Firebox Feature Comparison — Locally-Managed and Cloud-Managed

Applies To: Cloud-managed Fireboxes This topic applies to Fireboxes you configure in WatchGuard Cloud., Locally-managed Fireboxes This topic applies to Fireboxes you configure in Policy Manager or Fireware Web UI.

WatchGuard Cloud provides a single user interface where you can monitor and configure all your WatchGuard products and services, and a multi-tier architecture that makes it easy to manage inventory across your accounts.

When you can add a Firebox or FireCluster to WatchGuard Cloud, you can do so as either a locally-managed or cloud-managed device.

Both locally-managed and cloud-managed devices in WatchGuard Cloud can use monitoring and reporting features, perform system actions such as upgrades and reboots, and send incident data to ThreatSync — the difference is where you manage the device configuration and the configuration features that are available.

Cloud-Managed Device

You manage the Firebox configuration in WatchGuard Cloud. For more information, see Manage the Firebox Configuration in WatchGuard Cloud Help.

Cloud-managed Fireboxes are automatically added to WatchGuard Cloud for visibility and reporting, so you can monitor live status and see log messages and reports.

MSPs can create Firebox configuration templates and use them to quickly apply configuration settings to multiple devices across multiple managed accounts.

You can manage authentication domains and certificates at the account level and share them across devices.

Locally-Managed Device

You manage the Firebox configuration in WSM, Fireware Web UI, or the Command Line Interface. For more information, see Fireware Help.

You can add the locally-managed Firebox to WatchGuard Cloud for visibility and reporting.

We strongly recommend that you add all locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting, so you can monitor live status, see log messages and reports, easily upgrade firmware, and benefit from platform features such as ThreatSync.

The Firebox features that you can configure depend on the tool you use to manage your device. To determine whether to use local management or cloud management, review the information in these sections:

• Firebox Features Supported by Different Management Tools
• WatchGuard Cloud Features Supported by Fireboxes

For information on how to move a device from local management to cloud management, see Change a Locally-Managed Firebox to Cloud Management.

Firebox Features Supported by Different Management Tools

Several management tools are available to configure your Firebox. However, different management tools support different Firebox features.

This table compares the Firebox features you can configure with different management tools:

Product Feature	WatchGuard Cloud (Cloud-Managed Firebox)	WatchGuard System Manager Tools (Locally-Managed Firebox)	Fireware Web UI (Locally-Managed Firebox)
Firewall Policy
First Run/Last Run Policies	Supported	Not Supported	Not Supported
Traffic Types Combined in One Firewall Policy	Supported	Not Supported	Not Supported
Safeguarding Reports	Supported	Not Supported	Not Supported
Port/Protocol and Source/Destination Firewall Rules	Supported	Supported	Supported
Predefined Packet Filter Service List	Supported	Supported	Supported
Zero-Touch Deployment/RapidDeploy	Supported	Supported	Supported
Scheduled Policies	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Browser SafeSearch	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Google for Business	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
YouTube Enforcement Level	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Policy Tags and Categories	Not Supported	Supported	Supported
Explicit Proxy	Not Supported	Supported	Supported
Logging and Notification
WatchGuard Cloud	Supported	Supported	Supported
Syslog	Supported	Supported	Supported
Dimension	Supported	Supported	Supported
Syslog/Dimension Configuration in Templates	Supported	Supported	Not Supported
SNMP	Supported	Supported	Supported
NetFlow	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
TLS Decryption and Inspection
Inspect by URL Category	Supported	Supported	Supported
Manage TLS Exception List	Supported	Supported	Supported
Import Certificate	Supported	Supported	Supported
PFS Cipher Setting	Supported By Default Cloud-managed Fireboxes use secure PFS cipher settings automatically. You do not have to configure this feature.	Supported	Supported
Inbound Inspection	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
SSL Offloading	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Enforce TLS Versions	Not Supported	Supported	Supported
Third-party Integrations & API Support
API for Device Information	Supported	Not Supported	Not Supported
API for Account Creation	Supported	Not Supported	Not Supported
API for Blocked Sites/IP Address	Supported	Supported	Supported
API for Exceptions	Supported	Supported	Supported
Connectwise	Supported	Supported	Supported
Autotask	Supported	Supported	Supported
Tigerpaw	Not Planned No plans to support this feature on cloud-managed devices.	Supported	Supported
FireCluster Configuration
Active/Passive	Supported	Supported	Not Supported
View Cluster Status	Supported	Supported	Supported
Alerts and Log Messages on Failover	Supported	Supported	Supported
Cluster Diagnostics	Supported	Supported	Supported
Upgrade Cluster Firmware	Supported	Supported	Supported
Active/Active	Not Planned No plans to support this feature on cloud-managed devices. If you need more than one Firebox to handle the load of your network, we recommend that you deploy appropriately sized Firebox models and use an Active/Passive cluster for redundancy, or use load balancing architecture with more than two Fireboxes.	Supported	Not Supported
Multi-Firebox Management
Templates for Firewall Rules	Supported	Supported	Not Supported
Template Inheritance	Supported	Supported	Not Supported
One to Many Mapping	Supported	Supported	Not Supported
Many to One Mapping	Supported	Supported	Not Supported
Firmware Upgrades	Supported	Supported	Not Supported
Alias in Templates	Supported	Supported	Not Supported
Role-based Access Control	Supported	Supported	Not Supported
Networking
DHCP Server and Options	Supported	Supported	Supported
DNS Settings for DHCP	Supported	Supported	Supported
Dynamic DNS	Supported	Supported	Supported
IPv6	Supported	Supported	Supported
Integrated Wi-Fi Configuration on Wireless Firebox Models	Supported	Supported	Supported
Multi-WAN	Supported	Supported	Supported
Dynamic Routing	Supported	Supported	Supported
Dynamic NAT	Supported	Supported	Supported
Static NAT	Supported	Supported	Supported
1-to-1 NAT	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Server Load Balancing	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Link Aggregation	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Intra-network Traffic Inspection	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
USB Modem Support	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Use Wireless as External Interface on -W Models	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Hotspot/Guest Access	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Gateway Wireless Controller (GWC)	Not Planned No plans to support this feature on cloud-managed devices. All access points that support Gateway Wireless Controller are end-of-sale.	Supported	Supported
Firebox Wireless Rogue Access Point Detection	Not Planned No plans to support this feature on cloud-managed devices. All access points that support Gateway Wireless Controller are end-of-sale.	Supported	Supported
SD-WAN
Dynamic Path - Jitter, Packet Loss, Latency	Supported	Supported	Supported
Link Monitoring - Ping, DNS, TCP	Supported	Supported	Supported
Failback - Immediate, Gradual, No Failback	Supported	Supported	Supported
Load Sharing (Round-Robin)	Supported	Supported	Supported
Traffic Management
Guarantee/Restrict Bandwidth	Supported	Supported	Supported
Apply to All Policies, Per Policy, Per IP Address	Supported	Supported	Supported
Forward / Reverse	Supported	Supported	Supported
Apply to Applications and Application Categories	Supported	Supported	Supported
QoS
QoS Marking	Supported	Supported	Supported
Traffic Priority	Supported	Supported	Supported
Quotas	Not Supported	Supported	Supported
Mobile VPN
Mobile VPN with IKEv2	Supported	Supported	Supported
Mobile VPN with SSL	Supported	Supported	Supported
Network Access Enforcement (Endpoint)	Supported	Supported	Supported
Custom Networks for Mobile VPN with SSL	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Mobile VPN with L2TP	Not Planned No plans to support this feature on cloud-managed devices. We recommend that you configure Mobile VPN with IKEv2, which offers a more secure solution than L2TP.	Supported	Supported
Mobile VPN with IPSec	Not Planned No plans to support this feature on cloud-managed devices. We recommend that you configure Mobile VPN with IKEv2 on cloud-managed devices.	Supported	Supported
Branch Office VPN
Firebox to Firebox - IKEv2 Routed	Supported	Supported	Supported
Firebox to Third-Party - IKEv2 Routed	Supported	Supported	Supported
DF Bit and MTU per VPN	Supported	Supported	Supported
1-to-1 NAT through BOVPN	Supported	Supported	Supported
Policy-Based VPNs	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
BOVPN Over SSL	Not Planned No plans to support this feature on cloud-managed devices.	Supported	Supported
Firebox to Third-Party - IPSec	Not Planned No plans to support this feature on cloud-managed devices.	Supported	Supported
Domain User as Endpoint ID for BOVPNs to Third-Party Endpoints	Not Supported	Supported	Supported
Security Services
Intrusion Prevention Service (IPS)	Supported	Supported	Supported
- IPS Signature Exceptions	Supported	Supported	Supported
- Signature Updates through Proxy Server	Not Supported	Supported	Supported
Application Control	Supported	Supported	Supported
WebBlocker	Supported	Supported	Supported
- URL Filtering by Policy	Supported	Supported	Supported
- Alarm by Category	Supported	Supported	Supported
- Warn	Supported	Supported	Supported
- On-Premises WebBlocker Server	Not Planned No plans to support this feature on cloud-managed devices. Cloud-managed Fireboxes use the WebBlocker Cloud Server automatically.	Supported	Supported
- Password Override	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
spamBlocker	Supported	Supported	Supported
Gateway AntiVirus	Supported	Supported	Supported
Geolocation	Supported	Supported	Supported
Botnet Protection	Supported	Supported	Supported
APT Blocker	Supported	Supported	Supported
- Select Server Region	Not Planned No plans to support this feature on cloud-managed devices. Cloud-managed Fireboxes send APT Blocker requests to the nearest cloud-based server.	Supported	Supported
DNSWatch	Supported	Supported	Supported
IntelligentAV	Supported	Supported	Supported
Visibility in WatchGuard Cloud	Supported	Supported	Supported
EDR Core	Supported	Supported	Supported
ThreatSync	Supported	Supported	Supported
Blocked Ports	Supported	Supported	Supported
Blocked Sites	Supported	Supported	Supported
Remove Auto-Blocked Ports	Not Supported	Supported	Supported
Remove Auto-Blocked Sites	Not Supported	Supported	Supported
Access Portal	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported
Network Discovery	Platform Feature ThreatSync+ NDR can discover devices on your network.	Not Supported	Supported
Default Threat Protection
Default Packet Handling	Supported	Supported	Supported
Authentication
Authentication Domains	Supported	Not Supported	Not Supported
Firebox Database	Supported	Supported	Supported
RADIUS	Supported	Supported	Supported
Active Directory	Supported	Supported	Supported
SSO	Supported	Supported	Supported
AuthPoint Integration (no RADIUS)	Supported	Supported	Supported
Terminal Services	Not Supported	Supported	Supported
Block Failed Logins	Supported	Supported	Supported
General Settings
NTP Servers	Supported	Supported	Supported
Device Feedback	Supported	Supported	Supported
Fault Reports	Supported	Supported	Supported
Certificate Management
Proxy Authority Certificates	Supported	Supported	Supported
VPN Certificates	Supported	Supported	Supported
Certificate Signing Requests	Supported	Supported	Supported
Web Server Certificates	Supported	Supported	Supported
Troubleshooting Tools
Interface Status	Supported	Supported	Supported
Ping	Supported	Supported	Supported
TCP Dump	Supported	Supported	Supported
nslookup	Supported	Supported	Supported
Download Support.TGZ File	Supported	Supported	Supported
Scheduled Reboots	Planned Cloud-managed Fireboxes will support this feature in a future release.	Supported	Supported

For information on the Firebox security features available with a Standard Support, Basic Security Suite, or Total Security Suite license, go to Security Services on WatchGuard.com.

WatchGuard Cloud Features Supported by Fireboxes

You can add both locally-managed and cloud-managed devices to WatchGuard Cloud.

This table shows the WatchGuard Cloud features supported by locally-managed and cloud-managed Fireboxes that you add to WatchGuard Cloud:

WatchGuard Cloud Features	Cloud-Managed	Locally-Managed
Manage Firebox configuration settings, such as policies, security services, VPNs, and more.	Supported	Not Supported
Manage FireCluster configurations	Supported	Not Supported
Configure shared device settings in templates	Supported	Not Supported
Schedule and deploy changes to device settings	Supported	Not Supported
Revert to a previously deployed configuration	Supported	Not Supported
Initiate FireCluster system actions (upgrade firmware, reboot, and failover)	Supported	Supported
Monitor live status (network status, routes, VPNs, users, FireCluster, etc.)	Supported	Supported
View log messages and reports	Supported	Supported
Upgrade firmware	Supported	Supported
Reboot the Firebox	Supported	Supported
Send incident data to ThreatSync	Supported	Supported
Send network traffic data to ThreatSync+ NDR	Supported	Supported
Manage Firebox backups	Not Supported	Supported

Related Topics

About WatchGuard Cloud

Features and Benefits of Firebox Management in WatchGuard Cloud (KB article)

Get Started — Add a Device to WatchGuard Cloud

Change a Locally-Managed Firebox to Cloud Management

Upgrade Firmware in WatchGuard Cloud

Reboot a Firebox

Manage Firebox Backup Images in WatchGuard Cloud

Live Status Reporting for Fireboxes and FireClusters

About Firebox Security Services Settings

About FireCluster in WatchGuard Cloud