Manage Device Configuration Deployment
Applies To: Cloud-managed Fireboxes, WatchGuard Cloud-managed Access Points
Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
When you save configuration changes for a cloud-managed device, the configuration settings are stored in WatchGuard Cloud.
When a device in the factory-default state first connects to WatchGuard Cloud, it receives the WatchGuard-defined initial configuration. The device receives the initial configuration as part of the first deployment. If a template is applied to the device before deployment of the initial configuration, the initial configuration is skipped and included as part of the next configuration update.
Scheduled Deployments
To create a configuration update for the device to download, you must schedule a deployment. You can schedule a deployment from the Deployment History page or from the message banner.
When you schedule a deployment, you can choose to deploy the current configuration immediately (Deploy Now), or specify a future date and time for the deployment. At the specified time, WatchGuard Cloud creates a configuration update for the device to download.
At the scheduled deployment time:
- WatchGuard Cloud creates a configuration update that contains all device configuration settings saved as of the deployment date and time.
- WatchGuard Cloud saves the configuration update to a cloud location where the device can connect to download it.
- WatchGuard Cloud notifies the device that a new configuration is ready to download.
- WatchGuard Cloud verifies that the Fireware version on the Firebox supports the features in the configuration update (Firebox only).
- If the device is connected to WatchGuard Cloud, it immediately tries to download and apply the configuration update.
If the device is not connected to WatchGuard Cloud at the scheduled deployment time, the device downloads and applies the configuration update the next time it connects.
Verify Supported Features on Firebox Configuration Deployment
On deployment, WatchGuard Cloud verifies that the Fireware version of a Firebox supports the features enabled in the configuration and enables you to upgrade the Fireware version if required. This verification makes sure that a Firebox configuration update takes place only if the Fireware version supports the features in the deployment, and offers steps to correct the deployment if the Fireware version does not support the feature.
When you deploy a configuration, you must upgrade the Fireware version or change the configuration when the Firebox:
- Runs a Fireware version that does not support a feature in the configuration update. You must upgrade the Fireware version of the Firebox to support the feature. If no Fireware upgrade that supports the feature is available for your Firebox model, you must remove the feature from the configuration update.
- Runs a Fireware version that does not support a feature in the update because the feature is deprecated. You must remove the deprecated feature from the configuration update.
When you select to upgrade the Fireware version, WatchGuard Cloud immediately upgrades the Fireware version of the Firebox to the latest version available for the Firebox model. If you are part of the WatchGuard Cloud Beta program, the Fireware version upgrades to the latest beta version, if applicable.
Feature support verification starts with the AuthPoint feature, which was introduced in Fireware v12.7.
Shared Configuration Deployments
There are three types of deployments that happen automatically when you make changes or deploy a shared configuration:
When you add, edit, or delete a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update for the cloud-managed Fireboxes. The automatic deployment contains the configuration settings from the last deployed configuration with the BOVPN settings added.
For more information about VPN configuration, go to Manage BOVPNs for Cloud-Managed Fireboxes.
If you use templates to configure shared settings for multiple cloud-managed Fireboxes, WatchGuard Cloud automatically deploys a template update to subscribed devices.
There are two types of template deployments:
- Template subscription update — You changed which templates a Firebox subscribes to
- Template update — You deployed changes to a template the Firebox subscribes to
Template deployments do not deploy other saved, undeployed changes for subscribed devices.
For more information about template deployment, go to Deploy Firebox Templates.
If you use sites to configure shared settings for multiple cloud-managed access points, WatchGuard Cloud can automatically deploy a site update to subscribed devices, or you can schedule the deployment for a future date and time to avoid potential disruption.
There are three types of site deployments:
- Site subscription update — You changed which site an access point subscribes to
- Site update — You deployed changes to a site the access point subscribes to
- VPN update — You deployed site changes that contain an Access Point VPN configuration. In this case, it also automatically deploys to the Firebox that is configured for the VPN.
Site deployments do not deploy other saved, undeployed changes for subscribed devices.
For more information about site deployment, go to Deploy an Access Point Site.
View the Deployment Status
From the Deployment History page, you can view information about previous deployments and create or update a scheduled deployment.
To open the Deployment History page:
- In WatchGuard Cloud, select Configure > Devices.
- Select the cloud-managed device.
- Click Deployment History.
For each deployment, the Deployment History page shows this information:
- Version — The configuration version. For a deployment that includes shared settings, a label might appear after the version number:
  - TEMPLATE — A deployment created when an operator deployed an update to a template configuration. Point to the label to show the name of the template configuration that was applied.
- Deployed — The date and time the configuration was created (the scheduled deployment time).
- Operator — The operator who scheduled the deployment.
- Description — The description of the deployed configuration version.
- Status — The status of whether the device successfully downloaded and applied the deployed configuration update:
  - Staged — The configuration update was created and is ready for deployment to a cloud-managed device. WatchGuard Cloud holds the configuration update until deployment. This status shows for devices that you change from locally-managed to cloud-managed until you deploy the configuration.
  - Succeeded — The device successfully downloaded and applied the configuration update.
  - Waiting for Initial Connection — The configuration update was created and is ready for the device to download and apply. This status appears for a cloud-managed device that has not yet connected to WatchGuard Cloud to download the configuration.
  - Waiting for Device — The configuration update was created and is ready for the device to download and apply. This could happen if the device is not connected to WatchGuard Cloud at the deployment date and time.
  - Skipped — The deployed configuration was superseded by a later deployment. If a previous deployment had the status Waiting for Device, and you deploy a newer configuration update, the status of the previous deployment changes from Waiting for Device to Skipped.
  - Failed — The device could not download or apply the deployed configuration. This could happen, for example, if something between the cloud-managed device and WatchGuard Cloud blocks DNS or other traffic required for the device to connect to download the configuration.
- Applied — The date and time the device applied the configuration.
If the device is in factory-default state when it first connects to WatchGuard Cloud and there is a template applied to the device, the initial configuration is Skipped and included as part of the next configuration update.
To compare configuration versions to view what changed between them, click Compare Versions. For more information, go to Compare Configuration Versions.
To view more details about deployment status, click the link in the Status column for that deployment.
To view a report of all settings in a deployed configuration, click the version number. Or, click and select View Configuration Report. For more information, go to View the Device Configuration Report.
Undeployed Saved Changes
If configuration changes were saved to the cloud after the last deployed configuration, the upper part of the Deployment History page shows that you have undeployed saved changes.
From the Deployment History page, you can:
- Schedule a deployment.
- Update a scheduled deployment.
- Delete a scheduled deployment.
- View the pending changes compared to the last deployment.
- Revert changes saved since the last deployment.
- Compare configuration versions.
The options available depend on whether a deployment is scheduled.
If there are saved changes but no deployment is scheduled
The Deployment History shows that you have undeployed saved changes.
- To view the pending changes in the undeployed configuration compared to the current deployed configuration, click View Pending Changes.
- To revert changes saved since the last deployment, click Revert Undeployed Changes.
- To schedule a new deployment, click Schedule Deployment.
- To compare the undeployed pending changes to the current deployed configuration, click Compare Versions. If there are no pending changes, you can compare the last two deployed configurations.
If a deployment is already scheduled
The Deployment History shows the date and time for the scheduled deployment.
- To view the pending changes in the undeployed configuration compared to the current deployed configuration, click View Pending Changes.
- To update the scheduled deployment, click Update Scheduled Deployment.
- To cancel the scheduled deployment, click Delete Scheduled Deployment.
Deployment Message Banners
When the device has undeployed changes saved to the cloud by any operator, the Device Configuration pages show a message banner. In the message banner, you can click a link to schedule or update a deployment.
If no deployment is currently scheduled, you can click the link to schedule a deployment.
If a deployment is already scheduled, you can click the link to update the schedule.
Schedule a Deployment
You can schedule a deployment from the message banner or the Deployment History page. When you schedule a deployment, you choose whether to deploy the currently saved configuration immediately, or to schedule the deployment for a future date and time. If you schedule a deployment for a future date and time, the deployed configuration will include all changes saved to the cloud as of the scheduled deployment time.
- On the Deployment History page or in the message banner, click Schedule Deployment.
The Schedule Deployment dialog box opens.
- In the Schedule Deployment dialog box, select Deploy Changes Now.
- In the Description text box, type a description for this deployment.
- Click Deploy.
The deployment wizard performs a check to determine the Fireware version (Firebox only). If a Fireware version upgrade is not necessary, the changes are deployed to the cloud for the device to download.
- (Firebox only) If a feature in the deployment is not supported by the current Fireware version on the Firebox, you have the option to upgrade the Fireware version so that it supports the feature.
If the Fireware version on the Firebox cannot support a feature and an applicable Fireware upgrade is not available, you are prompted to remove the feature from the deployment instead.
- To upgrade, click Upgrade and Deploy Now.
WatchGuard Cloud immediately upgrades the Fireware version of the Firebox to the latest version available for the Firebox model. After the upgrade, the Firebox restarts, and the deployment takes place.
- To refuse the Fireware upgrade, click Cancel. No configuration update or deployment takes place. You can remove the Fireware-dependent feature from the deployment and try again.
If you selected to upgrade the Fireware version, you can review the upgrade progress from Device Settings.
- Click Close.
- On the Deployment History page or in the message banner, click Schedule Deployment.
The Schedule Deployment dialog box opens.
- In the Schedule Deployment dialog box, select Schedule Deployment.
- Type or select the Date and Time to schedule the deployment.
The time is based on a 24-hour clock.
- In the Description text box, type a description for this deployment.
- Click Deploy.
The deployment wizard performs a Fireware version check to determine the Fireware version of the Firebox (Firebox only).
A confirmation message opens, with the date and time of your scheduled deployment.
- (Firebox only) If a feature in the deployment is not supported by the current Fireware version on the Firebox, you have the option to upgrade the Fireware version so that it supports the feature.
If the Fireware version on the Firebox cannot support a feature and an applicable Fireware upgrade is not available, you are prompted to remove the feature from the deployment instead.
- To upgrade, click Upgrade and Deploy Now.
At the scheduled time, WatchGuard Cloud upgrades the Fireware version of the Firebox to the latest version available for the Firebox model. After the upgrade, the Firebox restarts, and the deployment takes place.
If you selected to upgrade the Fireware version, you can review the upgrade progress from Device Settings.
- To refuse the Fireware version upgrade, click Cancel. No configuration update or deployment takes place. You can remove the Fireware-dependent feature from the deployment and try again.
- Click Close.
Update a Scheduled Deployment
You can update a scheduled deployment any time before the scheduled time for the deployment.
To edit the scheduled deployment, use one of these methods:
- On the Deployment History page, click Update Scheduled Deployment.
- In the message banner, click Update.
- In the Schedule Deployment dialog box, select Deploy changes now.
- Click Update.
The deployment wizard performs a check to determine the Fireware version of the Firebox (Firebox only).
A confirmation message opens.
- Click Close.
- In the Schedule Deployment dialog box, edit the Date and Time to schedule the deployment.
The time is based on a 24-hour clock.
- Click Update.
The deployment wizard performs a check to determine the Fireware version of the Firebox (Firebox only).
A confirmation message opens, with the updated date and time of your scheduled deployment.
- Click Close.
Delete a Scheduled Deployment
You can delete a scheduled deployment any time before the scheduled time for the deployment. When you delete a scheduled deployment, it does not affect the device configuration saved in the cloud.
To delete a scheduled deployment:
- On the Deployment History page, click Delete Scheduled Deployment.
A confirmation message opens.
- To confirm that you want to delete this deployment, click Delete.
The upper part of the page updates to show that you have undeployed saved changes.
Audit Trail Report
You can also view an Audit Trail Report that shows information about Firebox configuration deployment changes. The Audit Trail Report is available for both cloud-managed and locally-managed Fireboxes. For more information, go to Audit Trail Report.
Revert to a Previous Device Deployment