Deploy Firebox Templates

Applies To: Cloud-managed Fireboxes This topic applies to Fireboxes you configure in WatchGuard Cloud.

Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

After you make changes to template settings, you must deploy the template to deploy the settings to subscribed devices.

When you deploy a template, three things happen:

1. The saved template settings are deployed to the cloud.
2. WatchGuard Cloud verifies that the Fireware version on the subscribed device supports the features enabled in the template.
3. Template settings are deployed to all subscribed devices.

A template deployed to each subscribed device includes the most recent previously deployed device configuration for that device plus the settings from the template.

If a template does not have any subscribed devices, it is still important to deploy template changes so that devices that subscribe to the template in the future get the latest updates to the template.

Verify Supported Features on Firebox Template Deployment

On template deployment, WatchGuard Cloud verifies that the Fireware version on the Firebox supports the features enabled in the template configuration, and enables you to upgrade the Fireware version if required. This verification makes sure that the Firebox can subscribe to a template only if the Fireware version supports the features in the template, and offers steps to correct the template deployment if the Fireware version does not support the feature.

To subscribe a Firebox to a template, you must upgrade the Fireware version or change the configuration when the Firebox:

• Runs a Fireware version that does not support a feature in the template. You must upgrade the Fireware version of the Firebox to support the feature. If no Fireware upgrade that supports the feature is available for your Firebox model, you must remove the feature from the template.

• Runs a Fireware version that does not support a feature in the template because the feature is deprecated. You must remove the deprecated feature from the template.

When you select to upgrade the Fireware version, WatchGuard Cloud immediately upgrades the Fireware version of the Firebox to the latest version available for the Firebox model. If you are part of the WatchGuard Cloud Beta program, the Fireware version upgrades to the latest beta version, if applicable.

Feature support verification starts with the AuthPoint feature, which was introduced in Fireware v12.7.

Deploy a Template From the Notification Banner

After you update settings in a Firebox template, the Configuration Details tab in the template shows a message banner that indicates that you have undeployed saved changes.

To deploy a Firebox template, from WatchGuard Cloud: 

1. Configure the template settings and save the changes. For more information about template settings, go to Manage Firebox Templates.
   After you save a configuration change, a message banner shows that the template has undeployed saved changes.
2. To deploy the template, in the message banner, click Schedule Deployment.
   The Schedule Deployment dialog box opens.

3. In the Description text box, type a description of the settings you configured.
4. Click Deploy.
   The wizard determines the Fireware version on the Firebox and if you must upgrade to support features in the template. If a Fireware version upgrade is not necessary, the template is immediately deployed to the cloud for the device to download, and a confirmation dialog box appears with the time and date of the deployment.
5. If the Fireware version check determines that a feature in the template is not supported by the current Fireware version on the Firebox, you have the option to upgrade so that it supports the feature.

If the Fireware version on the Firebox cannot support a feature and an applicable upgrade is not available, you are prompted to remove the feature from the template instead.

• To upgrade, click Upgrade Now and Deploy.
  WatchGuard Cloud immediately upgrades the Fireware version of the Firebox to the latest version available for the Firebox model. After the upgrade takes place, the Firebox restarts, and the template is deployed to the Firebox.

If you selected to upgrade the Fireware version, you can review the upgrade progress from Device Settings.

• To refuse the Fireware version upgrade, click Cancel. No configuration update or deployment takes place. You can remove the Fireware-dependent feature from the deployment and try again.

6. Click Close.

View the Template Deployment History

For each template, the Deployment History tab shows the deployment of the initial configuration, when the template was added, and each subsequent deployment to the cloud.

When you add a new template, Version 1 is deployed automatically, and includes only the template Name and Description.

Manage Template Deployment from the Deployment History

If a template has saved configuration changes that are not deployed to the cloud, the Deployment History page shows that you have undeployed changes. From this section you can deploy or revert the undeployed saved template changes.

To revert undeployed saved template changes, from WatchGuard Cloud:

1. In the Deployment History, click Revert Changes.
   This option is available only if there are undeployed saved changes.
2. In the confirmation dialog box, click Revert.
   The template configuration settings in WatchGuard Cloud revert to the settings from the last deployed configuration.

To deploy the saved template changes, from the Deployment History tab:

1. In the Deployment History, click Schedule Deployment.
   The Schedule Deployment dialog box opens.

2. In the Description text box, type a description of the settings you configured.
3. Click Deploy.
   The wizard determines the Fireware version on the Firebox and if you must upgrade to support features in the template. If a Fireware version upgrade is not necessary, the template is immediately deployed to the cloud for the device to download, and a confirmation dialog box appears with the time and date of the deployment.
4. In the confirmation dialog box, click Close.

After you deploy or revert undeployed saved changes, the Pending Changes section is no longer shown on the Deployment History page for the template.

View Template Deployment Status

In the Deployment History tab for a template, the Creation Status column indicates the status of the template deployment to the cloud. Succeeded indicates that the saved template configuration changes are deployed to the cloud for deployment to subscribed devices. When a template deploys to the cloud, it creates a Deployment Status for each template configuration version.

To view the deployment status of a template configuration version, from WatchGuard Cloud:

1. Select Configure > Firebox Templates.
2. Select a template.
3. Select the Deployment History tab.
   The Deployment History page opens.

4. From the Deployment Status column, in the relevant template Version row, click Status Page.
   The Deployment Status page opens for the selected template configuration version.

For accounts with many templates, it might take several seconds for the status to update for each template. You can continue your actions on this page while the status continues to load.

5. (Optional) The Deployment Status column indicates the status of each device in the template deployment. Click a tile to filter the list of devices by deployment status. Each tile shows the number of devices for a deployment status type.

Click to download a CSV file that reports the template deployment status of devices.

Filter by Deployment Status Type

You can clickto filter the list of devices by deployment status. You can filter the list by these deployment statuses:

Succeeded

The device successfully downloaded and applied the configuration update.

Failed

The device could not download or apply the deployed configuration. For example, a DNS name resolution error, duplicate template names, or failure to apply the configuration might be the cause of a Failed status.

Skipped

The deployed configuration was superseded by a later deployment.

Staged

The configuration update was created and is ready for deployment to a device. WatchGuard Cloud holds the configuration update until deployment. Deployment results in either a Succeeded, Failed, or Skipped status.

Waiting for Device

The configuration update was created and is ready for the device to download and apply.

To filter devices by template deployment status:

1. Click to filter the list by deployment status.
2. From the list of device statuses, select a status or statuses.
3. Click Apply Filters.

View Template Deployment Details for a Device

You can view the template deployment details for a specific cloud-managed Firebox.

To view template deployment details for a device, from WatchGuard Cloud:

1. Select Configure > Firebox Templates.
2. Select a template.
3. Click the Deployment History tab.
   The Deployment History page opens.
4. From theDeployment Status column, in the relevant template version row, click Status Page.
   The Deployment Status page opens for the configuration version.
5. From the Deployment Status column, in the relevant device row, click the status.

The Deployment Detail dialog box opens with information about the template deployment status for the device.

View the Template Configuration Report

To view the configuration deployed for each template version, you can use the template Configuration Report.

For information on how to compare consecutive configuration versions, go to Compare Configuration Versions.

To view the Configuration Report for a template:

1. In the Deployment History, click the version number. Or, click and select View configuration report.
   The Configuration Report opens. The upper part of the report shows the configuration version number.

2. To go to a section of the report, click Go To Section, and click a section name.
   The Configuration Report for a template only includes sections for the settings you can configure in the template.
3. To print the report, click .
4. To return to the Deployment History tab, at the end of the report, click Back.

View the Template Deployment Status for a Subscribed Device

When you deploy a template, the changes are automatically deployed to all devices that subscribe to the template. The Firebox must connect to WatchGuard Cloud to download and apply the update.

A template deployment to subscribed devices does not deploy other saved undeployed changes for those devices.

To review template deployment status for a subscribed device, from WatchGuard Cloud:

1. Select Configure > Devices.
2. Select the cloud-managed Firebox.
3. Click Deployment History.
   In the Deployment History, a template deployment has the TEMPLATE label in the Version column.

To view the name of the updated template that was deployed for a device:

1. In the Firebox Deployment History, click the version number. Or, click and select View configuration report.
2. At the upper part of the configuration report, hover over the Template label.

If you change the template subscription from the Firebox device configuration, the Deployment History for the device shows an entry with the description "Template subscription update".

You cannot revert a device to a Firebox template configuration deployment, but you can revert to a configuration for deployments previous to the template deployment.

For more information about the deployment history, go to Manage Device Configuration Deployment. For information about how to compare configuration files, go to Compare Configuration Versions.

Related Topics

About Firebox Templates

Video tutorial: Cloud-Managed Firebox Templates