Configure an RMA Replacement for a Cloud-Managed FireCluster Member

Applies To: Cloud-managed Fireboxes

If your Firebox hardware fails during the warranty period, WatchGuard might replace it with an RMA (Return Merchandise Authorization) unit of the same model. When you exchange a Firebox for an RMA replacement, WatchGuard Customer Care transfers the licenses from the original device serial number to the new device serial number. All the features that were licensed to the original device are transferred to the replacement device.

WatchGuard automatically allocates the RMA replacement device to the same WatchGuard Cloud account as the original cloud-managed device.

Caution: When you return a Firebox, return only the defective product. You should keep any expansion modules, and keep all of the original manuals, cables, cords, and disks, as we do not ship these with the replacement product.

If you must replace a member of a cloud-managed active/passive FireCluster, follow the procedures in this topic to prepare the replacement Firebox and add it to the FireCluster:

Before You Begin

Before you begin:

  • Remove the cables from the old Firebox that you plan to replace.
  • Remove any expansion modules from the old Firebox and install them on the replacement Firebox.
  • Connect and power on the replacement Firebox.
  • Use an Ethernet cable to connect your computer to interface 1 on the replacement Firebox. You must do this to connect to WatchGuard System Manager, which is the user interface for local management.
  • (Recommended) Connect the Firebox to the Internet. This will help you to automatically synchronize the Firebox feature key.
  • Download WatchGuard System Manager from the WatchGuard Software Downloads page.
  • Install WatchGuard System Manager on your computer.

Compare the Firmware Version

The replacement Firebox and cluster master Firebox must run the same firmware version. As a best practice, we recommend that both Fireboxes have the same build number.

To find the firmware version and build number on the cluster master Firebox:

  1. Log in to WatchGuard Cloud.
  2. Select Monitor > Devices.
  3. Select the FireCluster.
    The Device Summary page opens and shows the firmware version and build number.

Screen shot of the Device Information page for a FireCluster

Next, find the firmware version and build number on the replacement Firebox:

  1. Start WatchGuard System Manager on your computer.
  2. In WatchGuard System Manager, connect to the replacement Firebox with these settings:
    IP Address10.0.1.1
    User Namestatus
    Passphrasereadonly
  3. After you connect to the replacement Firebox, adjacent to the Firebox model number, find the firmware version and build number. The build number begins with the letter "B".

Next, compare the firmware version and build number on the replacement Firebox and the cluster master Firebox. If the firmware version and build numbers are different:

  1. Get the feature key for the replacement Firebox.
  2. Upgrade or downgrade the replacement Firebox to the same firmware version installed on the cluster master.

Get the Feature Key for the Replacement Firebox

You can use Firebox System Manager to automatically get a feature key from the WatchGuard website. Or, you can manually copy the feature key from the WatchGuard website and import it in Policy Manager.

  1. Connect the replacement Firebox to the Internet.
  2. Start Firebox System Manager.
  3. In Firebox System Manager, select Tools > Synchronize Feature Key.
    The Synchronize Feature Key dialog box opens.

Screen shot of the Synchronize Feature Key dialog box with the Passphrase text box

  1. In the User Name and Passphrase text boxes, enter the credentials for a user with Device Administrator privileges.
  2. Click OK.
    The device gets the feature key from the WatchGuard website and updates it on the device.
  1. Open a web browser and go to https://www.watchguard.com/.
  2. Log in with your WatchGuard account user name and password.
  3. Click Support Center in the Partner portal.
  4. On the Support Center Home page, click My WatchGuard > Manage Products. Or on the Support Center Home page, in the Manage Your Products section, click See All.
    The Manage Products page opens.
  5. In the list of products, select your device.
    The Product Details page opens.
  6. On the Product Details page, click Get your feature key.
    The feature key details appear in a dialog box.
  7. Select all of the text in the feature key.
  8. To copy the selected text, right-click the selected text and select Copy or press Ctrl+C on your keyboard.
  9. (Optional) Paste the selected text into an empty text file.
  10. Open Policy Manager.
  11. Select Setup > Feature Keys.
  12. To remove the current feature key, click Remove.
  13. Click Import.
  14. Click Browse and find the feature key file that you saved from the WatchGuard website.
  15. Click OK.
    The Import a Firebox Feature Key dialog box closes and the new feature key information appears in the Firebox Feature Key dialog box.
  16. Click OK.
  17. Save the Configuration File.
    The feature key is not installed on the Firebox until you save the configuration file to the device.

Upgrade or Downgrade the Firmware on the Replacement Firebox

To upgrade or downgrade the firmware version on the replacement Firebox, from Policy Manager:

  1. Select File > Upgrade.
    The Upgrade dialog box opens.
  2. Enter the configuration passphrase. The default administrator account credentials are:
    Usernameadmin
    Passphrasereadwrite
  3. To enter the path to the upgrade or downgrade image, click Browse. Make sure to select the image file that is the same version as the version installed on the cluster master.
  4. Confirm that you want to upgrade the Firebox.
    The Firebox reboots automatically after you confirm.

Edit the Serial Number in the FireCluster Configuration

In the FireCluster configuration, you must enter the serial number of the replacement Firebox.

To edit the serial number:

  1. Select Configure > Devices.
  2. Select the FireCluster.
  3. Select Device Configuration.
  4. In the Settings tile, select FireCluster Settings.
    The Settings page opens.
  5. Select the FireCluster Settings tab.

Screen shot of the FireCluster Settings page

  1. In the FireCluster Details section, next to the replacement cluster member, click Edit.
    The Edit Member dialog box opens.

Screen shot of the Edit Member dialog box for RMA cluster members

  1. In the Serial Number text box, enter the serial number of the replacement Firebox. Do not include a hyphen.
  2. Click Save.
  3. Deploy the configuration.

After you deploy the FireCluster member replacement configuration, from the Device Summary page for the FireCluster, you can click the Older Devices link to view details about the previous devices in the cluster. For more information, go to See the Device Summary Page for a Firebox.

Connect the Replacement Firebox and Form the Cluster

Next, you must connect the replacement Firebox to the cluster master Firebox and to your network. The cable configuration on the replacement Firebox must be the same as the cable configuration on the cluster master Firebox.

To connect the replacement Firebox:

  1. Connect the primary cluster interfaces of each Firebox.
  2. Connect all other network interfaces on the replacement Firebox.
  3. Reboot the replacement Firebox in factory-default mode.

After you connect the cables on the replacement Firebox, the cluster automatically forms in WatchGuard Cloud. The replacement Firebox automatically receives an updated configuration from the cluster master.

For more information about the FireCluster hardware configuration, go to Connect the Hardware for a Cloud-Managed FireCluster.

Verify the FireCluster is Operational

To verify that the FireCluster is operational, in WatchGuard Cloud:

  1. Select Monitor > Devices.
  2. Select a Firebox.
    The Device Summary page for the selected Firebox opens.
  3. Select Live Status > FireCluster.
    The FireCluster page opens.
  4. Verify that both cluster members are up.

For more information about FireCluster monitoring, go to Monitor FireClusters.

Update Mobile VPN with IKEv2 Profiles

If you use Mobile VPN with IKEv2 with the FireCluster, make sure you generate new profiles and install them on your clients after you add the replacement Firebox to the cluster. For more information, go to Download the Mobile VPN with IKEv2 Client Profile.

Related Topics

About FireCluster in WatchGuard Cloud