Deploy Firebox Cloud on Microsoft Azure

Before you create a Firebox Cloud virtual machine, you must create a Microsoft Azure account. When you set up your account, you specify billing information and the credentials you use to connect to the Microsoft Azure portal. Firebox Cloud requires a storage account. You can create a storage account before you deploy Firebox Cloud, or you can create one as part of the deployment.

Identify your Firebox Cloud Software Plan and License Type

When you create a Firebox Cloud VM in Azure, you select one of these two software plans.

Firebox Cloud (BYOL)

With the Bring Your Own License (BYOL) software plan, you purchase a Firebox Cloud license for a specified size: Small, Medium, Large, or Extra Large. The Firebox Cloud license defines the maximum number of Azure CPU cores that the Firebox Cloud VM can use.

When you create a Firebox Cloud (BYOL) VM, you select a License Type. To deploy your VM with appropriate resources, select the License Type that matches your Firebox Cloud license size.

Firebox Cloud (PAYG)

With the Pay As You Go (PAYG) software plan, you do not purchase a Firebox Cloud license. The PAYG option includes a 30 day free trial.

For more information about license options and trials, go to Firebox Cloud License Options.

Supported Instance Types

Firebox Cloud supports these instance families:

  • Av2
  • Amv2
  • Dv3
  • Dv4
  • Dsv3
  • Dsv4
  • F
  • Fsv2

All Azure services that are part of the deployment are mandatory to run Firebox Cloud. To deploy your instance of Firebox Cloud on Azure, you must complete the following procedures.

For information about how to deploy load balancers with Firebox Cloud, go to Deploy Firebox Cloud with Azure Load Balancers.

Create a Key Pair for SSH Authentication

Before you create a Firebox Cloud instance, you must generate an SSH-2 RSA public/private key pair. You can generate a new key pair when you configure your Firebox Cloud deployment, or you can use a tool such as PuTTYgen or the ssh-keygen command in Linux to generate the key pair.

  • Use the public key when you deploy your Firebox Cloud instance.
  • Use the private key for SSH connections to the Fireware command line interface (CLI) for your Firebox Cloud instance.

To use the PuTTYgen utility to generate an SSH-2 RSA key pair:

  1. Download and install the PuTTYgen utility available from www.putty.org.
  2. Start PuTTYgen.
  3. Click Generate.
  4. Move the mouse over the blank area to generate some randomness.
    PuTTYgen uses the mouse movements as input to generate the key pair.

Screen shot of the PuTTY Key Generator

  5. To save the generated public key to a file, click Save public key.
  6. (Optional) Specify a passphrase to protect the private key file.
  7. To save the generated private key to a file, click Save private key.

Save the private key in a secure location. You must provide the private key to connect to the Fireware command line interface.
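The same key pair generated from a Linux or macOS shell with ssh-keygen, as an added example that is not part of the original page or of WatchGuard's tooling. It keeps the private key owner-only, prints the SHA256 fingerprint so you can compare it with what Azure shows for the uploaded key, and builds the ssh command for the Fireware CLI, which listens on TCP 4118 rather than 22. The 4096-bit modulus, the file name firebox-cloud, the CLI user name admin, and the documentation address 203.0.113.10 are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example; not WatchGuard tooling. Does with ssh-keygen what the PuTTYgen
# steps do by hand. Assumptions (not from the page): 4096-bit modulus, key file
# name "firebox-cloud", CLI user "admin", sample address 203.0.113.10.

# gen_firebox_key DIR PASSPHRASE  -> prints the OpenSSH public key line
gen_firebox_key() {
    dir=$1; passphrase=$2
    # Firebox Cloud accepts RSA public keys only, so the key type is fixed here.
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C firebox-cloud-admin \
        -f "$dir/firebox-cloud" </dev/null || return 1
    chmod 600 "$dir/firebox-cloud"              # private key: owner read/write only
    ssh-keygen -l -f "$dir/firebox-cloud.pub" >&2   # SHA256 fingerprint, for your records
    cat "$dir/firebox-cloud.pub"                # paste this into "SSH public key source"
}

# pubkey_is_rsa "KEY LINE" -> succeeds only for the key type Firebox Cloud supports
pubkey_is_rsa() {
    case $1 in
        "ssh-rsa "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# firebox_cli_cmd PUBLIC_IP KEYFILE -> the ssh invocation for the Fireware CLI
# (TCP 4118, the CLI port the Management Only network security group opens).
firebox_cli_cmd() {
    printf 'ssh -i %s -p 4118 admin@%s\n' "$2" "$1"
}

# Usage: generate into a fresh private directory (use a real passphrase instead
# of "" outside a demo), check the key type, then print the CLI command.
if command -v ssh-keygen >/dev/null 2>&1; then
    keydir=$(mktemp -d) && pub=$(gen_firebox_key "$keydir" "") \
        && pubkey_is_rsa "$pub" \
        && echo "key pair written to $keydir" \
        && firebox_cli_cmd 203.0.113.10 "$keydir/firebox-cloud"
fi
```

Keep the generated directory: the private key is the only way into the CLI once the public key is baked into the deployment, and the fingerprint printed by ssh-keygen -l is what you compare against the key Azure stores if you ever doubt which key was uploaded.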

Deploy Firebox Cloud

To create the Firebox Cloud instance:

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Click Create a resource.
    The Azure Marketplace opens.
  3. In the Search services and marketplace text box, enter Firebox Cloud.
  4. Select WatchGuard Firebox Cloud.
    The WatchGuard Firebox Cloud license options open.

Screen shot of the Firebox Cloud license options

  5. From the Plan drop-down list, select WatchGuard Firebox Cloud (BYOL) or WatchGuard Firebox Cloud (PAYG).
  6. Click Create.
    The VM configuration steps open.

Screen shot of the Firebox Cloud template steps in Microsoft Azure

  7. On the Basics tab, specify basic information about your virtual machine.

Subscription

The name of the Azure subscription where the virtual machine and resources are stored. This is the account that Microsoft bills for VM use and storage.

Resource group

A resource group is a collection of resources that share the same lifecycle, permissions, and policies. All objects, such as networks and interfaces, and data for the Firebox Cloud instance will be associated with the resource group you specify. The resource group does not affect networking or connectivity from the Firebox to existing Azure resources.

Microsoft Azure does not support deployment of a managed application to a resource group with existing resources. You must create a new resource group or use an empty resource group.

Region

The Azure region for this Firebox Cloud instance.

Firebox Cloud VM Name

The name for the Firebox Cloud virtual machine in the Azure portal.

  8. Click Next.
    The Virtual Machine Settings configuration step opens if you use the BYOL option, or the VM Size and Key Data section if you use the PAYG option.

Screen shot of the Virtual Machines Settings page in Azure

  9. In the Virtual Machine Settings step, specify virtual machine configuration details.

Firebox Cloud License Type and VM Size — for Firebox Cloud (BYOL)

For a BYOL license, select the Firebox Cloud License Type. This is the Firebox Cloud license you purchased from WatchGuard or a WatchGuard reseller. Select Small, Medium, Large or Extra Large. After you select the License Type, an appropriate VM size is selected by default. To select a different size, click Change size. An Availability Set is created as part of the BYOL deployment.

Azure VM Tier and VM Size — for Firebox Cloud (PAYG)

For a PAYG license, select the Azure VM tier for the virtual machine. Select Free Tier Eligible or Standard. After you select the VM tier, an appropriate VM size is selected by default. To select a different size, click Change size.

SSH public key source

The public key for this Firebox. You can generate a new key pair, use an existing key stored in Azure, or use a tool such as PuTTYgen or the ssh-keygen command in Linux to generate the key pair. You must use the private key associated with this public key to connect to the Firebox Cloud CLI.

SSH Key Type

The SSH key format. Firebox Cloud supports RSA SSH Format.

Key pair name

The name for the key pair.

Storage account

The name of the storage account to store boot diagnostic log files. The storage account you select must not be in another resource group in your subscription. Boot diagnostic log files contain information that can help WatchGuard support troubleshoot issues.

  10. Click Next.

Screen shot of the Network Settings page in the Firebox Cloud Azure Wizard

  11. In the Network Settings step, specify the required network configuration information.

Virtual network

The virtual network to use for this Firebox Cloud. By default, a new available address space with a /16 netmask is selected. You can use the default virtual network, edit the default virtual network, or choose another existing virtual network.

External (Public) subnet

Review and configure the subnet to use for the External (Public) network. By default, a new external network 10.7.0.0/24 is selected.

Trusted (Private) subnet

Review and configure the subnet to use for the Trusted (Private) network. By default, a new trusted network 10.7.1.0/24 is selected.

External Network Security Group

A network security group contains security rules that allow or deny inbound network traffic to, or outbound traffic from, the virtual machine. If you select None, no external network security group is applied. If you select Management Only, an external network security group is applied that allows inbound traffic to the Firebox on TCP 8080 (Fireware Web UI), TCP 4118 (CLI over SSH), and TCP 4117 (WatchGuard System Manager). If you select Allow All, all inbound traffic to the Firebox is allowed. Whichever option you select, review the resulting rules after deployment and limit the source addresses allowed to reach the management ports to your management network.

Public IP address

Select or create a public IP address to use for your Firebox Cloud external interface. For a new public IP address, specify a name, and select the SKU type (Basic or Standard). If you select a Basic SKU type, select the IP address assignment type, Dynamic or Static. If you select a Standard SKU type, select the routing preference, Microsoft network or Internet. For more information, go to Routing Preference.

Inbound connections to a public IP address with the Standard SKU type fail until you create and associate a network security group and explicitly allow the desired inbound traffic. For more information, go to the article IP address types and allocation methods in Azure in the Microsoft Azure documentation.

To assign a secondary IP address, go to Assign multiple IP addresses to virtual machines using the Azure portal.

Domain name label

Specify the DNS label for the Firebox Cloud public IP address. It must be all lowercase letters and numbers.

  12. Click Next.
  13. In the Review + Create step, review the information and correct any errors.
  14. Click Create.
    The deployment begins.

After the deployment is completed, you can go to the resource group or pin the VM to the Microsoft Azure dashboard.
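The Management Only network security group described in the Network Settings step opens the three management ports; the Azure CLI script below, added here as an example and not part of the original page or of the Marketplace template, builds the equivalent group yourself but allows those ports only from a named management network, then attaches it to the external NIC. This is the same restriction the Configure Firewall Policies and Services section recommends for the Firebox's own policies, applied one layer earlier. The resource group, NSG and NIC names, the region, and the 203.0.113.0/24 source are assumptions, not values from the page; DRY_RUN=1 prints the az commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the WatchGuard page or the Marketplace template.
# Assumed names (not from the page): resource group fbc-rg, NSG fbc-external-nsg,
# external NIC fbc-external-nic, region eastus, management source 203.0.113.0/24.

# Run az, or just print the command when DRY_RUN is set.
az_cmd() {
    if [ -n "$DRY_RUN" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Refuse a source that would expose Web UI, CLI and WSM to the whole Internet.
source_is_restricted() {
    case $1 in
        ''|'*'|0.0.0.0/0|Internet|internet|Any|any) return 1 ;;
        *) return 0 ;;
    esac
}

# mgmt_nsg RESOURCE_GROUP NSG_NAME EXT_NIC_NAME REGION MGMT_SOURCE_CIDR
mgmt_nsg() {
    rg=$1; nsg=$2; nic=$3; region=$4; src=$5
    source_is_restricted "$src" || {
        echo "refusing unrestricted management source: '$src'" >&2; return 1; }
    az_cmd network nsg create -g "$rg" -n "$nsg" -l "$region" || return 1
    # Ports from the page: 8080 Fireware Web UI, 4118 CLI over SSH, 4117 WSM.
    az_cmd network nsg rule create -g "$rg" --nsg-name "$nsg" -n allow-firebox-mgmt \
        --priority 100 --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$src" --destination-port-ranges 8080 4117 4118 || return 1
    # No explicit deny is needed: Azure's default DenyAllInBound rule (priority 65500)
    # drops everything else arriving from the Internet. Add further allow rules for
    # any service (for example VPN) that the Firebox itself will publish.
    az_cmd network nic update -g "$rg" -n "$nic" --network-security-group "$nsg"
}

# Usage (dry run, so the example is safe to execute anywhere):
DRY_RUN=1 mgmt_nsg fbc-rg fbc-external-nsg fbc-external-nic eastus 203.0.113.0/24
```

Because a Standard SKU public IP passes no inbound traffic until a network security group allows it, run this (or its portal equivalent) before you expect to reach the Web UI; if you deployed with Management Only already selected, edit that group's rule to set the source prefix instead of creating a second group.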

Find the Instance ID (VM ID)

After you deploy your Firebox Cloud instance, you must find the Instance ID, also known as the VM ID. This value is the default Administrator passphrase for your first login to Fireware Web UI, where you run the Firebox Cloud Setup Wizard. You can find the instance ID in the name of the storage container for boot diagnostic logs.

To find the Firebox Cloud Instance ID:

  1. In the Azure left navigation menu, select Storage accounts.
  2. Click the name of the storage account associated with your Firebox Cloud instance.
  3. Expand the Data Storage section, and select Containers.
  4. To find the boot diagnostic container, click the container to view its details.
  5. On the container details page, in the Location field, the name of the boot diagnostic container has the format:
    bootdiagnostics-<vmname>-<vmid>
    For example:
    bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d, where 11111111-2222-3333-4444-f86331913a6d is the VM ID.
  6. Copy the VM ID, the GUID at the end of the container name.

You must have this instance ID to run the Firebox Cloud Setup Wizard.
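Extracting the VM ID from the container name with a shell function, as an added example that is not from the original page. The VM ID itself contains hyphens, so a naive split on the last hyphen returns only its final segment; the function matches the full GUID shape instead. The second function assumes, which the page does not state, that this GUID is the same value Azure exposes as the VM's vmId property, so you can read it from the VM resource without browsing the storage account.

```shell
#!/bin/sh
# Added example, not from the WatchGuard page. Assumption not stated on the
# page: the GUID in the container name equals the VM's vmId property.

# vmid_from_container CONTAINER_NAME -> prints the trailing GUID, fails otherwise
vmid_from_container() {
    # ${name##*-} would return only the last 12-character group, because the
    # VM ID contains hyphens. Anchor on the whole GUID shape at the end instead.
    id=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -En \
        's/^bootdiagnostics-.*-([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# vmid_from_azure RESOURCE_GROUP VM_NAME  (needs az login; not called here)
vmid_from_azure() {
    az vm show -g "$1" -n "$2" --query vmId -o tsv
}

# Constructed sample with the same shape as the page's example container name.
vmid_from_container bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d
```

Treat the value as a secret: anyone who can list containers in that storage account can read the initial admin passphrase until the setup wizard replaces it, so run the wizard as soon as the deployment completes.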

Activate your Firebox Cloud License

For Firebox Cloud with a BYOL license, you must activate the Firebox Cloud serial number at www.watchguard.com. Before you can activate Firebox Cloud, you must have the Firebox Cloud serial number you received from WatchGuard.

To activate your Firebox Cloud license:

  1. Go to www.watchguard.com.
  2. Click Support.
  3. Click Activate Products.
  4. Log in to your WatchGuard Customer or Partner account. If you do not have an account, you can create one.
  5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Products.
  6. When prompted, provide your Firebox Cloud serial number.
  7. When activation is complete, copy the feature key and save it to a local file.

For more information about how to activate your Firebox Cloud license, go to Activate a Device or Service at WatchGuard.com.

Run the Firebox Cloud Setup Wizard

After you deploy Firebox Cloud, you can connect to Fireware Web UI through the public IP address to run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for Firebox Cloud.

To run the Firebox Cloud Setup Wizard:

  1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
    https://<eth0_public_IP>:8080
  2. Log in with the default Administrator account user name and passphrase:
    • User name — admin
    • Passphrase — The Firebox Cloud Instance ID
      The Firebox Cloud Setup Wizard welcome page opens.
  3. Click Next.
    The setup wizard starts.
  4. Review and accept the End-User License Agreement. Click Next.

Screen shot of the Create passphrases step in the Web Setup Wizard

  5. Specify new passphrases for the built-in status and admin user accounts.
  6. Click Next.
    The configuration is saved to Firebox Cloud and the wizard is complete.

WatchGuard does not store any sensitive customer information in the Firebox Cloud configuration or on the Azure cloud-based platform.

Connect to Fireware Web UI

To connect to Fireware Web UI and administer Firebox Cloud:

  1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:
    https://<eth0_public_IP>:8080
  2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox Cloud Setup Wizard.

By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at the same time. To prevent changes by more than one administrator at the same time, the configuration is locked by default. To unlock the configuration so you can make changes, click the Locked icon.

If you prefer to allow only one Device Administrator to log in at the same time, select System > Global Settings and clear the Enable more than one Device Administrator to log in at the same time check box.

Microsoft Azure automatically terminates your management connection to Firebox Cloud after 30 minutes of inactivity. To avoid unexpected disconnection of your management session, do not set the Management Session Idle Timeout in the Fireware Authentication > Settings page to a value higher than 30 minutes.

Add the Feature Key

If you have received or downloaded the Firebox Cloud feature key to a local file, in the Feature Key Wizard select Yes I have a local copy of the feature key and paste the feature key into the wizard.

If you activated a Firebox Cloud license at www.watchguard.com, your feature key is available directly from WatchGuard. You must add this feature key to the Firebox Cloud configuration to enable all functionality and configuration options on Firebox Cloud.

After you add the feature key, Firebox Cloud automatically reboots with a new serial number.

To add the feature key, from Fireware Web UI:

  1. Select System > Feature Key.
    The Feature Key Wizard page opens.

Screen shot of the Feature Key Wizard welcome page

  2. To unlock the configuration file, click the Locked icon.
  3. To download and install the feature key, click Next.
  4. On the Summary page, verify that your feature key was successfully installed.
    When your feature key has been installed, Feature Key Retrieval Success appears on the Summary page.

Screen shot of the Feature Key wizard Summary page

  5. Click Next.
    The wizard completes and Firebox Cloud reboots with a new serial number.

Next Steps

After you run the setup wizard and add the feature key you can use Fireware Web UI or Policy Manager to configure the settings for Firebox Cloud.

Enable Feature Key Synchronization

Enable Firebox Cloud to automatically check for feature key updates when services are about to expire.

To enable feature key synchronization, in Fireware Web UI:

  1. Select System > Feature Key.
  2. Select the Enable automatic feature key synchronization check box.
  3. Click Save.

To enable feature key synchronization, in Policy Manager:

  1. Connect to Firebox Cloud in WatchGuard System Manager.
  2. Open Policy Manager.
  3. Select System > Feature Keys.
  4. Select the Enable automatic feature key synchronization check box.
  5. Click Save.

Configure Firebox Cloud to Send Feedback to WatchGuard

To enable Firebox Cloud to send feedback, in Fireware Web UI:

  1. Select System > Global Settings.
  2. Select the Send advanced device feedback to WatchGuard check box.
  3. Select the Send threat telemetry to WatchGuard check box (Fireware v12.11 and higher).
  4. Select the Send Fault Reports to WatchGuard daily check box.

To enable Firebox Cloud to send feedback, in Policy Manager:

  1. Connect to Firebox Cloud in WatchGuard System Manager.
  2. Open Policy Manager.
  3. Select Setup > Global Settings.
  4. Select the Send advanced device feedback to WatchGuard check box.
  5. Select the Send threat telemetry to WatchGuard check box (Fireware v12.11 and higher).
  6. Select the Send Fault Reports to WatchGuard daily check box.

Configure Firewall Policies and Services

The default WatchGuard and WatchGuard Web UI policies allow management connections from any computer on the trusted, optional, or external networks.

We strongly recommend that you do not allow management connections from the external network. After you complete the initial configuration, edit the WatchGuard and WatchGuard Web UI policies to remove the Any-External alias from the From list.

To allow management from only a specific computer on the external network, add the address of that management computer to the From list in these policies in place of Any-External.

Configure other policies and services as you would for any other Firebox.

Firebox Cloud does not support every Fireware feature. For a summary of the differences between Firebox Cloud and other Firebox models, go to Firebox Cloud Feature Differences.