Troubleshoot Firebox Connections to WatchGuard Cloud
Applies To: Locally-managed Fireboxes
When you enable WatchGuard Cloud on a Firebox, the Firebox connects to WatchGuard Cloud to register. Firebox registration happens only once, to associate the Firebox with your WatchGuard Cloud account. After successful registration, the Firebox sends log messages and device status to WatchGuard Cloud.
This topic describes how to troubleshoot issues with Firebox registration and connections to WatchGuard Cloud.
See the Firebox Connection Status
You can verify the Firebox connection status in the Device Summary. For more information, go to About the Device Summary Page.
The connection status indicates whether the Firebox is connected to your WatchGuard Cloud account. It can be one of these values:
Never Connected — The device has never connected to WatchGuard Cloud.
Connected — The device is connected to WatchGuard Cloud.
Not Connected — The device is not connected to WatchGuard Cloud.
Inactive — The device is inactive. For more information, go to Inactive Devices and Data Retention.
If the device status is not Connected, the Firebox is not connected to WatchGuard Cloud. To troubleshoot the issue, you must connect to the Firebox and get more information. For more information, go to WatchGuard Cloud Status on the Firebox.
The expected status of cluster members depends on the cluster type:
Active/Passive FireCluster
Only the cluster master connects to WatchGuard Cloud. The status of the cluster master is Connected. The status of the backup master is Never Connected or Not Connected.
Active/Active FireCluster (Locally-managed FireClusters only)
Both cluster members connect to WatchGuard Cloud. The status of both members is Connected. To determine which Firebox serial number corresponds to the cluster master or backup master, connect to Fireware Web UI and select System Status > FireCluster. Or, in WatchGuard System Manager, connect to the cluster and expand the Cluster section.
Troubleshoot Registration Errors
When you enable WatchGuard Cloud, your Firebox connects to WatchGuard Cloud on HTTPS port 443 to register. To register to your WatchGuard Cloud account, the Firebox sends the WatchGuard Cloud Verification Code. A problem with the connection or the Verification Code can cause a registration error.
If your Firebox has a TPM (Trusted Platform Module) chip, and runs Fireware v12.5.3 or higher, the Firebox uses TPM to register with WatchGuard Cloud.
For an active/passive locally-managed FireCluster, you must always paste the verification code into the Firebox configuration, regardless of Firebox model.
If the Firebox could not register to your WatchGuard Cloud account:
- WatchGuard Cloud status on the Firebox is Failed Registration.
- Firebox status in WatchGuard Cloud is Never Connected.
To resolve a Firebox registration failure:
- Make sure your Firebox is powered on and can make outbound connections on HTTPS port 443.
- You have 30 days to connect your device to WatchGuard Cloud.
- If your Firebox requires a Verification Code, make sure the Verification Code on the Firebox matches the code generated in WatchGuard Cloud. Each Verification Code is for a specific Firebox, and expires after 30 days. To make sure that the Verification Code matches, you can regenerate the Verification Code and paste it into the Firebox configuration. For more information, go to Regenerate the Firebox Verification Code.
WARNING: If you remove a Firebox that runs Fireware v12.4 or lower from WatchGuard Cloud, you must upgrade the Firebox to Fireware v12.4.1 or higher before you can add a new Verification Code to the Firebox.
If you cannot find where to paste the Verification Code on the Firebox:
- The Verification Code is not required.
- In Fireware v12.5.3 or higher, the Verification Code is required only for:
  - Firebox T70
  - Firebox M4600, M5600
  - Active/passive FireCluster (all Firebox models)
In Fireware v12.5.2 and lower, all Firebox models require the Verification Code. If your Firebox was manufactured with Fireware v12.5.2 or lower, WatchGuard Cloud always requires you to copy the Verification Code.
If you upgrade the Firebox to Fireware v12.5.3 or higher, and your Firebox does not require the Verification Code, there is no text box to paste it in Fireware Web UI or Policy Manager, and you do not have to paste the code to complete registration.
Troubleshoot Connection Errors
After the Firebox is registered, it connects to WatchGuard Cloud to send log messages and device status. The port the Firebox uses to connect to WatchGuard Cloud after registration depends on the Fireware version:
- In Fireware v12.0.x – v12.2.x it connects on TCP port 8883
- In Fireware v12.3 or higher it connects on TCP port 443
WatchGuard Cloud connection status displays in the Front Panel in Firebox System Manager and Fireware Web UI.
If the Firebox is registered but cannot connect to WatchGuard Cloud:
- WatchGuard Cloud status on the Firebox is Connection Failed.
- Firebox status in WatchGuard Cloud Device Summary is Offline.
If the Firebox connection failed:
- If your Firebox runs Fireware v12.0.x – v12.2.x, make sure any intermediate firewalls do not block outbound connections on TCP port 8883. Or, upgrade the Firebox to Fireware v12.3 or higher so that it uses TCP port 443 to connect.
- Make sure that the Firebox can resolve the FQDN of the WatchGuard Cloud server.
- Check the WatchGuard Cloud Status section of the Status Report on the Firebox for more detailed information to help you troubleshoot the issue.
- If your Firebox has a TPM chip and did not connect within 10 minutes, click Connect.
Review WatchGuard Cloud Status in the Firebox Status Report
You can review information that is useful for troubleshooting in the Status Report on the Firebox.
To review the Firebox Status Report:
- Connect to the Firebox with Firebox System Manager.
- Select the Status Report tab.
WatchGuard Cloud status information shows in the WatchGuard Cloud Status section.
The WatchGuard Cloud Status section includes this information:
registration_status
Indicates whether the Firebox successfully registered with WatchGuard Cloud. It can have one of these values:
- 0 — Not registered
- 1 — Registration in progress
- 2 — Registration successful
- 3 — Registration failed
enabled
Indicates whether WatchGuard Cloud is enabled on the Firebox. It can have one of these values:
- 0 — Not enabled
- 1 — Enabled
connected
Indicates whether the Firebox is connected to WatchGuard Cloud. It can have one of these values:
- 0 — Not connected
- 1 — Connected
token_required
The token_required status indicates whether the Firebox has a TPM chip. If the Firebox does not have a TPM chip, or is a member of an active/passive FireCluster, it requires a Verification Code to register.
- 0 — Firebox has a TPM chip
- 1 — Firebox does not have a TPM chip
server
The FQDN and port of the WatchGuard Cloud server.
api_endpoint
The FQDN of the Firebox API endpoint.
logging_enabled
Indicates whether logging is enabled for this device in WatchGuard Cloud. It can have one of these values:
- 0 — Disabled
- 1 — Enabled
management_enabled
Indicates whether Firebox management from WatchGuard Cloud is enabled. The value is always 0 (Disabled). Firebox management from WatchGuard Cloud is not yet supported.