Move a Configuration to a New Firebox

Each time you save a configuration update to the Firebox, Policy Manager automatically saves the configuration file to your management computer. If the original Firebox is inoperable, look for the latest configuration file saved on your management computer. By default, Policy Manager saves configuration files in the Documents\My WatchGuard\configs directory.

If you open a configuration file from a location other than Documents\My WatchGuard\configs, Policy Manager uses that location as the new default save location.

If you can connect to the original Firebox, you can use Policy Manager to save the current device configuration to a local XML file. For more information, go to Save the Configuration File.

If you can connect to the original device with Fireware Web UI, you can manually save the current configuration to an XML file.

To download the configuration file, from Fireware Web UI:

1. Select System > Configuration File.
2. Click Download the Configuration File.

For more information, go to Manage the Firebox Configuration File.

A Firebox that starts with factory-default settings automatically connects to WatchGuard to download its feature key.

To download the feature key to the new Firebox:

1. Connect Firebox interface 0 to a network with Internet access and DHCP.
2. Start the Firebox with factory-default settings.
   The Firebox connects to WatchGuard to download the feature key.

For steps to reset a Firebox to factory-default settings, go to Reset a Firebox.

If the download fails, the Firebox automatically continues to try to download the feature key if the Firebox has an active Internet connection.

You can manually download the feature key from the WatchGuard account where you activated the Firebox. You must use this method to get the feature key for FireboxV virtual devices. It can be useful to manually download the feature key for any Firebox model in case the Firebox cannot connect to automatically download the feature key.

To get the feature key for your device:

1. Open a web browser and go to https://myproducts.watchguard.com/manage-products.
2. Log in to your WatchGuard account.
   
3. On the Manage Products page, in the Network Security section, click View Products.
4. Select a friendly name to open details for that device or product.

5. Click Get Feature Key.
   
6. Click Copy.
7. Save the feature key to a local text file.

For more information, go to About the Product Details Page.

To use this method, you must have WatchGuard System Manager installed on a Windows management computer. In WatchGuard System Manager, you use Policy Manager to update the configuration file from the original Firebox, and save it to the new Firebox.

To connect to the new Firebox:

1. Connect interface 0 to a network with a DHCP Server and Internet access.
2. Power on the Firebox with factory-default settings.
3. Connect your management computer to interface 1.
   If the Firebox can connect to the Internet through interface 0, it automatically connects to WatchGuard to download its feature key.

Next, use Policy Manager to update the configuration file from the original device with the new feature key.

If the original and new Fireboxes run different Fireware versions, you must also update the OS Compatibility setting in the configuration file to the OS version that the new Firebox uses.

To edit the configuration file, in Policy Manager:

1. Select File > Open > Configuration File.
2. Select the XML configuration file you saved from the original Firebox.
3. Click Open.
4. To update the feature key, select Setup > Feature Keys.
   The Firebox Feature Key dialog box opens.
5. To download the feature key from the new Firebox, click Download.
   The Get Firebox Feature Keys dialog box opens.

6. In the IP Address or Name text box, type the IP address of Firebox interface 1. For a Firebox with factory-default settings, the IP address is 10.0.1.1.
7. In the Passphrase text box, type the passphrase for the status user account. For a Firebox with factory-default settings, the passphrase is readonly.
8. Click OK.
   Policy Manager connects to the new Firebox and downloads the feature key. This is the feature key that the Firebox downloaded when it started with factory-default settings. In the Firebox Feature Keys dialog box, the Summary and Features sections show information from the feature key.

9. If you cannot connect to the device to get the feature key, or if the device does not have a feature key, you can manually add the feature key you downloaded from the Product Details page. To manually update the feature key:
   1. Click Import.
   2. Paste the feature key text or click Browse and select the text file you saved it to.
   3. Click OK.
10. After you download or manually update the feature key, click OK.
    Policy Manager updates the Firebox model in the device configuration to match the model in the feature key.
11. To verify or update the device name and time zone:
    1. Select Setup > System.
       The Device Configuration dialog box opens. The Firebox Model information matches the model in the feature key of the new Firebox. The name is still the same as the original Firebox.

    

    2. Update the Name and Time Zone, as needed.
    3. Click OK.
12. Select Network > Configuration and review the network interface configuration. For information about issues that might occur when you migrate a configuration to a Firebox model with fewer interfaces than your original Firebox, go to Verify Configured Interfaces.
13. If the new Firebox runs a different version of Fireware, select Setup > OS Compatibility and from the For Fireware version drop-down list, select the Fireware version that the new Firebox uses. For more information, go to OS Compatibility.
    
14. If you use third-party certificates, go to Additional Migration Steps.
15. To save the configuration to the new Firebox:
    1. Select File > Save > To Firebox.
    2. In the IP Address or Name text box, type the IP address of Firebox interface 1. For a Firebox with factory-default settings, the IP address is 10.0.1.1.
    3. In the Administrator Passphrase text box, type the passphrase for the admin user account. For a Firebox with factory-default settings, the passphrase is readwrite.
    4. Click OK.
    5. If Policy Manager asks you whether to continue with the save, click Yes.

After you save the configuration to the Firebox, edit the administrative user accounts to change the passphrases to more secure settings. For more information, go to Manage Users and Roles on Your Firebox.

If your new Firebox has removable interface modules, the number of configurable interfaces that appear in Policy Manager depends on the interface modules installed on the Firebox. After you save the configuration to the new Firebox, you must open the configuration file from the new Firebox to update the interface list.

In Fireware v12.2 and higher, you can use Fireware Web UI to download the configuration file from the original Firebox, and then upload it to the new Firebox.

To use Fireware Web UI to migrate the configuration, the original and new Firebox must have the same number of interfaces. If the Fireboxes have different numbers of interfaces, follow the steps to use Policy Manager to migrate the configuration.

To prepare the new Firebox:

1. Use the Web Setup Wizard to configure the new Firebox with a new, temporary basic configuration. For more information, go to Run the Web Setup Wizard.
2. If the version of Fireware on the device is lower than v12.2, or is lower than the version installed on the original Firebox, upgrade to the latest Fireware version. In Fireware Web UI, select System > Upgrade OS. For more information, go to Upgrade Fireware or WatchGuard System Manager.

To migrate the configuration from the original Firebox, from Firebox Web UI:

1. Select System > Configuration File.
   The Configuration File page opens.

2. Click Choose File or Browse and select the configuration file to upload.
   The button name depends on the browser you use.
   
3. Click Restore.
   The Firebox configuration is updated to the settings from the configuration file.

For more information, go to Manage the Firebox Configuration File.

After you save a configuration file that changes the IP address of the Firebox interface that your computer is connected to, before you can connect to the Firebox, you must make sure your computer has an IP address on the same network as the updated interface IP address.

By default, all certificates are different on the new Firebox. If you use the default certificates, network clients do not automatically trust the certificate on the new Firebox.

If the original Firebox used a third-party certificate, and you want to use the third-party certificate on the new Firebox:

1. On the new Firebox, select the default certificate option in the settings for Firebox features that use a third-party certificate. You must complete this step before you can save the configuration on the new Firebox. For example, you might use a third-party certificate for inbound HTTPS content inspection, BOVPN, Mobile VPN with IKEv2, and Mobile VPN with L2TP.

• To configure HTTPS content inspection certificates, go to Use Certificates with Outbound HTTPS Proxy Content Inspection.
• To configure BOVPN certificates, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
• To configure Mobile VPN with IKEv2 certificates, go to Edit the Mobile VPN with IKEv2 Configuration.
• To configure Mobile VPN with L2TP certificates, go to Certificates for Mobile VPN with L2TP Tunnel Authentication.
• If you use the Firebox web server certificate:
  1. In Fireware v12.2.1 or higher, select Setup > Certificates and then select the Firebox Web Server Certificate tab.
     In Fireware v12.2 or lower, select Setup > Authentication > Web Server Certificate.
  2. Make sure that Default certificate signed by the Firebox is selected.
  3. If you have a third-party certificate, the option Third party certificate is selected. You must select Default certificate signed by the Firebox instead.

2. After you save the configuration on the new Firebox, import the third-party certificate after you migrate the configuration. For information about how to import a certificate, go to Manage Device Certificates (Web UI), and Manage Device Certificates (WSM).
3. Apply the certificate to features as required. For example, if you used the third-party certificate for inbound HTTPS content inspection on the old Firebox, you can select to use the imported third-party certificate for HTTPS content inspection on your new Firebox. You might also have to do this in the BOVPN, IKEv2 mobile VPN, and L2TP mobile VPN configurations.

For general information about how the Firebox uses certificates, go to About Certificates.

If you use Mobile VPN with IKEv2, and you use the default Firebox IKEv2 certificate, you must do one of the following:

• Distribute an updated VPN client profile to all VPN client devices, which will distribute the new default Firebox IKEv2 certificate to clients. For more information, go to Configure Client Devices for Mobile VPN with IKEv2.
• Distribute only the new default Firebox IKEv2 certificate to all VPN client devices (if you do not want to distribute an updated VPN profile to clients).

If the original Firebox used a third-party certificate and you update the new Firebox to use the same third-party certificate, it is not necessary to distribute an updated VPN client profile. The existing VPN clients can connect after you update the new Firebox to use the third-party certificate.

The first time the WatchGuard Mobile VPN with SSL client connects to the new Firebox, users must respond to a prompt to trust the certificate.

For devices that use the OpenVPN client to connect with Mobile VPN with SSL, users must import a new VPN client profile and delete the old VPN client profile. For more information, go to Use Mobile VPN with SSL with an OpenVPN Client.