Deploy FireboxV on VMware ESXi

This installation procedure describes how to deploy and configure a FireboxV virtual machine on a VMware vSphere ESXi host.

Installation Prerequisites

WatchGuard FireboxV VMware system requirements:

  • For information about VMware ESXi system requirements, go to the FireboxV System Requirements section of the Operating System Compatibility Matrix in Fireware Release Notes.

Hardware and System Resources

  • Each FireboxV virtual machine requires 5 GB of disk space.
  • Other system resources vary by FireboxV model

Some WatchGuard customers have successfully used vMotion to migrate an FireboxV virtual machine between ESXi hosts while theFireboxV virtual machine is powered on and passing traffic. However we recommend that you power down the FireboxV virtual machine, if possible, before you migrate it between ESXi hosts.

Before You Begin

To prepare for your installation, make sure you have:

  • FireboxV device serial number
    You receive the serial number when you purchase the FireboxV virtual device.
  • FireboxV feature key
    The feature key contains the device serial number and licensed features.
  • WatchGuard FireboxV Open Virtual Machine Format (OVF) template
    The file name is Fireboxv_<version>.ova, where <version> is the Fireware version.
  • WatchGuard System Manager (optional)
    The WSM version must be the same version or higher than the Fireware version

To get the feature key:

  1. Go to https://myproducts.watchguard.com/activate and activate the device serial number.
    The activation process creates a feature key for the Firebox.
  2. Copy the feature key to a local text file.

To download the installation file and other software to use with your Firebox:

  1. Go to software.watchguard.com and select FireboxV for VMware.
  2. Download the FireboxV .zip file.
  3. Download WatchGuard System Manager (optional).

Installation Overview

To complete initial installation:

  1. In the VMware vSphere Client, deploy the FireboxV virtual appliance to the ESXi host and power on the FireboxV virtual machine.
  2. Connect to the FireboxV virtual machine and run the Web Setup Wizard to set up a basic configuration.
  3. Allocate additional resources to the FireboxV virtual machine.

This guide describes how to run the Web Setup Wizard to create your initial configuration for a FireboxV virtual machine. If you have installed WatchGuard System Manager on a computer on the FireboxV trusted network, instead of the Web Setup Wizard, you can run the Quick Setup Wizard in WatchGuard System Manager to discover the virtual machine and set up the basic configuration.

To activate your Firebox in the Web Setup Wizard, you must have the Firebox serial number. You cannot use a serial number that ends with 000000000, which is the serial number for an unactivated device.

Network Considerations

When you create a FireboxV virtual appliance, it is initially configured with two active interfaces.

External interface

The external interface, Interface 0, is set up by default to request an IP address from a DHCP server. To connect to this interface for the initial device configuration, you must map this interface to a destination network that has a DHCP server.

Trusted interface

The trusted interface, Interface 1, has a default IP address of 10.0.1.1.

When you create the FireboxV virtual machine in the ESXi environment, before you run the Fireware Web Setup Wizard, you must map each of these interfaces to a destination network.

For the best network performance and stability, we recommend that you choose a vmxnet3 virtual network adapter for each Firebox interface. Do not use a e1000 virtual network adapter.

After you create the FireboxV virtual machine, you can enable and configure additional network interfaces. For additional interfaces to operate, you must configure the FireboxV virtual machine in the vSphere Web Client to add the number of network adapters you want to enable in the FireboxV device configuration.

You must configure the ESXi MAC addresses in increasing order by the ESXi interface number. This ensures that the Firebox interfaces correspond to the ESXi interfaces as follows:

FireboxV Interface ESXi Interface ESXi Interface MAC Address
eth0 1 22:22:22:22:22:20
eth1 2 22:22:22:22:22:21
eth2 3 22:22:22:22:22:22
eth3 4 22:22:22:22:22:23

Deploy the FireboxV Virtual Appliance

You can use the vSphere Client, vSphere Web Client, or vCenter Server to deploy the FireboxV virtual appliance (OVF template). The OVF template installs as a 64-bit virtual machine.

Different versions of VMware ESXi support different VMware clients. You can use any supported client to deploy the .ova file and assign required resources to the Firebox. For example, VMware 6.5 supports these clients:

  • VMware Host Client
  • vSphere Client - HTML5
  • vSphere Web Client
  • vSphere Appliance Management UI (VAMI) - HTML5
  • PSC Management UI - HTML5

The next procedures describe how to deploy a virtual machine on the ESXi Host Client.

For information about how to deploy a virtual machine and configure necessary resources for another VMware client , go to the documentation for that VMware client.

To use the VMware Host Client to deploy the FireboxV virtual machine:

  1. Connect to the VMware Host Client at https://<ESXi_Host>/UI.
    Replace <ESXi_Host> with the FQDN or IP address of your ESXi host.
  2. In the Navigator pane, select Host.
  3. In the right pane, select Actions > Create/Register VM.
    The New Virtual Machine wizard opens.
  4. Complete the steps in the New Virtual Machine wizard.

The wizard helps you to complete these steps:

Select creation type

Select Deploy a virtual machine from an OVF or OVA file.

Select OVF and VMDK files

  1. In the Enter a Name for the Virtual Machine text box, type a name for the virtual machine.
  2. In the Click to Select Files section, select the FireboxV .OVA file you downloaded from WatchGuard.

Select storage

Select a datastore with at least 5 GB available space.

License agreements

Review and accept the WatchGuard-End User License Agreement.

Deployment options

  • In the Network Mappings section, select the networks to map to Network 0 (eth0: External) and Network 1 (eth1:Trusted). eth0 is configured to use DHCP to get an IP address by default. Select a vmxnet3 network adapter for each interface.
  • In the Disk Provisioning section, we recommend you select Thick to allocate all storage immediately.

Additional settings

Do not configure additional network settings. You can use the Fireware Web Setup Wizard to configure the Firebox networks.

Ready to complete

Review settings and click Finish.

After you finish the wizard and deployment is complete, the FireboxV virtual machine shows in the Virtual Machines list. The virtual machine is powered on automatically.

FireboxV Factory Default Settings

When you power on a FireboxV virtual machine for the first time, before you run the setup wizard, it starts with these factory default settings:

  • There are two active interfaces: external and trusted.
  • The trusted interface has the IP address 10.0.1.1.
  • The external interface is configured to receive an IP address through DHCP.
  • The trusted interface is not configured to assign IP addresses with DHCP.
    This is different than the default setting for other Fireboxes.
  • Both the trusted and external interfaces accept management connections.
    This is different than the default setting for other Fireboxes.
  • The admin account passphrase is readwrite.
  • The serial number for an unactivated FireboxV device ends with 000000000.
    You assign the actual serial number during device activation.

To find the assigned external IP address:

  1. In the virtual machines list, click the FireboxV virtual machine.
  2. In the General Information > Networking section, look for the IP addresses.

Use the Web Setup Wizard to Create a Basic Configuration

The Fireware Web Setup Wizard is almost the same for FireboxV as it is for any other Firebox. One difference is that, for a FireboxV virtual machine, you can connect to either the trusted interface or the external interface to run the Web Setup Wizard. Another difference is that the virtual machine reboots after the wizard is complete, so that the virtual machine can restart with the new serial number.

If you do not complete all of the Web Setup Wizard steps within 15 minutes, the wizard does not save any of your settings. You must log in and start again.

The Web Setup Wizard includes a step to activate your FireboxV device. You must activate the Firebox with a feature key to get the serial number and to enable all licensed features.

To set up the basic configuration on a FireboxV virtual machine:

  1. Open a web browser and connect to Fireware Web UI on either the external or trusted interface.
  • Connect to the external interface — From any computer on the FireboxV external network, connect to:
    https://<External_IP_Address>:8080
    For <External_IP_Address>, use the IP address assigned to the external interface.
  • Connect to the trusted interface — From any computer on the FireboxV trusted network, connect to:
    https://10.0.1.1:8080
  1. Log in to Fireware Web UI with the default administrator account credentials.
  • Username — admin
  • Passphrase — readwrite
  1. Select New Configuration.
  2. Complete the steps in the Web Setup Wizard.

The Web Setup Wizard helps you to complete these steps:

Configure the External interface

Select and configure the method you want your device to use to set an external IP address. The choices are:

  • DHCP — Type the DHCP identification as supplied by your ISP.
  • PPPoE — Type the PPPoE information as supplied by your ISP.
  • Static — Type the static IP address and gateway IP address, as supplied by your ISP.

For more information about these methods, go to Configure an External Interface.

Configure DNS and WINS servers (Optional)

Configure the DNS and WINS server addresses you want the Firebox to use.

Configure the Trusted interface

Type the IP address of the trusted interface. (Optional) If you want the Firebox to assign IP addresses to computers that connect to the trusted network, you can enable the DHCP server and assign a range of IP addresses on the same subnet as the interface IP address.

Create passphrases for your device

Set new passphrases for the status (read-only) and admin (read/write) built-in user accounts.

Enable remote management (Optional)

Enable remote management if you want to manage this Firebox through the external interface.

Add device information

You can type a device name, location, and contact information to save management information for this device. By default, the device name is the model number of your Firebox. We recommend that you choose a unique name that you can use to easily identify this Firebox, especially if you use remote management. The location and contact information are optional.

Set the Time Zone

Select the time zone where the Firebox is located.

Add the feature key

Paste the text of the feature key into the setup wizard.

If you did not copy the feature key when you activated your Firebox serial number, you can get it on the Product Details page for your Firebox. For more information, go to About the Product Details Page.

Configure subscription services

The setup wizard shows a list of licensed services from the feature key. The setup wizard automatically enables the listed services with recommended settings. For WebBlocker, the setup wizard recommends content categories to block, and you can change these settings in the setup wizard.

Review the Configuration

After you review the configuration settings, the setup wizard saves the configuration to the Firebox.

After the Setup Wizard Finishes

After you complete the wizard, the FireboxV virtual machine reboots with the new serial number. The setup wizard creates a basic configuration that allows outbound TCP, UDP, and ping, traffic, and blocks all unrequested traffic from the external network. It also uses the interface IP addresses and administrative passphrases you specified. The wizard automatically enabled default policies and services with recommended settings. For details about the default policies and services, go to Setup Wizard Default Policies and Settings.

If you changed the IP address of the interface you used to connect to the Fireware Web Setup Wizard, you must use the new address to connect and manage the device.

Management Connections to FireboxV

For a FireboxV virtual machine, the default WatchGuard and WatchGuard Web UI policies allow management connections from any computer on the trusted, optional, or external networks. This is different from the default configuration for other WatchGuard devices, which do not allow management connections from the external network by default.

We strongly recommend that you do not allow management connections from the external network, and that you edit the WatchGuard and WatchGuard Web UI policies to remove the Any-External alias from the From list after you complete initial configuration.

To allow management from only a specific computer on the external network, you can add the address of that management computer to the From list in these policies.

You can use Fireware Web UI, WatchGuard System Manager, or the Fireware Command Line Interface (CLI) to change the configuration for your FireboxV virtual machine. You can connect to either the trusted or external interface from any computer on the same network.

For more information, go to:

If you need to reset a FireboxV device to factory-default settings, you can use the Fireware Command Line interface. For more information, go to Reset FireboxV to Factory-Default Settings.