Firebox Migration to Cloud Management Guide
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
WatchGuard Cloud enables you to view and manage your products and services in one place. You can set up your devices and configure and manage security and networking policies across multiple Fireboxes with flexible templates.
This guide describes the procedures and best practices to help you change your locally-managed Fireboxes to cloud management in WatchGuard Cloud.
There are two ways you can manage a Firebox in WatchGuard Cloud:
- Firebox Management in WatchGuard Cloud (Cloud Management) — When a Firebox is cloud-managed, you fully manage the configuration and monitor for visibility and reporting in WatchGuard Cloud. You no longer manage the device configuration with Fireware Web UI or WatchGuard System Manager.
- Firebox Visibility and Reporting in WatchGuard Cloud (Local Management) — When you add a locally-managed Firebox to WatchGuard Cloud, you continue to configure the device locally from Fireware Web UI or WatchGuard System Manager, but you can monitor live status, view log messages and reports, and perform firmware upgrades from WatchGuard Cloud.
To more easily change Fireboxes from local management to cloud management, we recommend you first add your locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting. With this method, it is easier to change a Firebox to cloud management because the device is already available in WatchGuard Cloud, and you can gradually change your devices. For more information, go to Add a Locally-Managed Firebox to WatchGuard Cloud.
Use the steps in the Migrate Fireboxes to WatchGuard Cloud — Checklist to plan your change to cloud management.
- Plan the Change to Cloud Management — Review your current locally-managed Firebox configurations and plan how to change to cloud management.
- Set Up WatchGuard Cloud — Before you change to cloud management, set up your WatchGuard Cloud account, operators, and managed accounts.
- Plan and Set Up Templates and Configuration Settings — After you add your Fireboxes to WatchGuard Cloud, set up templates and configuration settings for the devices.
- Change Locally-Managed Fireboxes from Visibility to Cloud-Managed — After you build the Firebox configuration in WatchGuard Cloud, change your Firebox to cloud management.
- Test the Firebox After Change to Cloud Management — Test the device to make sure that your Firebox works as expected.
We recommend you select a locally-managed Firebox as an initial test device to change to cloud management. Create a cloud configuration with a base configuration that includes common settings for your Fireboxes, and then use Firebox templates to configure additional policies and services, as required. When you change other Fireboxes to cloud management, you can copy the configuration settings from this initial cloud-managed Firebox.
These are the steps to change a locally-managed Firebox to cloud management:
Before you change a Firebox to cloud management:
- Make sure you save a backup of the most recent configuration file of your locally-managed Firebox. This enables you to restore the backup configuration if you have to revert the Firebox to local management during the change to cloud management.
- We recommend that you upgrade your locally-managed Firebox to the latest Fireware release before you change the device to cloud management. At minimum, the Firebox must run Fireware v12.5.7 or Fireware v12.6.4 or higher, depending on the Firebox model. For more information about Fireware requirements for cloud management, go to Fireware Requirements.
We recommend you first add your locally-managed Fireboxes to WatchGuard Cloud for visibility and reporting. This enables you to more easily move Fireboxes from local management to cloud management.
- When you add the Firebox to WatchGuard Cloud for visibility and reporting, you continue to manage and configure the Firebox locally from Fireware Web UI or WatchGuard System Manager, but use WatchGuard Cloud for monitoring and reports.
- This enables you to more easily change your Fireboxes to cloud management because the devices are already in WatchGuard Cloud, and you can move each Firebox in your deployment to cloud management when you are ready.
- After you add a locally-managed Firebox to WatchGuard Cloud, run the Policy Usage Report for the device to determine how your current policies are used, identify unused policies you can remove, and find common policies that you can consolidate before you change the Firebox to cloud management.
When you are ready to move your Fireboxes to cloud management, you can click the Change to Cloud Management button for the device in WatchGuard Cloud.
For an example of this procedure, go to Example: Change a Locally-Managed Firebox to Cloud Management with Copy Configuration.
- When you change to cloud management, you can no longer administer the device locally with WatchGuard System Manager (WSM). Fireware Web UI is still available but simplified for cloud-managed devices and enables you to perform only basic administration and diagnostic tasks.
- When you update the passwords for the Firebox during the change to cloud management, the new passwords take effect immediately. If you back out of the process and revert the device to local management, these passwords also become the new passwords for local management.
- Until you make the first cloud configuration deployment, the device continues to run in its current configuration. This enables you to take your time to complete your configuration in WatchGuard Cloud before you deploy the cloud configuration to the device.
- You must create a new configuration for the device in WatchGuard Cloud. You cannot convert an existing locally-managed Firebox configuration to WatchGuard Cloud while you make the initial change to cloud management.
- To help simplify the configuration process when you move the device to cloud management, you can copy configuration settings from an existing cloud-managed Firebox. This provides a ready-made configuration that contains general settings and policies appropriate for your network.
  - The cloud-managed Firebox to copy from must be in the same WatchGuard Cloud account.
  - You can only copy between cloud-managed devices that have the same valid security subscription license.
  - All network settings, wireless settings, device policies, and Firebox template subscriptions are copied.
  - Review your network settings, including internal, external, and any wireless interfaces, before you deploy the configuration.
  - Make sure you review the list of settings that are not copied to the new device.
- After you move the Firebox to cloud management, you can also import some settings from the configuration file of a locally-managed Firebox. These settings include: Aliases, Exceptions, Routes, Blocked Ports, Blocked Sites, Dimension Servers, Syslog Servers, and Technology Integrations.
- Deploy the cloud-managed configuration to the Firebox.
The original configuration of your locally-managed Firebox remains on the device until you deploy the cloud-managed configuration.
- After conversion, test your Firebox to make sure that the device works as expected with your cloud configuration.
For more information, go to Change a Locally-Managed Firebox to Cloud Management.
In this example, we change a locally-managed Firebox that has already been added to WatchGuard Cloud for visibility and reporting to cloud management, and copy the configuration from another existing cloud-managed Firebox.
To change a locally-managed Firebox to cloud management and copy the configuration from another cloud-managed Firebox:
- In Fireware Web UI or WSM, log in to your locally-managed Firebox and download the most recent configuration file as a backup.
- Log in to your WatchGuard Cloud account.
For Service Provider accounts, from Account Manager, select My Account.
- Select Configure > Devices.
- Select the Firebox you want to change to cloud management.
The Device Settings page opens.
- Make sure the Firebox runs the latest version of Fireware. You can click the Upgrade Firmware link to upgrade the Firebox.
- In the Cloud Management section, click Change to Cloud Management.
- Confirm that you want to change to cloud management.
Caution: When you advance to the next step and the Add Device wizard starts, you can no longer make configuration changes to the Firebox configuration with Fireware Web UI or WatchGuard System Manager.
- Select the Copy a configuration from another cloud-managed Firebox option, then click Next.
- Select the cloud-managed Firebox you want to copy the configuration from, then click Next.
Make sure you review the list of settings that are not copied and require manual configuration in WatchGuard Cloud, such as VPN settings and device certificates.
- Enter the Device Name, select a Time Zone, and select the folder location for the device in WatchGuard Cloud. Click Next.
- If you have a wireless-capable Firebox, configure the wireless SSID network names and passphrases, then click Next.
- Set the Status and Admin passwords for Fireware Web UI access, then click Next.
Caution: If you have to back out of the change to cloud management and revert the device to local management, you must use these new credentials to log in to the device with Fireware Web UI or WatchGuard System Manager.
- Click Next.
- Review the device configuration and make changes as necessary:
  - The current local configuration remains active until you deploy the cloud-managed configuration. The configuration to deploy appears in the Deployment History page with the description Initial Deployment and a status of Staged.
  - Make sure you review the external and internal network interfaces, network settings, wireless settings, and VPN settings, if applicable, in the cloud-managed configuration before you deploy. If you require more than one external interface or the external interface is physically connected to another port, manually configure the interface before you schedule the deployment.
  - Review your Firebox template subscriptions.
  - Add any policies that you require on the device.
- To deploy the configuration, click Schedule Deployment.
For more information, go to Manage Device Configuration Deployment.
WatchGuard Cloud automatically creates a deployment history of all scheduled deployments. The new cloud-managed configuration replaces the locally-managed configuration on the Firebox.
If you must revert the device to local management before the change to cloud management successfully completes (for example, if you encounter web browser or connection issues), you can click Remove in the Cloud Management section of the Device Settings page to remove the device from cloud management.
Caution: Do not click Remove in the Remove Device section because this removes the device completely from WatchGuard Cloud instead of from cloud management.
If you remove the Firebox from cloud management before the first configuration deploys to the device, no configuration changes are applied to the device and you can manage the Firebox locally again from WatchGuard System Manager or Fireware Web UI.
If you changed the admin and status user passwords in the Add Device wizard, these passwords become the new passwords for Fireware Web UI and WatchGuard System Manager when you revert to local management.