Firebox Cloud Feature Differences
Because Firebox Cloud is optimized to protect servers in a virtual private cloud, some setup requirements, configuration options, and available features are different from other Firebox models. This section summarizes the differences between Firebox Cloud and other Fireboxes.
Administration
You use Fireware Web UI to administer a Firebox Cloud instance. You can use WatchGuard Dimension to monitor the traffic and security status of the networks your Firebox protects. You can use Dimension Command to manage a Firebox Cloud instance that runs Fireware v11.12.4 or higher.
Licensing and Services
All supported features and services are included with Firebox Cloud. Firebox Cloud supports these WatchGuard subscription services:
- Application Control
- WebBlocker
- Gateway AV
- APT Blocker
- Intrusion Prevention Service (IPS)
- Reputation Enabled Defense
- Geolocation
- Botnet Detection
- Data Loss Prevention
- Threat Detection and Response (TDR)
- Access Portal (requires Fireware v12.1 or higher)
For Firebox Cloud with a BYOL license, you must activate a license key for Firebox Cloud on the WatchGuard website, and add the feature key to your instance of Firebox Cloud. For more information, see Deploy Firebox Cloud on AWS or Deploy Firebox Cloud on Microsoft Azure.
For Firebox Cloud with an Hourly license, the Threat Detection and Response service does not include Host Sensor licenses.
Network Interfaces
Firebox Cloud supports two to eight interfaces. It supports one external interface (eth0), and up to seven private interfaces (eth1–eth7). All Firebox Cloud interfaces use DHCP to request an IP address.
For Firebox Cloud on AWS, you assign an Elastic IP (EIP) address to the external interface. For Firebox Cloud on Azure, you can configure the external interface with a dynamic or static IP address. The internal IP addresses are assigned based on the private networks assigned to your Firebox Cloud instance.
Firebox Cloud supports a secondary network IP address on the external interface in Fireware v12.1 and higher.
Because you must configure all network interface IP addresses and settings in AWS or Azure, you cannot configure the network interfaces in Fireware Web UI. The Network > Interfaces configuration page is not visible in Fireware Web UI for Firebox Cloud.
Default Firebox Configuration
When you launch an instance of Firebox Cloud, it automatically starts with a default configuration. For Firebox Cloud with a BYOL license, you must get a feature key to enable configuration of all features.
The Firebox Cloud Setup Wizard runs the first time you connect to Fireware Web UI. In the wizard you accept the End User License Agreement and choose new passphrases.
After you run the setup wizard, the default configuration for Firebox Cloud is different from other Firebox models in these ways:
- All interfaces use DHCP to obtain a primary IPv4 address
- Firebox Cloud allows more than one Device Administrator to connect at the same time
- You can connect to any interface for administration with Fireware Web UI
- The default policies allow management connections and pings to Firebox Cloud, but do not allow outbound traffic from private subnets through Firebox Cloud
- Licensed subscription services are not configured by default
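Because the default policies accept management connections on any interface, the AWS security group attached to the instance is what limits who can reach Fireware Web UI. The following check is an added example, not WatchGuard code: it scans one security group, in the JSON shape returned by `aws ec2 describe-security-groups`, for ingress rules that expose the management port to wide source ranges. The port (TCP 8080, the usual Fireware Web UI default), the 256-address threshold, and the sample group are assumptions made for this example.

```python
import ipaddress

# Assumption: Fireware Web UI listens on TCP 8080 (its usual default); change if yours differs.
WEB_UI_PORT = 8080

def open_management_rules(group, port=WEB_UI_PORT, max_hosts=256):
    """Return (cidr, reason) for ingress rules that expose `port` too widely.

    `group` is one entry of "SecurityGroups" from `aws ec2 describe-security-groups`.
    `max_hosts` is an arbitrary review threshold chosen for this example.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            covers = True  # "-1" means all protocols and all ports
        elif proto == "tcp":
            covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        else:
            covers = False  # icmp/udp rules do not reach the Web UI
        if not covers:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append((cidr, "open to the whole internet"))
            elif net.num_addresses > max_hosts:
                findings.append((cidr, "source range wider than %d addresses" % max_hosts))
    return findings

# Constructed sample, shaped like the AWS CLI output; not a real security group.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for cidr, reason in open_management_rules(SAMPLE_GROUP):
        print(SAMPLE_GROUP["GroupId"], cidr, reason)
```

Port ranges that merely contain the management port are flagged too, which is why the 8000-9000 rule in the sample is reported for its 10.0.0.0/8 source.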
Fireware Features
Firebox Cloud supports most policy and security features available on other Firebox models. It supports a subset of networking features appropriate for the AWS environment. For supported features, the available configuration settings are the same as for any other Firebox. Most features and options that are not supported for Firebox Cloud do not appear in Fireware Web UI.
Networking features not supported:
- Drop-in mode and Bridge mode
- DHCP server and DHCP relay (all interfaces are DHCP clients)
- PPPoE
- IPv6
- Multi-WAN (includes sticky connections and policy-based routing)
- ARP entries
- Link Aggregation
- VLANs
- FireCluster
- Bridge interfaces
Policies and Security Services not supported:
- Explicit-proxy and Proxy Auto-Configuration (PAC) files
- Quotas
- spamBlocker and Quarantine Server
- Network Discovery
- Mobile Security
Authentication features not supported:
- Hotspot
- Single Sign-On (SSO)
System Administration features not supported:
- Management by WatchGuard Management Server or Policy Manager
- Logon disclaimer for device management connections
- USB drive for backup and restore
Other features not supported:
- Gateway Wireless Controller
- Mobile VPN with SSL Bridge VPN Traffic option
Features you cannot configure from Fireware Web UI:
- Change the logging settings for default packet handling options
- Edit the name of an existing policy
- Add a custom address to a policy
- Use a host name (DNS lookup) to add an IP address to a policy
- Add or edit a secondary PPPoE interface
In Fireware Web UI, it is possible to configure some features, such as IPv6 routes, that are not supported for Firebox Cloud. This does not enable the unsupported feature, but does no harm.
VM Information in Fireware Web UI
For Firebox Cloud, some pages in Fireware Web UI include information about the Firebox Cloud virtual machine.
The Front Panel Dashboard
For Firebox Cloud, the Front Panel dashboard page includes this information about the Firebox Cloud instance:
- Instance ID — The virtual machine identifier
- Instance Type — The type of AWS or Azure virtual machine instance
- Availability Zone — The AWS Availability Zone or Azure region where the Firebox Cloud virtual machine is deployed
The VM Information System Status Page
The System Status > VM Information page includes more details about the Firebox Cloud virtual machine.
The VM Information page for Firebox Cloud for AWS includes this information:
- Instance ID — The virtual machine identifier
- Instance Type — The type of AWS virtual machine instance
- Availability Zone — The AWS Availability Zone
- Public Hostname — The public host name of the Firebox Cloud virtual machine
- Public IPv4 Address — The public IPv4 address for the external interface
- Security Group — The AWS security group
- Public Key — The public key for this Firebox Cloud virtual machine
The VM Information page for Firebox Cloud for Azure includes this information:
- VM ID — The virtual machine ID. This is the same as the Instance ID on the Front Panel.
- VM Size — The Azure VM size. This is the same as the Instance Type on the Front Panel.
- Location — The Azure region. This is the same as the Availability Zone on the Front Panel.
- Public Hostname — The host name for the Firebox Cloud instance external interface
- Public IPv4 Address — The public IPv4 address for the external interface
The Interfaces Dashboard
The Interfaces Dashboard page includes information about the status of virtual network interfaces associated with each Firebox Cloud interface. The content shown in the Detail tab varies slightly for Firebox Cloud on AWS or Azure.
For Firebox Cloud on AWS, the Interfaces Dashboard page includes this information:
- Interface ID — The elastic network interface (eni) ID
- Public Hostname — The public DNS host name for the external interface
- Public IPv4 address — The public IPv4 address for the external interface
- Local Hostname — The private DNS host name for the network interface
- Device Number — The interface number
- VPC ID — The ID of the VPC where the instance of Firebox Cloud is deployed
- Link Status — The link status of each interface (Up or Down)
- DNS Servers — The list of DNS servers that generate the public IPv4 address
For Firebox Cloud on Azure, the Interfaces Dashboard page includes this information:
- Public IPv4 address — The public IPv4 address for the external interface
- Local IPv4 address — The private IPv4 address for the external interface
- Device Number — The interface number
- Link Status — The link status of each interface (Up or Down)
- DNS Servers — The list of DNS servers that generate the public IPv4 address