Add.
7. From the Member type drop-down list, select Static NAT and select the static NAT action you
added. Click OK.
The static NAT action is added to the policy.
To select a user-defined proxy action and enable inspection of HTTPS content:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select Clone the current proxy action.
A user-defined proxy action based on the predefined proxy action is created and assigned to the policy. The cloned proxy
action has a number appended to the name. For example, HTTPS-Server.Standard.1.
3. In the HTTPS Proxy Action Settings section, select the Content Inspection tab.
4. Select the Enable Content Inspection check box.
5. From the Proxy Action drop-down list, select the user-defined HTTP proxy action you created when
you cloned the HTTP proxy action in the HTTP-Proxy policy. For example, select
HTTP-Server.Standard.1.
6. Click Save.
Import a Proxy Server Certificate
If you enable inspection of HTTPS content, the HTTPS proxy intercepts the HTTPS request and starts a
new connection to the destination HTTPS server on behalf of the client. The HTTPS proxy in your
Firebox Cloud configuration sends a self-signed certificate to the client that originated the connection.
To avoid certificate errors in the web browser for users that connect to the server with HTTPS, you must
get the proxy server certificate and key pair from the web server and import it to Firebox Cloud as a
proxy server certificate.
To import the certificate, from Fireware Web UI:
1. Select System > Certificates.
2. Select Import Certificate.
3. For the Certificate Function, select Proxy Server.
4. Import the certificate file from your web server.
5. Save the configuration.
For more information, go to Manage Device Certificates (Web UI) in Fireware Help.
Step 4 — Enable Subscription Services
Firebox Cloud includes activated subscription services you can use to control network traffic. Follow
the instructions in these procedures to enable subscription services for the HTTP and HTTPS proxy
policies.
Enable Gateway AntiVirus
Gateway AntiVirus works with the SMTP, POP3, HTTP, FTP, and TCP-UDP proxies. When a new virus is
identified, the features that make the virus unique are recorded. These recorded features are known as
the signature. Gateway AntiVirus uses these signatures to find viruses when content is scanned by the
proxy.
To enable Gateway AntiVirus in the user-defined HTTP-proxy action assigned to your HTTP-proxy policy,
from Fireware Web UI:
1. Select Subscription Services > Gateway AV.
The Gateway AntiVirus Activation Wizard starts automatically if Gateway AntiVirus is not already enabled.
2. Complete the wizard.
Enable Intrusion Prevention Service (IPS)
Intrusion Prevention Service (IPS) provides real-time protection from threats, such as spyware, SQL
injections, cross-site scripting, and buffer overflows.
To enable IPS, from Fireware Web UI:
1. Select Subscription Services > IPS.
2. Select the Enable Intrusion Prevention check box.
3. Make sure that IPS is enabled in the HTTP-proxy and HTTPS-proxy policies you added.
Enable Botnet Detection
The Botnet Detection subscription service uses a feed of known botnet site IP addresses gathered by
Reputation Enabled Defense (RED). These known botnet sites are added to the Blocked Sites List that
enables Firebox Cloud to block these sites at the packet level.
To enable Botnet Detection, from Fireware Web UI:
1. Select Subscription Services > Botnet Detection.
2. Select the Block traffic from suspected botnet sites check box.
3. Click Save.
Enable Data Loss Prevention
The Data Loss Prevention (DLP) service enables you to detect, monitor, and prevent accidental
unauthorized transmission of confidential information outside your network or across network
boundaries. You can use the built-in PCI Audit or HIPAA Audit sensors, or create your own sensor.
For example, to enable Data Loss Prevention for PCI compliance, from Fireware Web UI:
1. Select Subscription Services > Data Loss Prevention.
2. Select the Enable Data Loss Prevention check box.
3. Select the Policies tab.
4. Configure the HTTP-proxy and HTTPS-proxy to use the PCI Audit Sensor.
5. Click Save.
The default Data Loss Prevention sensors monitor and send log messages when they detect data that
matches the rules enabled in the sensor. To change the action for the sensor, you can clone the sensor
and then edit the settings in the new sensor.
Configure Geolocation
The Geolocation subscription service uses a database of IP addresses and countries to identify the
geographic location of connections through the Firebox. Geolocation is enabled by default. You can
configure Geolocation to block connections to or from specific regions.
WARNING: If your internal network configuration includes IP addresses outside
the reserved private IP address ranges defined in RFC 1918, RFC 5737, or RFC
3330, make sure to look up the geolocation of the IP addresses in your network
before you block a country.
To look up the geolocation of an IP address, from Fireware Web UI:
1. Select Dashboard > Geolocation > Lookup.
2. Specify the IP address to look up.
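To find which internal subnets the warning applies to, this added example (not part of the guide) subtracts the RFC 1918 and RFC 5737 blocks from each subnet and returns what is left to check in Dashboard > Geolocation > Lookup. The subnet list is constructed sample data, and other RFC 3330 special-use blocks are not in the reserved list; add the ones your network uses.

```python
import ipaddress

# Reserved IPv4 blocks named in the warning. Only RFC 1918 and RFC 5737 are
# listed (assumption: add any other RFC 3330 special-use blocks you rely on).
RESERVED_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
        "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # RFC 5737
    )
]


def outside_reserved(net):
    """Return the parts of an IPv4 network that lie outside every reserved block."""
    pieces = [net]
    for block in RESERVED_BLOCKS:
        remaining = []
        for piece in pieces:
            if piece.subnet_of(block):
                continue  # wholly reserved, nothing to look up
            if block.subnet_of(piece):
                # The subnet is wider than the reserved block: keep the rest.
                remaining.extend(piece.address_exclude(block))
            else:
                remaining.append(piece)  # CIDR blocks nest or are disjoint
        pieces = remaining
    return sorted(pieces)


def subnets_to_look_up(subnets):
    """Map each subnet to the CIDR ranges that need a geolocation lookup.

    An empty list means the subnet is entirely inside the reserved blocks.
    """
    report = {}
    for text in subnets:
        net = ipaddress.ip_network(text, strict=False)  # tolerate host bits
        if net.version != 4:
            raise ValueError(f"{text}: only IPv4 subnets are expected here")
        report[str(net)] = [str(piece) for piece in outside_reserved(net)]
    return report


# Constructed sample: subnets attached to a hypothetical Firebox Cloud instance.
SAMPLE_SUBNETS = ["10.0.1.0/24", "192.168.0.0/15", "100.64.0.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for subnet, ranges in subnets_to_look_up(SAMPLE_SUBNETS).items():
        if ranges:
            print(f"{subnet}: look up before blocking a country -> {', '.join(ranges)}")
        else:
            print(f"{subnet}: inside reserved ranges")
```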
To select the countries to block, from Fireware Web UI:
1. Select Subscription Services > Geolocation.
2. Select the Enable Geolocation check box.
3. Select countries to block on a map or from a list.
4. If there are sites you want to allow in the blocked countries, configure exceptions.
5. Save the configuration.
For more information about how to select countries and configure exceptions, go to Configure
Geolocation in Fireware Help.
Enable Logging for Firebox Cloud
You can enable Firebox Cloud to send log messages to WatchGuard Cloud or WatchGuard Dimension™.
Both WatchGuard Cloud and Dimension are virtual visibility and management solutions you can use to
view Firebox log data in real-time, track it across your network, view the source and destination of the
traffic, view log message details of the traffic, monitor threats to your network, and view reports of the
traffic.
Configure Logging to WatchGuard Cloud
To enable Firebox Cloud to send log messages to WatchGuard Cloud, you can add your Firebox Cloud
to WatchGuard Cloud. When you enable WatchGuard Cloud, the Firebox sends log messages to
WatchGuard Cloud in addition to any other log servers you configure. After you activate a Firebox Cloud
license at www.watchguard.com, you can add the Firebox Cloud instance to your WatchGuard Cloud
account.
For more information, go to Add a Firebox to WatchGuard Cloud.
For information about how you can manage your Firebox Cloud instance as a cloud-managed device in
WatchGuard Cloud, go to Add Firebox Cloud to WatchGuard Cloud (Cloud-Managed).
Firebox Cloud is not supported for WatchGuard Cloud with a PAYG license.
Configure Logging to Dimension
If you have an instance of Dimension, you can configure Firebox Cloud to send log messages to
Dimension.
To configure Firebox Cloud to send log messages to your instance of Dimension:
1. Select System > Logging.
2. Select the Send log messages to these WatchGuard Log Servers check box.
3. In the Log Servers list, add the IP address of your instance of Dimension.
If your instance of Dimension is behind another Firebox, specify the external IP address of the
Firebox that protects your instance of Dimension.
4. Type and confirm the Authentication Key for your instance of Dimension.
5. Click Save.
If your instance of Dimension is behind another Firebox, make sure that the configuration file of the
Firebox that protects Dimension includes a WG-Logging policy to allow traffic from the external
interface to a static NAT action that translates the public IP address of the Firebox to the private IP
address of Dimension.
For more information about Dimension, go to these Video Tutorials:
• Dimension Kernel Upgrade in Hyper-V (11 minutes)
• Dimension Kernel Upgrade in VMware ESXi (11 minutes)
For more information about how to configure the logging settings, go to Fireware Help.
Open the Configuration File for a Firebox Cloud Instance
From Fireware Web UI, you can download your Firebox Cloud configuration to a compressed file. This
can be useful if you want to open the configuration file in Policy Manager but cannot connect to the
Firebox from Policy Manager.
Before you can open a configuration file in offline mode, you must download the configuration file from
your Firebox.
From Fireware Web UI, there are two methods to download the configuration file for your Firebox Cloud
instance:
• Download the configuration file, config.xml
• Download the diagnostic log message file, support.tgz
Download and Open the Configuration File
You download the configuration file, config.xml, in a compressed (.GZ) file format. Before you can open
the configuration file with Policy Manager, you must use a utility such as Winzip or 7-Zip to extract the
contents of the .GZ file to a location on your computer.
After you extract the files, you can open the configuration file from Policy Manager for this Firebox
Cloud instance.
To download and open the configuration file, from Fireware Web UI:
1. Select System > Configuration File.
The Configuration File page opens.
2. Click Download the Configuration File.
The browser downloads the .GZ file.
3. Open the compressed file and extract the contents.
To open a Firebox Cloud configuration file with Policy Manager, you must
extract the vmhost.json file and the config.xml file into the same folder. Both
files are necessary to open the configuration file in Policy Manager.
4. In Policy Manager, with an existing configuration file open, select File > Open > Configuration File.
Download and Open the Diagnostic Log Message File
The diagnostic log message file, support.tgz, includes the configuration file for your Firebox Cloud
instance. Before you download the diagnostic log message file, make sure that diagnostic logging is
enabled on your device. For more information about how to enable diagnostic logging, go to Set the
Diagnostic Log Level.
To download the diagnostic log message file support.tgz, from Fireware Web UI:
1. Select System Status > Diagnostics.
2. Click Download a Support Log File.
The browser downloads the file.
The configuration file, config.xml, is located inside the compressed diagnostic log
file, support.tgz. The default location is \support\config\config.xml.gz.
To open the configuration file:
1. Extract the config.xml file from config.xml.gz.
2. Copy vmhost.json from \support\networking\vmhost.json to the \support\config folder.
3. Rename vmhost.json to config_vmhost.json.
4. In Policy Manager, with an existing configuration file open, select File > Open > Configuration File.
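Steps 1 to 3 above can be scripted. This added example (not WatchGuard code) reads only the two files the guide names from support.tgz, without unpacking the rest of the archive, and writes config.xml and config_vmhost.json into one folder. The forward-slash member paths inside the archive and the 64 MiB size limit are assumptions.

```python
import gzip
import io
import posixpath
import sys
import tarfile
from pathlib import Path

# Locations inside support.tgz as given in the guide (assumed to be stored
# with forward slashes and an optional leading "./" inside the archive).
CONFIG_MEMBER = "support/config/config.xml.gz"
VMHOST_MEMBER = "support/networking/vmhost.json"
MAX_BYTES = 64 * 1024 * 1024  # assumed upper bound for either file


def _read_member(archive, wanted):
    """Return the bytes of one regular file in the archive, matched by path.

    Reading the member into memory, instead of extracting the archive, means
    entries such as "../x" or symlinks are never written to disk.
    """
    for member in archive.getmembers():
        name = posixpath.normpath(member.name.replace("\\", "/")).lstrip("/")
        if name != wanted:
            continue
        if not member.isfile():
            raise ValueError(f"{wanted} is not a regular file in the archive")
        if member.size > MAX_BYTES:
            raise ValueError(f"{wanted} is larger than the size limit")
        return archive.extractfile(member).read()
    raise FileNotFoundError(f"{wanted} not found in the archive")


def prepare_for_policy_manager(support_tgz, out_dir):
    """Write config.xml and config_vmhost.json side by side in out_dir."""
    with tarfile.open(support_tgz, "r:gz") as archive:
        config_gz = _read_member(archive, CONFIG_MEMBER)
        vmhost = _read_member(archive, VMHOST_MEMBER)

    # Step 1: extract config.xml from config.xml.gz, with a bounded read so a
    # corrupt or hostile file cannot expand without limit.
    with gzip.GzipFile(fileobj=io.BytesIO(config_gz)) as gz:
        config_xml = gz.read(MAX_BYTES + 1)
    if len(config_xml) > MAX_BYTES:
        raise ValueError("config.xml expands beyond the size limit")

    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    config_path = out / "config.xml"
    # Steps 2 and 3: vmhost.json goes next to config.xml under its new name.
    vmhost_path = out / "config_vmhost.json"
    config_path.write_bytes(config_xml)
    vmhost_path.write_bytes(vmhost)
    return config_path, vmhost_path


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: prepare_config.py <support.tgz> <output-folder>")
    for path in prepare_for_policy_manager(sys.argv[1], sys.argv[2]):
        print(f"wrote {path}")
```

The configuration file describes your firewall policy, so write it to a folder that only administrators can read.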
Changes that Require a Firebox Cloud Reboot
If you change the configuration of the network interfaces assigned to your Firebox Cloud instance in
AWS or Azure, a reboot might be required for the Firebox to recognize the change. You can restart
Firebox Cloud from the AWS console, or from Fireware Web UI.
If you add interfaces to a Firebox Cloud instance, you must reboot Firebox Cloud
twice for new interfaces to receive IP addresses.
The types of changes that require a reboot depend on the version of Fireware.
Fireware v12.4 and Higher
In Fireware v12.4 and higher, you must reboot the Firebox after you add or remove a network
interface.
If you make changes to an interface that Firebox Cloud already uses, a reboot is not required.
Firebox Cloud detects the change within five minutes after you save the change in AWS or Azure.
Fireware v12.3.x and Lower
In Fireware v12.3.x and lower, you must reboot the Firebox after you:
• Add or remove a network interface
• Change interface configuration
• Manually assign an elastic IP address to an interface
To restart Firebox Cloud from Fireware Web UI:
1. Connect to Fireware Web UI.
2. On the Front Panel page, click Reboot.
If you added an interface, repeat these steps to restart Firebox Cloud a second time.
Administer Firebox Cloud with the CLI
For most Firebox Cloud administration tasks, we recommend that you use Fireware Web UI. You can
also use the Fireware command line interface (CLI) to administer your instance of Firebox Cloud. To
connect to the Fireware CLI you must have a terminal client that supports SSH2 and public key
authentication.
WARNING: If you did not specify a key pair when you launched your instance of
Firebox Cloud, you cannot connect to Firebox Cloud with the Fireware CLI.
To connect to your Firebox Cloud with the Fireware CLI, use an SSH terminal client and specify these
settings:
• User name — The Device Administrator user name that you use to log in to Fireware Web UI
• Private key — The private key file for your instance of Firebox Cloud
• Address — The public IP address of Eth0 for your instance of Firebox Cloud
• Port — 4118
For information about how to use the CLI to manage Fireware, go to the Fireware Command Line
Interface Reference.
Reset the Firebox to Factory-Default Settings
If you want to run the Web Setup Wizard again for a Firebox Cloud instance, you can use the CLI to reset
the virtual machine to factory default settings.
To reset the Firebox to factory-default settings:
1. Log in to the CLI with the admin account.
2. Run the command restore factory-default.
When you reset a Firebox Cloud instance with a BYOL license to factory-default
settings, this also resets the Firebox serial number. To restore the serial number,
you must add the device feature key to the Firebox configuration.
Add Firebox Cloud to WatchGuard Cloud (Cloud-Managed)
Applies To: Cloud-managed Fireboxes¹
The Firebox Cloud Bring Your Own License (BYOL) also includes a license for WatchGuard Cloud. After
you activate a Firebox Cloud BYOL license, you can add the Firebox Cloud instance to your WatchGuard
Cloud account.
Firebox Cloud is available for Amazon Web Services (AWS) and Microsoft Azure cloud computing
platforms.
To manage Firebox Cloud from WatchGuard Cloud, you must add Firebox Cloud as a cloud-managed
device and then upload a payload to your Firebox Cloud instance.
Because Firebox Cloud is optimized to protect servers in a virtual private cloud,
some setup requirements, configuration options, and available features are
different from other Firebox models. For more information, go to Firebox Cloud
Feature Differences.
Before You Begin
Before you add a Firebox Cloud instance to WatchGuard Cloud, make sure that:
• You have purchased a Firebox Cloud BYOL license.
• You have deployed the AWS or Azure instance.
• You have your Instance ID, also known as the VM ID. You need this to activate your license, and to
log in to Fireware Web UI to run the Firebox Cloud Setup Wizard.
• You have activated the Firebox Cloud instance in your WatchGuard account.
• The Firebox Cloud instance is allocated to a Subscriber account (Service Providers only). For more
information, go to Firebox Allocation.
Your operator role determines what you can see and do in WatchGuard Cloud.
Your role must have the Devices permissions to view or configure this feature.
For more information, go to Manage WatchGuard Cloud Operators and Roles.
¹ This topic applies to Fireboxes you configure in WatchGuard Cloud.
To add a Firebox Cloud instance as cloud-managed, it must meet these requirements:
Runs Fireware v12.7.1 or higher
For a Firebox Cloud instance to successfully connect to WatchGuard Cloud as cloud-managed, it
must run Fireware v12.7.1 or higher.
The version of Fireware originally manufactured on the device appears in the Device Information
section of the Product Details page in the WatchGuard website.
If your Firebox uses a lower version of Fireware, you must first set up the Firebox as a
locally-managed device and upgrade it to Fireware v12.7.1 or higher before you can add it as a
cloud-managed device. For information about Fireware upgrade methods, go to Firebox Upgrade,
Downgrade, and Migration.
Uses factory-default settings
If you previously configured the Firebox Cloud instance as locally-managed, you must reset it to
factory-default settings before it can connect to WatchGuard Cloud as a cloud-managed device. For
the steps to reset your Firebox Cloud instance, go to Changes that Require a Firebox Cloud Reboot.
Add a Firebox Cloud Device to WatchGuard Cloud
When you add a Firebox Cloud instance to WatchGuard Cloud as a cloud-managed device, you
configure the device name, time zone, and device passwords. Network settings are configured in
AWS or Microsoft Azure.
To add Firebox Cloud to WatchGuard Cloud as a cloud-managed device:
1. Log in to your WatchGuard Cloud account.
2. For Service Provider accounts, from Account Manager, select My Account.
3. Select Manage > Devices or Configure > Devices.
4. Click Add Device.
A list of activated Fireboxes opens.
5. Click the Name of the Firebox you want to add or click .
A confirmation dialog box opens.
6. Click Add Device.
The Add Device to WatchGuard Cloud page opens.
7. Select Cloud Management.
8. Click Next.
9. Configure Firebox system settings:
• Name — The name to identify the Firebox in WatchGuard Cloud.
• Time Zone — The time zone of the location where the Firebox is installed.
• Device Folder — Select the folder that you want to add your device to. Device Folders help
you to view status and summarized data for groups of devices.
If you only have one root folder, the folder list does not appear.
10. Click Next.
11. Set Firebox device passwords for connections to Fireware Web UI on the Firebox. Device
passwords must be 8-32 characters long, and must contain uppercase and lowercase letters, at
least one number, and at least one symbol.
The admin password you specify here is used to encrypt the payload. You must
use the same admin password when you upload the payload in the Firebox Cloud
Web Setup Wizard.
Caution: To keep your device secure, make sure you do not use the default
passphrases for the admin account (readwrite) and status account (readonly).
We recommend you specify unique passphrases for each Firebox you manage
and change them frequently.
For a cloud-managed Firebox, you can use Fireware Web UI to recover the Firebox
connection to WatchGuard Cloud. You cannot use Fireware Web UI to modify the
Firebox configuration.
12. Click Next.
13. Click Download Payload.
A dialog box opens for you to save the payload file to your default download folder in your browser.
The package has a TGZ extension. For example, package_FVE1028C0754.
Record the location where you saved the payload file. In the next section, you will
upload the payload in the Fireware Web UI to connect your Firebox Cloud instance
to WatchGuard Cloud.
Your device is now added to WatchGuard Cloud, but not yet connected. You must now upload the
payload to your Firebox Cloud instance in the Fireware Web UI.
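The passphrase policy in step 11 and the Caution about default and reused passphrases can be checked before you enter anything in the Add Device wizard. The following Python is an added example, not WatchGuard code; the symbol set, the default length of 24, and the function names are assumptions.

```python
import secrets
import string

# Policy from step 11: 8-32 characters, upper and lower case, a number, a symbol.
MIN_LEN, MAX_LEN = 8, 32
# Assumption: a conservative symbol set; the guide does not list accepted symbols.
SYMBOLS = "!#%*+-=?@_"
# Default passphrases named in the Caution; these must never be used.
DEFAULTS = {"readwrite", "readonly"}

# (reason reported on failure, predicate that must hold for a valid passphrase)
CHECKS = [
    ("default passphrase", lambda p: p not in DEFAULTS),
    ("length must be 8-32 characters", lambda p: MIN_LEN <= len(p) <= MAX_LEN),
    ("no uppercase letter", lambda p: any(c.isupper() for c in p)),
    ("no lowercase letter", lambda p: any(c.islower() for c in p)),
    ("no number", lambda p: any(c.isdigit() for c in p)),
    # Assumption: "symbol" means ASCII punctuation.
    ("no symbol", lambda p: any(c in string.punctuation for c in p)),
]


def policy_violations(passphrase):
    """Return the reasons the passphrase fails the policy (empty list = valid)."""
    return [reason for reason, holds in CHECKS if not holds(passphrase)]


def generate_passphrase(length=24):
    """Generate a random passphrase that satisfies the policy."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8-32 characters")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:  # retry until every required character class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def passphrases_for(fireboxes, length=24):
    """Return {name: (admin, status)} with no passphrase reused anywhere."""
    used, result = set(), {}
    for name in fireboxes:
        pair = []
        while len(pair) < 2:
            candidate = generate_passphrase(length)
            if candidate not in used:  # collisions are unlikely; check anyway
                used.add(candidate)
                pair.append(candidate)
        result[name] = tuple(pair)
    return result
```

Store the generated values in a secrets manager rather than printing them; the admin passphrase is needed again when you upload the payload in the Firebox Cloud Web Setup Wizard.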
Upload the Payload and Connect the Firebox
Before you can manage Firebox Cloud in WatchGuard Cloud, you must upload the payload you
downloaded from WatchGuard Cloud.
The payload includes:
• Verification code
• Admin and status passwords
• Initial configuration
• Feature key
To upload the payload and connect your Firebox Cloud instance to WatchGuard Cloud:
1. Open a web browser and go to https://<eth0_public_IP>:8080.
2. Log in with the default administrator account user name and password:
• Username — admin
• Password — the Firebox Cloud Instance ID
3. Select Enable cloud management.
4. Click Next.
5. Accept the terms of the License Agreement.
6. Click Next.
7. Upload the payload.
a. Type the admin password you created in the Add Device Wizard in WatchGuard Cloud. This
password is used to decrypt the payload.
b. Click Browse, navigate to the location where you saved the payload, and select the payload
file.
8. Click Next.
The payload file uploads and applies changes to the Firebox. When the process finishes, you see a message.
Verify the Firebox Cloud Status
After you upload the payload and connect Firebox Cloud in the Fireware Web UI, log in to WatchGuard
Cloud to verify the connection status and other summary information on the Device Settings page and
the Deployment History page.
Because AWS or Azure controls the networking information for Firebox Cloud, the
Networking and Live Status Monitoring sections in WatchGuard Cloud do not
show the same level of detail as physical Fireboxes or FireboxV.
For more information, go to:
• WatchGuard Cloud Device Summary
• Monitor Live Status for Cloud-Managed Fireboxes
Additional Resources
This guide described how to set up a Firebox Cloud on AWS or Microsoft Azure. After you launch and
successfully connect to your instance of Firebox Cloud, use these resources to learn more about how to
configure the supported features and services.
Help Center and Technical Documentation
• Fireware Help — From Fireware Web UI, click for context-sensitive help, or go to WatchGuard
Help Center.
• Complete Fireware documentation — For the complete set of documentation for Fireware and
related software, go to the WatchGuard Technical Documentation page.
Technical Support
• If you require assistance with your Firebox Cloud instance, including how to handle fault conditions,
go to Support Information.
• For information about Support tiers and targeted response times, go to Compare Support Levels.
Troubleshooting
• Fireware Help — For Fireware troubleshooting documentation, go to Troubleshooting.
Monitor Your Firebox
• Fireware Help — For more information about how to monitor your Firebox Cloud instance, go to
Monitor your Firebox.
Manage Users and Roles on Your Firebox
• Fireware Help — For Firebox users and roles information, go to Manage Users and Roles on Your
Firebox.
Firebox Upgrade, Downgrade, and Migration
• Fireware Help — For Firebox upgrade, downgrade, and migration information, go to Firebox
Upgrade, Downgrade, and Migration.
Firebox Backup and Restore
• Fireware Help — For Firebox backup and restore information, go to Firebox Backup and Restore.