Firebox Feature Comparison — Locally-Managed and Cloud-Managed
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
WatchGuard Cloud provides a single user interface where you can monitor and configure all your WatchGuard products and services, and a multi-tier architecture that makes it easy to manage inventory across your accounts.
When you add a Firebox or FireCluster to WatchGuard Cloud, you can do so as either a locally-managed or cloud-managed device.
Both locally-managed and cloud-managed devices in WatchGuard Cloud can use monitoring and reporting features, perform system actions such as upgrades and reboots, and send incident data to ThreatSync — the difference is where you manage the device configuration and the configuration features that are available.
Cloud-Managed Device
You manage the Firebox configuration in WatchGuard Cloud. For more information, see Manage the Firebox Configuration in WatchGuard Cloud Help.
Cloud-managed Fireboxes are automatically added to WatchGuard Cloud for visibility and reporting, so you can monitor live status and see log messages and reports.
MSPs can create Firebox configuration templates and use them to quickly apply configuration settings to multiple devices across multiple managed accounts.
You can manage authentication domains and certificates at the account level and share them across devices.
Locally-Managed Device
You manage the Firebox configuration in WSM, Fireware Web UI, or the Command Line Interface. For more information, go to Fireware Help.
You can add the locally-managed Firebox to WatchGuard Cloud for visibility and reporting.
We strongly recommend that you add all locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting, so you can monitor live status, see log messages and reports, easily upgrade firmware, and benefit from platform features such as ThreatSync.
The Firebox features that you can configure depend on the tool you use to manage your device. To determine whether to use local management or cloud management, review the information in these sections:
- Firebox Features Supported by Different Management Tools
- WatchGuard Cloud Features Supported by Fireboxes
For information on how to move a device from local management to cloud management, see Change a Locally-Managed Firebox to Cloud Management.
Firebox Features Supported by Different Management Tools
Several management tools are available to configure your Firebox. However, different management tools support different Firebox features.
This table compares the Firebox features you can configure with different management tools:
Product Feature | WatchGuard Cloud (Cloud-Managed Firebox) | WatchGuard System Manager Tools (Locally-Managed Firebox) | Fireware Web UI (Locally-Managed Firebox) |
---|---|---|---|
Firewall Policy | |||
First Run/Last Run Policies | Supported | Not Supported | Not Supported |
Traffic Types Combined in One Firewall Policy | Supported | Not Supported | Not Supported |
Safeguarding Reports | Supported | Not Supported | Not Supported |
Port/Protocol and Source/Destination Firewall Rules | Supported | Supported | Supported |
Predefined Packet Filter Service List | Supported | Supported | Supported |
Zero-Touch Deployment/RapidDeploy | Supported | Supported | Supported |
Scheduled Policies | Planned | Supported | Supported |
Browser SafeSearch | Planned | Supported | Supported |
Google for Business | Planned | Supported | Supported |
YouTube Enforcement Level | Planned | Supported | Supported |
Policy Tags and Categories | Not Supported | Supported | Supported |
Explicit Proxy | Not Supported | Supported | Supported |
Logging and Notification | |||
WatchGuard Cloud | Supported | Supported | Supported |
Syslog | Supported | Supported | Supported |
Dimension | Supported | Supported | Supported |
Syslog/Dimension Configuration in Templates | Supported | Supported | Not Supported |
SNMP | Supported | Supported | Supported |
NetFlow | Planned | Supported | Supported |
TLS Decryption and Inspection | |||
Inspect by URL Category | Supported | Supported | Supported |
Manage TLS Exception List | Supported | Supported | Supported |
Import Certificate | Supported | Supported | Supported |
PFS Cipher Setting | Supported By Default | Supported | Supported |
Inbound Inspection | Planned | Supported | Supported |
SSL Offloading | Planned | Supported | Supported |
Enforce TLS Versions | Not Supported | Supported | Supported |
Third-party Integrations & API Support | |||
API for Device Information | Supported | Not Supported | Not Supported |
API for Account Creation | Supported | Not Supported | Not Supported |
API for Blocked Sites/IP Address | Supported | Supported | Supported |
API for Exceptions | Supported | Supported | Supported |
Connectwise | Supported | Supported | Supported |
Autotask | Supported | Supported | Supported |
Tigerpaw | Not Planned | Supported | Supported |
FireCluster Configuration | |||
Active/Passive | Supported | Supported | Not Supported |
View Cluster Status | Supported | Supported | Supported |
Alerts and Log Messages on Failover | Supported | Supported | Supported |
Cluster Diagnostics | Supported | Supported | Supported |
Upgrade Cluster Firmware | Supported | Supported | Supported |
Active/Active | Not Planned | Supported | Not Supported |
Multi-Firebox Management | |||
Templates for Firewall Rules | Supported | Supported | Not Supported |
Template Inheritance | Supported | Supported | Not Supported |
One to Many Mapping | Supported | Supported | Not Supported |
Many to One Mapping | Supported | Supported | Not Supported |
Firmware Upgrades | Supported | Supported | Not Supported |
Alias in Templates | Supported | Supported | Not Supported |
Role-based Access Control | Supported | Supported | Not Supported |
Networking | |||
DHCP Server and Options | Supported | Supported | Supported |
DNS Settings for DHCP | Supported | Supported | Supported |
Dynamic DNS | Supported | Supported | Supported |
IPv6 | Supported | Supported | Supported |
Integrated Wi-Fi Configuration on Wireless Firebox Models | Supported | Supported | Supported |
Multi-WAN | Supported | Supported | Supported |
Dynamic Routing | Supported | Supported | Supported |
Dynamic NAT | Supported | Supported | Supported |
Static NAT | Supported | Supported | Supported |
1-to-1 NAT | Planned | Supported | Supported |
Server Load Balancing | Planned | Supported | Supported |
Link Aggregation | Planned | Supported | Supported |
Intra-network Traffic Inspection | Planned | Supported | Supported |
USB Modem Support | Planned | Supported | Supported |
Use Wireless as External Interface on -W Models | Planned | Supported | Supported |
Captive Portal | Supported | Supported | Supported |
Gateway Wireless Controller (GWC) | Not Planned | Supported | Supported |
Firebox Wireless Rogue Access Point Detection | Not Planned | Supported | Supported |
SD-WAN | |||
Dynamic Path - Jitter, Packet Loss, Latency | Supported | Supported | Supported |
Link Monitoring - Ping, DNS, TCP | Supported | Supported | Supported |
Failback - Immediate, Gradual, No Failback | Supported | Supported | Supported |
Load Sharing (Round-Robin) | Supported | Supported | Supported |
Traffic Management | |||
Guarantee/Restrict Bandwidth | Supported | Supported | Supported |
Apply to All Policies, Per Policy, Per IP Address | Supported | Supported | Supported |
Forward / Reverse | Supported | Supported | Supported |
Apply to Applications and Application Categories | Supported | Supported | Supported |
QoS | |||
QoS Marking | Supported | Supported | Supported |
Traffic Priority | Supported | Supported | Supported |
Quotas | Not Supported | Supported | Supported |
Mobile VPN | |||
Mobile VPN with IKEv2 | Supported | Supported | Supported |
Mobile VPN with SSL | Supported | Supported | Supported |
Network Access Enforcement (Endpoint) | Supported | Supported | Supported |
Custom Networks for Mobile VPN with SSL | Planned | Supported | Supported |
Mobile VPN with L2TP | Not Planned | Supported | Supported |
Mobile VPN with IPSec | Not Planned | Supported | Supported |
Branch Office VPN | |||
Firebox to Firebox - IKEv2 Routed | Supported | Supported | Supported |
Firebox to Third-Party - IKEv2 Routed | Supported | Supported | Supported |
DF Bit and MTU per VPN | Supported | Supported | Supported |
1-to-1 NAT through BOVPN | Supported | Supported | Supported |
Policy-Based VPNs | Planned | Supported | Supported |
BOVPN Over SSL | Not Planned | Supported | Supported |
Firebox to Third-Party - IPSec | Not Planned | Supported | Supported |
Domain User as Endpoint ID for BOVPNs to Third-Party Endpoints | Not Supported | Supported | Supported |
Security Services | |||
Intrusion Prevention Service (IPS) | Supported | Supported | Supported |
- IPS Signature Exceptions | Supported | Supported | Supported |
- Signature Updates through Proxy Server | Not Supported | Supported | Supported |
Application Control | Supported | Supported | Supported |
WebBlocker | Supported | Supported | Supported |
- URL Filtering by Policy | Supported | Supported | Supported |
- Alarm by Category | Supported | Supported | Supported |
- Warn | Supported | Supported | Supported |
- On-Premises WebBlocker Server | Not Planned | Supported | Supported |
- Password Override | Planned | Supported | Supported |
spamBlocker | Supported | Supported | Supported |
Gateway AntiVirus | Supported | Supported | Supported |
Geolocation | Supported | Supported | Supported |
Botnet Protection | Supported | Supported | Supported |
APT Blocker | Supported | Supported | Supported |
- Select Server Region | Not Planned | Supported | Supported |
DNSWatch | Supported | Supported | Supported |
IntelligentAV | Supported | Supported | Supported |
Visibility in WatchGuard Cloud | Supported | Supported | Supported |
EDR Core | Supported | Supported | Supported |
ThreatSync | Supported | Supported | Supported |
Blocked Ports | Supported | Supported | Supported |
Blocked Sites | Supported | Supported | Supported |
Remove Auto-Blocked Ports | Not Supported | Supported | Supported |
Remove Auto-Blocked Sites | Not Supported | Supported | Supported |
Access Portal | Planned | Supported | Supported |
Network Discovery | ThreatSync+ NDR Feature | Not Supported | Supported |
Default Threat Protection | |||
Default Packet Handling | Supported | Supported | Supported |
Authentication | |||
Authentication Domains | Supported | Not Supported | Not Supported |
Firebox Database | Supported | Supported | Supported |
RADIUS | Supported | Supported | Supported |
Active Directory | Supported | Supported | Supported |
SSO | Supported | Supported | Supported |
AuthPoint Integration (no RADIUS) | Supported | Supported | Supported |
Terminal Services | Not Supported | Supported | Supported |
Block Failed Logins | Supported | Supported | Supported |
General Settings | |||
NTP Servers | Supported | Supported | Supported |
Firebox as an NTP Server | Planned | Supported | Supported |
Device Feedback | Supported | Supported | Supported |
Fault Reports | Supported | Supported | Supported |
Certificate Management | |||
Proxy Authority Certificates | Supported | Supported | Supported |
VPN Certificates | Supported | Supported | Supported |
Certificate Signing Requests | Supported | Supported | Supported |
Web Server Certificates | Supported | Supported | Supported |
Troubleshooting Tools | |||
Interface Status | Supported | Supported | Supported |
Ping | Supported | Supported | Supported |
TCP Dump | Supported | Supported | Supported |
nslookup | Supported | Supported | Supported |
Download Support.TGZ File | Supported | Supported | Supported |
Scheduled Reboots | Planned | Supported | Supported |
For information on the Firebox security features available with a Standard Support, Basic Security Suite, or Total Security Suite license, go to Security Services on WatchGuard.com.
WatchGuard Cloud Features Supported by Fireboxes
You can add both locally-managed and cloud-managed devices to WatchGuard Cloud.
This table shows the WatchGuard Cloud features supported by locally-managed and cloud-managed Fireboxes that you add to WatchGuard Cloud:
WatchGuard Cloud Features | Cloud-Managed | Locally-Managed |
---|---|---|
Manage Firebox configuration settings, such as policies, security services, VPNs, and more. | Supported | Not Supported |
Manage FireCluster configurations | Supported | Not Supported |
Configure shared device settings in templates | Supported | Not Supported |
Schedule and deploy changes to device settings | Supported | Not Supported |
Revert to a previously deployed configuration | Supported | Not Supported |
Initiate FireCluster system actions (upgrade firmware, reboot, and failover) | Supported | Supported |
Monitor live status (network status, routes, VPNs, users, FireCluster, etc.) | Supported | Supported |
View log messages and reports | Supported | Supported |
Upgrade firmware | Supported | Supported |
Reboot the Firebox | Supported | Supported |
Send incident data to ThreatSync | Supported | Supported |
Send network traffic data to ThreatSync+ NDR | Supported | Supported |
Manage Firebox backups | Not Supported | Supported |
- Features and Benefits of Firebox Management in WatchGuard Cloud (KB article)
- Get Started — Add a Device to WatchGuard Cloud
- Change a Locally-Managed Firebox to Cloud Management
- Upgrade Firmware in WatchGuard Cloud
- Manage Firebox Backup Images in WatchGuard Cloud
- Live Status Reporting for Fireboxes and FireClusters