firebox cloud deployment guide - watchguard · aboutaws...

Firebox Cloud

Deployment Guide

Firebox Cloud for AWS and Microsoft Azure

About This GuideThe Firebox Cloud Deployment Guide is a guide for deployment of aWatchGuard Firebox Cloud virtualsecurity appliance. For themost recent product documentation, see the Fireware Help on theWatchGuardwebsite at https://www.watchguard.com/wgrd-help/documentation/overview.Information in this guide is subject to change without notice. Companies, names, and data used inexamples herein are fictitious unless otherwise noted. No part of this guidemay be reproduced ortransmitted in any form or by any means, electronic or mechanical, for any purpose, without the expresswritten permission of WatchGuard Technologies, Inc.Guide revised: 11/22/2019

Copyright, Trademark, and Patent InformationCopyright © 1998–2019WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade namesmentioned herein, if any, are the property of their respective owners.Complete copyright, trademark, patent, and licensing information can be found in the Copyright andLicensing Guide, available online at https://www.watchguard.com/wgrd-help/documentation/overview.

About WatchGuardWatchGuard® Technologies, Inc. is a global leader in networksecurity, providing best-in-class Unified Threat Management,Next Generation Firewall, secure Wi-Fi, and network intelligenceproducts and services to more than 75,000 customers worldwide.The company’s mission is to make enterprise-grade securityaccessible to companies of all types and sizes through simplicity,making WatchGuard an ideal solution for Distributed Enterprisesand SMBs. WatchGuard is headquartered in Seattle,Washington, with offices throughout North America, Europe, AsiaPacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, followWatchGuard on Twitter, @WatchGuard on Facebook, or onthe LinkedIn Company page. Also, visit our InfoSec blog,Secplicity, for real-time information about the latest threatsand how to cope with them at www.secplicity.org.

Address505 Fifth Avenue SouthSuite 500Seattle, WA 98104

Supportwww.watchguard.com/supportU.S. and Canada +877.232.3531All Other Countries +1.206.521.3575

SalesU.S. and Canada +1.800.734.9905All Other Countries +1.206.613.0895

ii Firebox Cloud Deployment Guide

https://www.watchguard.com/wgrd-help/documentation/overview

https://www.watchguard.com/wgrd-help/documentation/overview

Firebox Cloud Deployment Guide iii

Contents

Introduction to Firebox Cloud 1

About Firebox Cloud 1

Firebox Cloud Use Cases 2

Protect Virtual Servers 2

BranchOffice VPN 2

Mobile VPN Gateway 2

About Microsoft Azure 3

About AWS 4

Firebox Cloud License Options 5

License Types 5

Licensed Security Services 6

Deploy Firebox Cloud on Microsoft Azure 7

Identify your Firebox Cloud Software Plan and License Type 7

Create a Key Pair for SSH Authentication 7

Deploy Firebox Cloud 9

Find the Instance ID (VM ID) 12

Activate your Firebox Cloud License 12

Run the Firebox Cloud SetupWizard 13

Connect to FirewareWebUI 14

Add the Feature Key 15

Next Steps 16

Enable Feature Key Synchronization 16

Configure Firebox Cloud to Send Feedback toWatchGuard 16

Configure Firewall Policies and Services 17

Deploy Firebox Cloud on AWS 19

Before You Begin 19

Firebox Cloud Deployment Guide iv

Deployment Overview 19

Create a VPC with Public and Private Subnets 20

Terminate the NAT Instance 23

Create an Instance of Firebox Cloud 24

Select or Create a Key Pair for SSH Authentication 28

Disable Source/Destination Checks 30

Assign an Elastic IP Address to the External Interface 31

Configure the Default Route 32

Verify the Instance Status 33

Activate your Firebox Cloud License (BYOLOnly) 33

Run the Firebox Cloud SetupWizard 34

Connect to FirewareWebUI 35

Add the Feature Key (BYOLOnly) 36

Next Steps 37

Enable Feature Key Synchronization 37

Configure Firebox Cloud to Send Feedback toWatchGuard 37

Configure Firewall Policies and Services 38

Firebox Cloud Feature Differences 39

Administration 39

Licensing and Services 39

Network Interfaces 39

Default Firebox Configuration 40

Fireware Features 40

See Firebox Cloud VM Information 42

VM Information in FirewareWebUI 42

The Front Panel Dashboard 42

The VM Information System Status 2

The Interfaces Dashboard 43

Firebox Cloud Deployment Guide v

VM Information in Firebox SystemManager 44

Use Firebox Cloud to Protect a Web Server 45

Step 1 — Launch an Instance of Firebox Cloud 45

Step 2 — Add A Static NAT Action 46

Step 3 — Add HTTP and HTTPS Proxy Policies 47

Add an HTTP-Proxy Policy 47

Add an HTTPS-Proxy Policy 48

Import a Proxy Server Certificate 50

Step 4 — Enable Subscription Services 51

Enable Gateway AntiVirus 51

Enable Intrusion Prevention Service (IPS) 51

Enable Botnet Detection 51

Enable Data Loss Prevention 52

Configure Threat Detection and Response 52

Configure Geolocation 53

Enable Logging for Firebox Cloud 53

Configure Logging toWatchGuard Cloud 53

Configure Logging to Dimension 54

Changes that Require a Firebox Cloud Reboot 55

Administer Firebox Cloud with the CLI 56

Reset the Firebox to Factory-Default Settings 56

Additional Resources 57

Firebox Cloud Deployment Guide vi

Introduction to Firebox Cloud

TheWatchGuard® Firebox security platform delivers unparalleled unified threat management, superiorperformance, ease of use, and value for your growing network. Fireware OS andWatchGuard securityservices give you fully integrated protection from spyware, viruses, worms, trojans, web-based exploits,and blended threats. From firewall and VPN protection, to secure remote access, WatchGuard devicessupport a broad range of network environments.

About Firebox CloudFirebox Cloud brings the proven features and services of the Firebox to the AmazonWeb Services (AWS)andMicrosoft Azure cloud computing platforms. Firebox Cloud uses the same powerful Fireware OS andmost of the same subscription services available on other Firebox models. You can use Firebox Cloud toprotect servers deployed on your private cloud, and you can use it as a secure VPN endpoint forconnections to resources on your virtual network.

For greater visibility into the status of traffic and security on your virtual network, you can useWatchGuardDimension tomonitor Firebox Cloud. The Firebox Cloud BYOL license also includes a license forWatchGuard Cloud. After you activate aWatchGuard Cloud BYOL license, you can add the Firebox Cloudinstance to yourWatchGuard Cloud account.

Firebox Cloud is available for AWS andMicrosoft Azure cloud computing platforms.

Firebox Cloud Deployment Guide 1

Firebox Cloud Use CasesYou can use Firebox Cloud to protect any virtual network on AWS or Azure. These use cases describesome of the ways you can use Firebox Cloud to add security to your virtual network.

Protect Virtual ServersTo provide protection to one or more virtual servers that are accessible from the Internet, you can install aFirebox Cloud instance. Your instance of Firebox Cloud is then the gateway for inbound connections to yourservers from the internet. You configure policies and security services on your instance of Firebox Cloud tocontrol traffic to your virtual servers.

For a summary of how to configure policies and services on Firebox Cloud for inbound connections to aprotected web server, see Use Firebox Cloud to Protect aWeb Server.

Branch Office VPNYou can configure your Firebox Cloud as a branch office VPN (BOVPN) gateway endpoint so you canmaintain a secure VPN connection between your virtual network resources and other networks protected bya Firebox or compatible VPN gateway endpoint. You can also configure your Firebox Cloud as a BOVPNover TLS Server or Client. Firebox Cloud supports all the same VPN features as other Firebox models.

Mobile VPN GatewayYou can also enable Firebox Cloud to accept VPN connections from SSL, IPSec, IKEv2, and L2TP mobileVPN clients, and configure policies to control user and group access to your protected AWS networkresources.


2 Firebox Cloud Deployment Guide


About Microsoft AzureMicrosoft Azure is Microsoft's cloud computing platform that provides datamanagement, compute,networking and performance services at a variable cost based on the resources you use. If you are new toAzure, youmust understand the Azure terms and concepts in this section before you deploy Firebox Cloud.

Virtual Network (Vnet)An Azure Virtual Network is a logically isolated private virtual network environment in the Azurecloud. Firebox Cloud, and the virtual servers it protects, are all virtual machines that you deploy in aVirtual Network.

Virtual Machine Image (VHD)A VHD file is a virtual hard disk image that contains a VM image. Firebox Cloud is distributed as aVHD file that you can use to deploy one or more Firebox Cloud instances.

Storage AccountMicrosoft Azure Storage is aMicrosoft-managed cloud service that provides storage. The FireboxCloud VHD is stored in a container in your Storage Account.

ResourceA manageable item available through Azure. For example, a virtual machine, storage account, andvirtual machine are each resources.

Resource GroupA group of Azure resources that youmanage as a group. When you add a storage account, youspecify the resource group it belongs to. Each resource can belong to only one group.

TemplateAn Azure template is a JSON file that defines the resources and settings required to deploy anapplication. To deploy Firebox Cloud, you fill out the required settings and specify required resourcesdefined in the Firebox Cloud template.

VM ID (Instance ID)The VM ID, or instance ID, is a unique identifier associated with an Azure virtual machine instance.For Firebox Cloud you use the instance ID to activate your Firebox Cloud license on theWatchGuardwebsite. The Instance ID is also the default admin passphrase you use to connect to Firebox Cloudto run the setup wizard.

Regions and Availability ZonesMicrosoft Azure has several regions around the world. Each region contains several AvailabilityZones. Youmust specify the region when you deploy a Firebox Cloud instance.


About AWSAmazonWeb Services (AWS) is a flexible, on-demand, cloud services platform that provides computepower, networking, database storage, and other services at a variable cost based on the resources you use.If you are new to AWS, youmust understand the AWS terms and concepts in this section before you deployFirebox Cloud.

Amazon Virtual Private Cloud (VPC)An Amazon VPC is a logically isolated private virtual network environment in the AWS cloud.Firebox Cloud, and the virtual servers it protects, are all virtual machines that you deploy in a VPC.

Amazon Elastic Compute Cloud (EC2)Amazon EC2 is a virtual server hosting service that provides scalable computing capacity in theAWS cloud

AmazonMachine Image (AMI)An AMI is a virtual machine template that you use to deploy a virtual server in AWS. Firebox Cloud isdelivered as an .AMI file that you use to deploy Firebox Cloud in your AWS VPC.

EC2 InstanceTo launch one or more EC2 instances, you use an .AMI file. Each instance is a copy of the .AMI thatruns as a virtual server. When you launch a new instance, you select the instance type, whichdetermines the amount of CPU, storage, and network capabilities assigned to the instance. FireboxCloud runs as an EC2 instance in your Amazon VPC. Each instance has a unique Instance ID.

Elastic IP Address (EIP)An Elastic IP address is a static public IP address that you can assign to an EC2 instance. First, youallocate an Elastic IP address to a VPC, and then you associate it with an EC2 instance in the VPC.For Firebox Cloud, you allocate an Elastic IP address for the external interface.

Security GroupThe security group is a virtual firewall that controls which inbound and outbound traffic is allowed toreach the associated instances. In the security group, you define rules that control what traffic toallow. When you launch an instance, youmust specify at least one security group.

AWS Regions and Availability ZonesAWS has multiple AWS Regions. Each region contains several Availability Zones. A VPC cancontain subnets in different Availability Zones.



Firebox Cloud License Options


Firebox Cloud is available in both theMicrosoft AzureMarketplace and AWS Marketplace with two licenseoptions.

License TypesBring Your Own License (BYOL)

With this license option, you pay Microsoft or Amazon for the virtual machine instance and resourcesit uses. You then purchase a license for Firebox Cloud separately from an authorizedWatchGuardreseller. For Firebox Cloud with a BYOL license, youmust activate a license key for Firebox Cloudon theWatchGuard website. Then, add the feature key to your Firebox Cloud instance, whichenables you to configure all the licensed features. This feature key is unique to that instance and hasan expiration date. You can purchase a renewal from an authorizedWatchGuard reseller.

After you activate the BYOL license, you can add the Firebox Cloud instance to yourWatchGuardCloud account.

For more information, see Add a Firebox toWatchGuard Cloud.

The feature key is valid only for the instance ID you specify when you activate thelicense. If you want to move your Firebox Cloud license to a different instance of FireboxCloud, youmust contact WatchGuard customer care to help you activate the license fora different instance ID.

You can purchase a Firebox Cloud for one of four models. Themodels are based on themaximumnumber of CPUs that Firebox Cloud uses.

Firebox Cloud Model Maximum AWS vCPUs or Azure CPU Cores

Small 2

Medium 4

Large 8

Extra Large 16

If you deploy Firebox Cloud on a virtual machine with more CPUs than the Firebox Cloudmodelsupports, Firebox Cloud uses only the supportedmaximum number of CPUs.


https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/device_add_to_cloud.html

Hourly / Pay As YouGo (PAYG)With this license option, the cost of the license for Firebox Cloud and all security services is includedin the price charged by Amazon or Microsoft. This provides a perpetual license with no fixedexpiration date. There is no need to purchase, activate, or renew a separate license fromWatchGuard.

The Azure Firebox Cloud (PAYG) option includes a 30 day free trial. For the 30 day trial period, thereare no hourly software charges. Azure infrastructure charges still apply. After the 30 day trial expires,the instance converts to a paid hourly subscription.

To switch a Firebox Cloud instance from one license type to another, youmust deploy anew instance andmove the configuration to the new instance. For information about howtomove a Firebox configuration, seeMove a Configuration to a New Firebox.

Licensed Security ServicesFirebox Cloud supports theseWatchGuard security services:

n Access Portal (requires Fireware v12.1 or higher)

n Application Control

n APT Blocker

n Botnet Detection

n Data Loss Prevention

n DNSWatch (supported with a BYOL license only)

n Gateway AntiVirus / Intelligent AntiVirus

n Geolocation

n Intrusion Prevention Service (IPS)

n Reputation Enabled Defense

n spamBlocker andQuarantine Server (requires Fireware v12.2 or higher)

n Threat Detection and Response (TDR Host Sensor licenses included with a BYOL license only)

n WatchGuard Cloud Visibility (supported with a BYOL license only)

n WebBlocker

WatchGuard Cloud with an Hourly / Pay As YouGo license does not supportWatchGuard Cloud or DNSWatch, and does not include TDR Host Sensor licenses.



https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/config_file_use_new_model_wsm.html

Deploy Firebox Cloud on Microsoft Azure


Before you can create a Firebox Cloud virtual machine, youmust create aMicrosoft Azure account. Whenyou set up your account, you specify billing information and the credentials you use to connect to theMicrosoft Azure portal. Firebox Cloud requires a storage account. You can create a storage account beforeyou deploy Firebox Cloud, or you can create one as part of the deployment.

Identify your Firebox Cloud Software Plan and License TypeWhen you create a Firebox Cloud VM in Azure, you select one of these two software plans.

Firebox Cloud (BYOL)With the Bring Your Own License (BYOL) software plan, you purchase a Firebox Cloud license for aspecified size, Small, Medium, Large, or Extra Large. The Firebox Cloud license defines themaximum number of Azure CPU cores that the Firebox Cloud VM can use.

When you create a Firebox Cloud (BYOL) VM, you select a License Type. To deploy your VM withappropriate resources, select the License Type that matches your Firebox Cloud license size.

Firebox Cloud (PAYG)With the Pay As YouGo (PAYG) software plan, you do not purchase a Firebox Cloud license. ThePAYG option includes a 30 day free trial.

For more information about license options and trials, see Firebox Cloud LicenseOptions.

Create a Key Pair for SSH AuthenticationBefore you create a Firebox Cloud instance, youmust generate an SSH-2 RSA public key / private key pair.You can use a tool such as puttygen, or ssh-keygen command in Linux to generate the key pair.

n Use the public key when you deploy your Firebox Cloud instance.

n Use the private key for ssh connections to the Fireware command line interface (CLI) for your FireboxCloud instance.


To use the puttygen utility to generate an SSH-2 RSA key pair:

1. Download and install the PuTTYgen utility available from www.putty.org.

2. Start PuTTYgen.

3. Click Generate.

4. Move themouse over the blank area to generate some randomness.PuTTYgen uses themousemovements as input to generate the keypair.

5. To save the generated public key to a file, click Save public key.

6. (Optional) Specify a passphrase to protect the private key file.

7. To save the generated private key to a file, click Save private key.

Save the private key in a secure location. Youmust provide the private key to connect tothe Fireware command line interface.



http://www.putty.org/


Deploy Firebox CloudTo create the Firebox Cloud instance:

1. Log on to the Azure portal with your Microsoft Azure account credentials.

2. Click Create a Resource.The AzureMarketplace appears.

3. In the Search text box, type Firebox Cloud.

4. Select WatchGuard Firebox Cloud.TheWatchGuard FireboxCloud license optionsappear.

5. From the Select a software plan drop-down list, select WatchGuard Firebox Cloud (BYOL) orWatchGuard Firebox Cloud (PAYG).

6. Click Create.The VM configuration stepsappear.


7. In the Basics step, specify basic information about your virtual machine.

Firebox Cloud VM Name

The name for the Firebox Cloud virtual machine in the Azure portal.

Subscription

The name of the Azure subscription where the virtual machine and resources are stored. This isthe account that Microsoft bills for VM use and storage.

Resource group

A resource group is a collection of resources that share the same lifecycle, permissions, andpolicies. All objects, such as networks and interfaces, and data for the Firebox Cloud instancewill be associated with the resource group you specify. The resource group does not affectnetworking or connectivity from the Firebox to existing Azure resources.

Microsoft Azure does not support deployment of amanaged application to a resourcegroup with existing resources. Youmust create a new resource group or use an emptyresource group.

Location

The Azure region for this Firebox Cloud instance.

8. In the VM Size and Key Data step, specify virtual machine configuration details.

Firebox Cloud License Type and VM Size — for Firebox Cloud (BYOL)

For a BYOL license, select the Firebox Cloud License Type. This is the Firebox Cloud licenseyou purchased fromWatchGuard or aWatchGuard reseller. Select Small, Medium, Large orExtra Large. After you select the License Type, an appropriate VM size is selected by default.To select a different size, click Change size.

Azure VM Tier and VM Size — for Firebox Cloud (PAYG)

For a PAYG license, select the Azure VM tier for the virtual machine. Select Free Tier Eligibleor Standard. After you select the VM tier, an appropriate VM size is selected by default. Toselect a different size, click Change size.

SSH public key

The public key for this Firebox. You can use a tool such as puttygen, or ssh-keygen command inLinux to generate the key pair. Youmust use the private key associated with this public key toconnect to the Firebox Cloud CLI.

Storage account

The name of the storage account to store boot diagnostic log files. The storage account youselect must not be in another resource group in your subscription. Boot diagnostic log filescontain information that can helpWatchGuard support troubleshoot issues.




9. In the Network step, specify required network configuration information.

Virtual network

The virtual network to use for this Firebox Cloud. By default, a new available address space witha /16 netmask is selected. You can use the default virtual network, edit the default virtualnetwork, or choose another existing virtual network.

Subnets

Review and configure the subnets to use for the External (Public) and Trusted (Private)networks.

Public IP address

Select or create a public IP address to use for your Firebox Cloud external interface. For a newpublic IP address, specify a name, and select the SKU type (Basic or Standard). If you select aBasic SKU type, select the IP address assignment type, Dynamic or Static.

Inbound connections to a public IP address with the Standard SKU type fail until youcreate and associate a network security group and explicitly allow the desired inboundtraffic. For more information, see the article IP address types and allocationmethods inAzure in theMicrosoft Azure documentation.

Domain name label

Specify the DNS label for the Firebox Cloud public IP address. It must be all lowercase lettersand numbers.

10. In the Summary step, review the information, and correct any errors.

11. In the Buy step, review the terms and conditions and click Create.The deployment starts.

After the deployment is completed, you can go to the resource group or pin the VM to theMicrosoft Azuredashboard.


https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm

Find the Instance ID (VM ID)After you deploy your Firebox Cloud instance, youmust find the Instance ID, also known as the VM ID. Youwill need this to activate your license, and to log in to the FirewareWebUI to run the Firebox Cloud SetupWizard. You can find the instance ID in the name of the storage container for boot diagnostic logs.

To find the Firebox Cloud Instance ID:

1. In the Azure left navigationmenu, select Storage accounts.

2. Click the name of the storage account associated with your Firebox Cloud instance.

3. In the Blob Service list, select Containers.

4. Find the boot diagnostic container.The name of the boot diagnostic container is in the format:<bootdiagnostics>-<vmname>-<vmid>

For example:bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d

5. Copy the VMID at the end of the container name.

Youmust have this instance ID to activate your Firebox Cloud license and to run the Firebox Cloud SetupWizard.

Activate your Firebox Cloud LicenseFor Firebox Cloud with a BYOL license, youmust activate the Firebox Cloud serial number in theWatchGuard portal. Before you can activate Firebox Cloud, youmust have the Firebox Cloud serial numberyou received fromWatchGuard and youmust know the Firebox Cloud Instance ID.

To activate your Firebox Cloud license:

1. Go to www.watchguard.com.

2. Click Support.

3. Click Activate Products.

4. Log in to yourWatchGuard Customer or Partner portal account. If you do not have an account, you cancreate one.

5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Product.

6. When prompted, provide your Firebox Cloud serial number and Instance ID.

7. When activation is complete, copy the feature key and save it to a local file.




Run the Firebox Cloud Setup WizardAfter you deploy Firebox Cloud, you can connect to FirewareWebUI through the public IP address to runthe Firebox Cloud SetupWizard. You use the wizard to set the administrative passphrases for FireboxCloud.

To run the Firebox Cloud SetupWizard:

1. Connect to FirewareWebUI for your Firebox Cloud with the public IP address:https://<eth0_public_IP>:8080

2. Log in with the default Administrator account user name and passphrase:n User name — admin

n Passphrase — The Firebox Cloud Instance ID

The FireboxCloud SetupWizard welcome page appears.

3. Click Next.The setup wizard starts.

4. Review and accept the End-User License Agreement. Click Next.

5. Specify new passphrases for the built-in status and admin user accounts.

6. Click Next.The configuration is saved to FireboxCloud and the wizard is complete.


Connect to Fireware Web UITo connect to FirewareWebUI and administer Firebox Cloud:

1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:https://<eth0_public_IP>:8080

2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox CloudSetupWizard.

By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at thesame time. To prevent changes by more than one administrator at the same time, the configuration is

locked by default. To unlock the configuration so you canmake changes, click .

If you prefer to allow only one Device Administrator to log in at the same time, select System > GlobalSettings and clear the Enable more than one Device Administrator to log in at the same time checkbox.

Microsoft Azure automatically terminates your management connection to FireboxCloud after 30minutes of inactivity. To avoid unexpected disconnection of yourmanagement session, do not set theManagement Session Idle Timeout in the FirewareAuthentication > Settings page to a value higher than 30minutes.




Add the Feature KeyIf you have received or downloaded the Firebox Cloud feature key to a local file, in the Feature Key Wizardselect Yes I have a local copy of the feature key and paste the feature key into the wizard.

If you activated a Firebox Cloud license in theWatchGuard portal, your feature key is available directly fromWatchGuard. Youmust add this feature key to the Firebox Cloud configuration to enable all functionalityand configuration options on Firebox Cloud.

After you add the feature key, Firebox Cloud automatically reboots with a new serialnumber.

To add the feature key, from FirewareWebUI:

1. Select System > Feature Key.The Feature KeyWizard page appears.

2. To unlock the configuration file, click .

3. To download and install the feature key, click Next.

4. On the Summary page, verify that your feature key was successfully installed.When your feature keyhasbeen installed, Feature KeyRetrievalSuccessappears on the Summarypage.


5. Click Next.Thewizard completesand FireboxCloud rebootswith a new serial number.

Next StepsAfter you run the setup wizard and add the feature key you can use FirewareWebUI or Policy Manager toconfigure the settings for Firebox Cloud.

Enable Feature Key SynchronizationEnable Firebox Cloud to automatically check for feature key updates when services are about to expire.

To enable feature key synchronization, in FirewareWebUI:

1. Select System > Feature Key.

2. Select the Enable automatic feature key synchronization check box.

3. Click Save.

To enable feature key synchronization, in Policy Manager:

1. Connect to Firebox Cloud inWatchGuard SystemManager.

2. Open Policy Manager.

3. Select System > Feature Keys.


5. Click Save.

Configure Firebox Cloud to Send Feedback to WatchGuardTo enable Firebox Cloud to send feedback, in FirewareWebUI:

1. Select System > Global Settings.

2. Select the Send device feedback to WatchGuard check box.

3. Select the Send Fault Reports to WatchGuard daily check box.

To enable Firebox Cloud to send feedback, in Policy Manager:



3. Select Setup > Global Settings.






Configure Firewall Policies and ServicesThe default WatchGuard andWatchGuardWebUI policies allow management connections from anycomputer on the trusted, optional, or external networks. If you do not want to allow managementconnections from the external network, edit theWatchGuard andWatchGuardWebUI policies to removethe Any-External alias from the From list. To allow management from only a specific computer on theexternal network, you can add the address of that management computer to the From list in these policies.

Configure other policies and services as you would for any other Firebox.

Firebox Cloud does not support every Fireware feature. For a summary of thedifferences between Firebox Cloud and other Firebox models, see Firebox CloudFeature Differences.


Deploy Firebox Cloud on AWS

Before You BeginBefore you can use Firebox Cloud, youmust create an AWS account. When you set up your AWS account,you specify billing information and the security credentials you use to connect to the AWS ManagementConsole.

For more information about how to get started with AWS, see:

http://docs.aws.amazon.com/gettingstarted/latest/awsgsg-intro/gsg-aws-intro.html

For information about the AWS Management Console, see:

http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html

Deployment OverviewTo deploy your instance of Firebox Cloud on AWS youmust complete these procedures:

Create a Virtual Private Cloud (VPC)Use the VPC Wizard to create a VPC with public and private subnets.

Terminate the NAT instanceTerminate the NAT instance that was automatically created for the VPC by the VPC Wizard. Youcan terminate this default NAT instance because the instance of Firebox Cloud will completeNAT functions for subnets in this VPC.

Create an instance of Firebox CloudLaunch an EC2 instance for Firebox Cloud with these properties:

n VPC Configuration — VPC with Public and Private Subnets

n AMI — WatchGuard Firebox Cloud

n Instance Type — If you select Firebox Cloud with a BYOL license, make sure to select theinstance type that has the same number of vCPUs as the Firebox Cloud license you purchased.

n Network — A VPC with public and private subnets

n Interfaces — Eth0must use a public subnet; Eth1must use a private subnet

n Storage — Keep the default size

n Security Group — Allow all inbound traffic


http://docs.aws.amazon.com/gettingstarted/latest/awsgsg-intro/gsg-aws-intro.html

http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html

For information about supported EC2 instance types for Firebox Cloud (BYOL) andFirebox Cloud (Hourly), see the Firebox Cloud product information in theAWS Marketplace.

Disable the Source/Destination checks for Firebox CloudFor your Firebox Cloud to function as a NAT device for your VPC, youmust disable thesource/destination check for the instance of Firebox Cloud.

Assign an Elastic IP address to the instance of Firebox CloudAssign an Elastic IP (EIP) address to the eth0 interface for your instance of Firebox Cloud. You canuse the EIP address that was allocated to the NAT instance you terminated or any other availableEIP address.

Configure the default route for the private networkChange the routing for the private subnet so that it uses the instance of Firebox Cloud as the defaultgateway.

Check instance statusCheck the state of the instance of Firebox Cloud to verify that it has powered up, that it has a publicIP address and DNS server assigned, and the correct security group is configured.

Each of these procedures is described in detail in the next sections.

Create a VPC with Public and Private SubnetsIf you do not already have a VPC with public and private subnets, youmust create one.

To use the VPC Wizard to create a VPC:

1. Log in to the AWS Management Console at aws.amazon.com.

2. Select Services > VPC.

3. Click Start VPC Wizard.

4. At the left side of the page, select VPC with Public and Private Subnets.



https://aws.amazon.com/marketplace

http://aws.amazon.com/


5. Click Select.The public and private subnet configuration settingsappear.

6. In the VPC name text box, type a name to identify your VPC.

7. Configure the public and private subnets. You can use the default public and private subnets or selectother subnets.

8. Configure the Availability Zone for each subnet. Make sure that the public subnet and private subnetare in the same zone.

9. In the NAT settings, click Use a NAT instance instead.TheNAT instance settingsappear. You can use the default instance settings.

Youwill terminate the NAT instance later and use the instance of Firebox Cloud forNAT.


10. Click Create VPC.Thewizard creates the VPC and the associated NAT instance.

11. Click OK to go to the VPC Dashboard.

12. Select Subnets to see the subnet and routing information for your VPC.To filter the list, from the Filter by VPC drop-down list, select your VPC.




Terminate the NAT InstanceThe VPC Wizard automatically creates a NAT instance for your VPC. This default NAT instance is notnecessary because the Firebox will provide NAT services for the VPC. You can terminate the automaticallycreated NAT instance from the EC2 Instances page.

By default, the automatically created NAT instance does not have a tag associated with it. If you havemorethan one untagged NAT instance, make sure you terminate only the instance associated with your VPC.

To verify which instance is the NAT instance:

1. On the EC2 Instances page, select the instance.The instance information appears at the bottom of the page.

2. Verify that the VPC ID for the instancematches your VPC.

3. Verify the AMI ID is for a NAT instance. The AMI ID for the NAT instance begins with amzn-ami-vpc-nat.

When you terminate the NAT instance, you can also choose to release the Elastic IP (EIP) addressassigned to the NAT instance. In this procedure, we do not release the EIP address, so it is stillavailable for you to assign to the instance of Firebox Cloud later.

To assign the EIP associated with the NAT instance to your instance of Firebox Cloud,copy the EIP address before you terminate the NAT instance. This makes it easier toidentify which EIP address you want to assign to the instance of Firebox Cloud.

To terminate the NAT instance:

1. Select the NAT instance.

2. Select Actions > Instance State > Terminate.

3. Select Yes, Terminate.


Create an Instance of Firebox CloudFrom the EC2 dashboard, you can create an EC2 instance for Firebox Cloud.

To launch an instance of Firebox Cloud:

1. Select Services > EC2.

2. In the navigation pane, select AMIs.

3. Select theWatchGuard Firebox Cloud AMI.

4. Click Launch.

5. Select the AWS instance type. If you selected Firebox Cloud with a BYOL license, select an instancethat has the number of vCPUs your Firebox Cloud license supports.n For information about themaximum number of vCPUs supported for each Firebox Cloudmodel,

see Firebox Cloud LicenseOptionsIntroduction to Firebox Cloudn For information about supported EC2 instance types for Firebox Cloud (BYOL) and Firebox

Cloud (Hourly), see the Firebox Cloud product information in the AWS Marketplace .

6. Click Next: Configure Instance Details.TheConfigure Instance Details step appears.



https://aws.amazon.com/marketplace


7. From the Network drop-down list, select your VPC.

8. From the Subnet drop-down list, select the public subnet to use for eth0.The subnet you select appears in the Network Interfaces section for eth0.

9. To add a second interface, in the Network interfaces section, click Add Device.Eth1 is added to the list of network interfaces.

10. From the Subnet drop-down list for eth1, select the private subnet to use for eth1.


11. Click Next: Add Storage.

12. Use the default storage size (5 GB). Click Next: Add Tags.

13. In the Value text box, type a name to identify this instance.

14. Click Next: Configure Security Group.




By default, the instance uses a security group that functions as a basic firewall. Because FireboxCloud is a firewall, youmust add a new security group that allows all traffic, and assign that securitygroup to this EC2 instance.

15. Select an existing security group or add a new security group that allows all traffic.If you create a new security group, from the Type drop-down list, select All traffic.

16. Click Review and Launch.The configured information for your instance appears.

17. Click Launch.The keypair settingsdialog boxappears.


Select or Create a Key Pair for SSH AuthenticationWhen you launch a new EC2 instance, you can select or create a key pair. The key pair is needed only forssh connections to the Fireware command line interface (CLI) for Firebox Cloud. You do not need the keypair to connect to FirewareWebUI. If you proceed without a key pair, you can log in to FirewareWebUI,but you cannot connect to the CLI from outside of the VPC.

You can use an existing key pair if you have access to the private key file. Or you can create a new key pairand download the private key file.

To use an existing key pair:

1. From the top drop-down list, select Choose an existing key pair.

2. From the Select a key pair drop-down list, select an existing key pair.

3. Select the check box to acknowledge that you have access to the selected private key file.

4. Click Launch Instances.




To create a new key pair:

1. From the top drop-down list, select Create a new key pair.

2. In the Key pair name text box, type a name for the new key pair

3. Click Download Key Pair.The .PEM file that contains the private key is downloaded.

Save the private key file in a secure location. Youmust provide the private key toconnect to the Fireware command line interface.

4. Save the private key to a location that is a secure and accessible; you cannot download the private keyfile again.

5. Click Launch Instances.


Disable Source/Destination ChecksBy default, each EC2 instance completes source/destination checks. For the networks on your VPC tosuccessfully use your instance of Firebox Cloud for NAT, youmust disable the source/destination check forthe network interfaces assigned to the instance of Firebox Cloud.

To disable source/destination checks for the public interface:

1. From the EC2Management Console, select Instances > Instances.

2. Select the instance of Firebox Cloud.

3. Select Actions > Networking > Change Source/Dest. Check.The confirmationmessage includes the public interface for this instance.

4. Click Yes, Disable.The source and destination checksare disabled for the public interface.

To disable source/destination checks on the private interface:

1. From the EC2Management Console, select Network & Security > Network Interfaces.

2. Select the private interface of your VPC.

3. Select Actions > Change Source/Dest. Check.

4. Select Disabled.

5. Click Save.




Assign an Elastic IP Address to the External InterfaceYoumust assign an Elastic IP (EIP) address to the eth0 interface for the instance of Firebox Cloud. You canuse the EIP address that was previously assigned to the NAT instance you terminated, or any otheravailable EIP address. Tomake sure you assign it to the correct interface, find and copy the eth0 interfaceID for your instance of Firebox Cloud.

To find the eth0 interface ID for your instance of Firebox Cloud:

1. From the EC2Management Console, select Instances.

2. Select the instance of Firebox Cloud.The instance details appear.

3. Click the eth0 network interface.More information about the network interface appears.

4. Copy the Interface ID value.

To associate the Elastic IP address with the eth0 interface:

1. From the EC2Management Console, select Network & Security > Elastic IPs.

2. Select an available Elastic IP address.

3. Select Actions > Associate Address.The Associate addresspage appears.

4. In the Resource type settings, select Network interface.

5. In the Network Interface text box, paste the Interface ID for eth0.

6. Click Associate.

You can now use the EIP address to connect to FirewareWebUI for your instance of Firebox Cloud.

To connect to FirewareWebUI, open a web browser and go to https://<eth0_EIP>:8080.


Configure the Default RouteTo enable Firebox Cloud to control outbound traffic from the private network connected to eth1, youmustchange the route table for the private subnet so that it uses Firebox Cloud as the default gateway.

To find the network interface ID of the private network:

1. On the EC2 dashboard, select Network & Security > Network Interfaces.

2. Find the private network interface for your instance ID. It is the interface that does not have a public IPaddress assigned.

3. Copy the network interface ID.

To edit the route table:

1. Select Services > VPC.

2. Select Route Tables.

3. To find the interface for the private network, select each route table for your VPC one at a time.The route table details appear, with the interface information for each route table.

4. To see the routes for each network, select the Routes tab.For the private interface, the default route status isBlackHole because the NAT target was set by the VPCWizard to the NATinstance you terminated.

5. On the Routes tab for the private network, click Edit.

6. In the Target text box, paste the network interface ID for the private network interface.The route status changes from BlackHole to Active.

7. Click Save.




Verify the Instance StatusAfter you finish all the steps to deploy your instance of Firebox Cloud, review the instance details on theEC2 Instances page to verify that:

n Public IP address and Public DNS server are assigned

n The security group to allow all traffic is assigned

Activate your Firebox Cloud License (BYOL Only)For Firebox Cloud with a BYOL license, youmust activate the Firebox Cloud serial number in theWatchGuard portal. Before you can activate Firebox Cloud, youmust have the Firebox Cloud serial numberyou received fromWatchGuard and youmust know the Firebox Cloud Instance ID.

To activate your Firebox Cloud license:

1. Go to www.watchguard.com.

2. Click Support.

3. Click Activate Products.

4. Log in to yourWatchGuard Customer or Partner portal account. If you do not have an account, you cancreate one.

5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Product.

6. When prompted, provide your Firebox Cloud serial number and Instance ID.

7. When activation is complete, copy the feature key and save it to a local file.


Run the Firebox Cloud Setup WizardAfter you deploy Firebox Cloud, you can connect to FirewareWebUI through the public IP address to runthe Firebox Cloud SetupWizard. You use the wizard to set the administrative passphrases for FireboxCloud.

To run the Firebox Cloud SetupWizard:

1. Connect to FirewareWebUI for your Firebox Cloud with the public IP address:https://<eth0_public_IP>:8080

2. Log in with the default Administrator account user name and passphrase:n User name — admin

n Passphrase — The Firebox Cloud Instance ID

The FireboxCloud SetupWizard welcome page appears.

3. Click Next.The setup wizard starts.

4. Review and accept the End-User License Agreement. Click Next.

5. Specify new passphrases for the built-in status and admin user accounts.

6. Click Next.The configuration is saved to FireboxCloud and the wizard is complete.




Connect to Fireware Web UITo connect to FirewareWebUI and administer Firebox Cloud:

1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:https://<eth0_public_IP>:8080

2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox CloudSetupWizard.

By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at thesame time. To prevent changes by more than one administrator at the same time, the configuration is

locked by default. To unlock the configuration so you canmake changes, click .

If you prefer to allow only one Device Administrator to log in at the same time, select System > GlobalSettings and clear the Enable more than one Device Administrator to log in at the same time checkbox.


Add the Feature Key (BYOL Only)If you activated a Firebox Cloud license in theWatchGuard portal, your feature key is available directly fromWatchGuard. Youmust add this feature key to the Firebox Cloud configuration to enable all functionalityand configuration options on Firebox Cloud.

After you add the feature key, Firebox Cloud automatically reboots with a new serialnumber.

To add the feature key, from FirewareWebUI:

1. Select System > Feature Key.The Feature KeyWizard page appears.

2. To unlock the configuration file, click .

3. To download and install the feature key, click Next.

4. On the Summary page, verify that your feature key was successfully installed.When your feature keyhasbeen installed, Feature KeyRetrievalSuccessappears on the Summarypage.




5. Click Next.Thewizard completesand FireboxCloud rebootswith a new serial number.

Next StepsAfter you run the setup wizard and add the feature key you can use FirewareWebUI or Policy Manager toconfigure the settings for Firebox Cloud.

Enable Feature Key SynchronizationEnable Firebox Cloud to automatically check for feature key updates when services are about to expire.

To enable feature key synchronization, in FirewareWebUI:

1. Select System > Feature Key.


3. Click Save.

To enable feature key synchronization, in Policy Manager:



3. Select System > Feature Keys.


5. Click Save.

Configure Firebox Cloud to Send Feedback to WatchGuardTo enable Firebox Cloud to send feedback, in FirewareWebUI:

1. Select System > Global Settings.



To enable Firebox Cloud to send feedback, in Policy Manager:



3. Select Setup > Global Settings.




Configure Firewall Policies and ServicesThe default WatchGuard andWatchGuardWebUI policies allow management connections from anycomputer on the trusted, optional, or external networks. If you do not want to allow managementconnections from the external network, edit theWatchGuard andWatchGuardWebUI policies to removethe Any-External alias from the From list. To allow management from only a specific computer on theexternal network, you can add the address of that management computer to the From list in these policies.

Configure other policies and services as you would for any other Firebox.

Firebox Cloud does not support every Fireware feature. For a summary of thedifferences between Firebox Cloud and other Firebox models, see Firebox CloudFeature Differences.



Firebox Cloud Feature Differences

Because Firebox Cloud is optimized to protect servers in a virtual private cloud, some setup requirements,configuration options, and available features are different from other Firebox models. This sectionsummarizes the differences between Firebox Cloud and other Fireboxes.

AdministrationYou use FirewareWebUI orWatchGuard SystemManager to manage a Firebox Cloud instance. You canuseWatchGuard Cloud orWatchGuard Dimension tomonitor the traffic and security status of the networksyour Firebox protects. You can use Dimension Command tomanage a Firebox Cloud instance that runsFireware v11.12.4 or higher.

To add a Firebox Cloud instance toWatchGuard Cloud, theWatchGuard Cloud instancemust have a BYOLlicense.

Tomanage Firebox Cloud from Policy Manager or aWatchGuardManagement Server youmust installWatchGuard SystemManager v12.2 or higher.

Licensing and ServicesFor Firebox Cloud with a BYOL license, youmust activate a license key for Firebox Cloud on theWatchGuard website, and add the feature key to your instance of Firebox Cloud. For more information, seeDeploy Firebox Cloud on AWS or Deploy Firebox Cloud onMicrosoft Azure.

Most supported features and services are included with Firebox Cloud. Some security services aresupported only for Firebox Cloud with a BYOL license. For information about license options and supportedservices, see Firebox Cloud LicenseOptions.

Network InterfacesFirebox Cloud supports two to eight interfaces. It supports one external interface (eth0), and up to sevenprivate interfaces (eth1–eth7). All Firebox Cloud interfaces use DHCP to request an IP address.

For Firebox Cloud on AWS, you assign an Elastic IP (EIP) address to the external interface. For FireboxCloud on Azure, you can configure the external interface with a dynamic or static IP address. The internal IPaddresses are assigned based on the private networks assigned to your Firebox Cloud instance.

Firebox Cloud supports a secondary network IP address on the external interface inFireware v12.1 and higher.


Because youmust configure all network interface IP addresses and settings in AWS or Azure, you cannotconfigure the network interfaces in FirewareWebUI. The Network > Interfaces configuration page is notvisible in FirewareWebUI for Firebox Cloud.

Default Firebox ConfigurationWhen you launch an instance of Firebox Cloud, it automatically starts with a default configuration. ForFirebox Cloud with a BYOL license, youmust get a feature key to enable configuration of all features.

The Firebox Cloud SetupWizard runs the first time you connect to FirewareWebUI. In the wizard youaccept the End User License Agreement and choose new passphrases.

After you run the setup wizard, the default configuration for Firebox Cloud is different from other Fireboxmodels in these ways:

n All interfaces use DHCP to obtain an IPv4 primary IP addresses

n Firebox Cloud allows more than one Device Administrator to connect at the same time

n You can connect to any interface for administration with FirewareWebUI

n The default policies allow management connections and pings to Firebox Cloud, but do not allowoutbound traffic from private subnets through Firebox Cloud

n Licensed subscription services are not configured by default

The default WatchGuard andWatchGuardWebUI policies allow management connections from anycomputer on the trusted, optional, or external networks. If you do not want to allow managementconnections from the external network, edit theWatchGuard andWatchGuardWebUI policies to removethe Any-External alias from the From list. To allow management from only a specific computer on theexternal network, you can add the address of that management computer to the From list in these policies.

Fireware FeaturesFirebox Cloud supports most policy and security features available on other Firebox models. It supports asubset of networking features appropriate for the AWS environment. For supported features, the availableconfiguration settings are the same as for any other Firebox. Most features and options that are notsupported for Firebox Cloud do not appear in FirewareWebUI.

Networking features not supported:

n Drop-in mode and Bridgemode

n DHCP server and DHCP relay (all interfaces are DHCP clients)

n PPPoE

n IPv6

n Multi-WAN (includes sticky connections and policy-based routing)

n ARP entries

n Link Aggregation

n VLANs




n FireCluster

n Bridge interfaces

Policies and Security Services not supported:

n Explicit-proxy and Proxy Auto-Configuration (PAC) files

n Quotas

n DNSWatch

n Network Discovery

n Mobile Security

Authentication features not supported:

n Hotspot

Firebox Cloud supports Single Sign-On (SSO) in Fireware v12.2 or higher.

System Administration features not supported:

n Logon disclaimer for devicemanagement connections

n USB drive for backup and restore

Other features not supported:

n Gateway Wireless Controller

n Mobile VPN with SSL Bridge VPN Traffic option

Features you cannot configure from FirewareWebUI:

n Change the logging settings for default packet handling options

n Edit the name of an existing policy

n Add a custom address to a policy

n Use a host name (DNS lookup) to add an IP address to a policy

n Add or edit a secondary PPPoE interface

It is possible to configure some features, such as IPv6 routes, that are not supported forFirebox Cloud. This does not enable the unsupported feature, but does no harm.


See Firebox Cloud VM Information

You can see information about the Firebox Cloud virtual machine in FirewareWebUI and Firebox SystemManager.

VM Information in Fireware Web UIFor Firebox Cloud, some pages in FirewareWebUI include information about the Firebox Cloud virtualmachine and virtual interfaces.

The Front Panel DashboardFor Firebox Cloud, the Front Panel dashboard page includes this information about the Firebox Cloudinstance:

n Instance ID — The virtual machine identifier

n Instance Type — The type of AWS or Azure virtual machine instance

n Availability Zone — The AWS Availability Zone or Azure region where the Firebox Cloud virtual machineis deployed

The VM Information System Status PageThe System Status > VM Information page includes more details about the Firebox Cloud virtual machine.

The VM Information for Firebox Cloud for AWS includes:


n Instance Type — The type of AWS virtual machine instance

n Availability Zone — The AWS Availability Zone

n Public Hostname — The public host name of the Firebox Cloud virtual machine

n Public IPv4 Address — The public IPv4 address for the external interface

n Security Group — The AWS security group

n Public Key — The public key for this Firebox Cloud virtual machine

The VM Information for Firebox Cloud for Azure includes:

n VM ID — The virtual machine ID. This is the same as the Instance ID on the Front Panel.

n VM Size — The Azure VM size. This is the same as the Instance Type on the Front Panel.

n Location — The Azure region. This is the same as the Availability Zone on the Front Panel.

n Public Hostname — The host name for the Firebox Cloud instance external interface





The Interfaces DashboardThe Interfaces Dashboard page includes information about the status of virtual network interfacesassociated with each Firebox Cloud interface. The content shown in the Detail tab varies slightly forFirebox Cloud on AWS or Azure.

For Firebox Cloud on AWS, the Interfaces Dashboard page includes this information:

n Interface ID — The elastic network interface (eni) ID

n Public Hostname — The public DNS host name for the external interface

n Public IPv4 address — The public IPv4 address for the external interface

n Local Hostname — The private DNS host name for the network interface

n Device Number — The interface number

n VPC ID — The ID of the VPC where the instance of Firebox Cloud is deployed

n Link Status — The link status of each interface (Up or Down)

n DNS Servers — The list of DNS servers that generate the public IPv4 address

The InterfacesDashboard for a FireboxCloud instance on AWS


For Firebox Cloud on Azure, the Interfaces Dashboard page includes this information:

n Public IPv4 address — The public IPv4 address for the external interface

n Local IPv4 address — The private IPv4 address for the external interface

n Device Number — The interface number

n Link Status — The link status of each interface (Up or Down)

n DNS Servers — The list of DNS servers that generate the public IPv4 address

The InterfacesDashboard for a FireboxCloud instance on Azure

You can also see some information about the virtual machine in Firebox SystemManager, as described inthe next section.

VM Information in Firebox System ManagerTo use Firebox SystemManager to monitor Firebox Cloud, youmust install WatchGuard SystemManager v12.2 or higher. When you use Firebox SystemManager to manage Firebox Cloud, theVM Information tab shows information about the Firebox Cloud virtual machine.

The VM Information for Firebox Cloud for AWS includes:


n Instance Type — The type of AWS virtual machine instance

n Availability Zone — The AWS Availability Zone



Use Firebox Cloud to Protect a Web Server

n Public Hostname — The public host name of the Firebox Cloud virtual machine


n Security Group — The AWS security group

n Public Key — The public key for this Firebox Cloud virtual machine

The VM Information for Firebox Cloud for Azure includes:

n VM ID — The virtual machine ID. This is the same as the Instance ID on the Front Panel.

n VM Size — The Azure VM size. This is the same as the Instance Type on the Front Panel.

n Location — The Azure region. This is the same as the Availability Zone on the Front Panel.

n Public Hostname — The host name for the Firebox Cloud instance external interface



You can configure the proxy policies and subscription services in your Firebox Cloud configuration file toprotect a web server on the virtual network connected to your Firebox Cloud instance.

For more information about Firebox Cloud features, see:

n Introduction to Firebox Cloudn Firebox Cloud Feature Differences

Step 1 — Launch an Instance of Firebox CloudTo protect a web server with Firebox Cloud, youmust launch an instance of Firebox Cloud in the samevirtual network as the web server you want to protect. Youmust assign a public IP address to eth0 of theFirebox Cloud instance. This is the public IP address of Firebox Cloud. The web server to protect must beon the private subnet of the virtual network where you deploy the instance of Firebox Cloud.

For detailed steps to launch and configure a Firebox Cloud instance on AWS or Azure, see:

n Deploy Firebox Cloud on AWSn Deploy Firebox Cloud onMicrosoft Azure

After you deploy the instance of Firebox Cloud, connect to it with FirewareWebUI at the public IP addressof the Firebox external interface:

https://<eth0_public_IP>:8080

After you have connected to FirewareWebUI for your instance of Firebox Cloud, you can configure yourFirebox Cloud.


Step 2 — Add A Static NAT ActionAdd a static NAT action for traffic from the external interface to the internal IP address of the web server.You can then use the static NAT action in policies that allow traffic to your web server.

To add a static NAT action, from FirewareWebUI:

1. Select Firewall > SNAT.

2. Add a static NAT action that allows traffic from the external interface to the private IP address of theweb server. In Fireware v12.2 or higher, you can also specify an FQDN in the static NAT action.

3. Click Save.




Step 3 — Add HTTP and HTTPS Proxy PoliciesAfter you add the static NAT action, to allow HTTP and HTTPS traffic to the web server, you can add proxypolicies that use the new static NAT action. You also clone the predefined proxy actions for each policy andcreate user-defined proxy actions that you can edit.

Add an HTTP-Proxy PolicyTo allow HTTP traffic through Firebox Cloud to the web server over port 80, youmust add an HTTP-proxypolicy to the Firebox Cloud configuration.

To add the HTTP-Proxy policy, from FirewareWebUI:

1. Select Firewall > Firewall Policies.

2. Click Add Policy.

3. Select Proxies.

4. Select the HTTP-proxy and the HTTP-Server.Standard proxy action.

5. Click Add Policy.Bydefault, the policy allows traffic from Any-External to Any-Trusted.

6. From the policy To list, remove Any-Trusted, then click Add.

7. From theMember type drop-down list, select Static NAT and select the static NAT action you added.Click OK.The staticNAT action is added to the policy.


To select a user-defined proxy action for HTTP traffic:

1. Select the Proxy Action tab.

2. From the Proxy Action drop-down list, select Clone the current proxy action.Auser-defined proxyaction based on the predefined proxyaction is created and assigned to the policy. The cloned proxyactionhasa number appended to the name. For example, HTTP-Server.Standard.1.

3. Click Save.

Add an HTTPS-Proxy PolicyTo allow secure web traffic (HTTPS) to your web server, youmust also add an HTTPS-proxy policy thatallows HTTPS connections to the server over port 443. In the proxy configuration, you clone the predefinedHTTPS proxy action and enable inspection of HTTPS content.

To add the HTTPS-proxy policy, from FirewareWebUI:

1. Select Firewall > Firewall Policies.

2. Click Add Policy.

3. Select Proxies.

4. Select the HTTPS-proxy and the HTTPS-Server.Standard proxy action.

5. Click Add Policy.Bydefault, the policy allows traffic from Any-External to Any-Trusted.

6. From the To list, remove Any-Trusted, then click Add.

7. From theMember type drop-down list, select Static NAT and select the static NAT action you added.Click OK.The staticNAT action is added to the policy.




To select a user-defined proxy action and enable inspection of HTTPS content:

1. Select the Proxy Action tab.

2. From the Proxy Action drop-down list, select Clone the current proxy action.Auser-defined proxyaction based on the predefined proxyaction is created and assigned to the policy. The cloned proxyactionhasa number appended to the name. For example, HTTPS-Server.Standard.1.

3. In the HTTPS Proxy Action Settings section, select the Content Inspection tab.

4. Select the Enable Content Inspection check box.

5. From the Proxy Action drop-down list, select the user-defined HTTP proxy action you created whenyou cloned the HTTP proxy action in the HTTP-Proxy policy. For example, select HTTP-Server.Standard.1.

6. Click Save.


Import a Proxy Server CertificateIf you enable inspection of HTTPS content, the HTTPS proxy intercepts the HTTPS request and starts anew connection to the destination HTTPS server on behalf of the client. The HTTPS proxy in your FireboxCloud configuration sends a self-signed certificate to the client that originated the connection. To avoidcertificate errors in the web browser for users that connect to the server with HTTPS, youmust get theproxy server certificate and key pair from the web server and import it to Firebox Cloud as a proxy servercertificate.

To import the certificate, from FirewareWebUI:

1. Select System > Certificates.

2. Select Import Certificate.

3. For the Certificate Function, select Proxy Server.

4. Import the certificate file from your web server.

5. Save the configuration.

For more information, seeManage Device Certificates (WebUI) in Fireware Help.



https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_manage_with_webui_web.html


Step 4 — Enable Subscription ServicesFirebox Cloud includes activated subscription services you can use to control network traffic. Follow theinstructions in these procedures to enable subscription services for the HTTP and HTTPS proxy policies.

Enable Gateway AntiVirusGateway AntiVirus works with the SMTP, POP3, HTTP, FTP, and TCP-UDP proxies. When a new virus isidentified, the features that make the virus unique are recorded. These recorded features are known as thesignature. Gateway AntiVirus uses these signatures to find viruses when content is scanned by the proxy.

To enable Gateway AntiVirus in the user-defined HTTP-proxy action assigned to your HTTP-proxy policy,from FirewareWebUI:

1. Select Subscription Services > Gateway AV.TheGatewayAntiVirusActivationWizard starts automatically if GatewayAntiVirus is not alreadyenabled.

2. Complete the wizard.

Enable Intrusion Prevention Service (IPS)Intrusion Prevention Service (IPS) provides real-time protection from threats, such as spyware, SQLinjections, cross-site scripting, and buffer overflows.

To enable IPS, from FirewareWebUI:

1. Select Subscription Services > IPS.

2. Select the Enable Intrusion Prevention check box.

3. Make sure that IPS is enabled in the HTTP-proxy and HTTPS-proxy policies you added.

Enable Botnet DetectionThe Botnet Detection subscription service uses a feed of known botnet site IP addresses gathered byReputation Enabled Defense (RED). These known botnet sites are added to the Blocked Sites List thatenables Firebox Cloud to block these sites at the packet level.

To enable Botnet Detection, from FirewareWebUI:

1. Select Subscription Services > Botnet Detection.

2. Select the Block traffic from suspected botnet sites check box.

3. Click Save.


Enable Data Loss PreventionThe Data Loss Prevention (DLP) service enables you to detect, monitor, and prevent accidentalunauthorized transmission of confidential information outside your network or across network boundaries.You can use the built-in PCI Audit or HIPAA Audit sensors, or create your own sensor.

For example, to enable Data Loss Prevention for PCI compliance, from FirewareWebUI:

1. Select Subscription Services > Data Loss Prevention.

2. Select the Enable Data Loss Prevention check box.

3. Select the Policies tab.

4. Configure the HTTP-proxy and HTTPS-proxy to use the PCI Audit Sensor.

5. Click Save.

The default Data Loss Prevention sensors monitor and send logmessages when they detect data thatmatches the rules enabled in the sensor. To change the action for the sensor, you can clone the sensor andthen edit the settings in the new sensor.

Configure Threat Detection and ResponseThreat Detection and Response (TDR) is a cloud-based service hosted by WatchGuard. Your ThreatDetection and Response account in the cloud collects and analyzes forensic data received from Fireboxesand Host Sensors on your network. You log into your TDR account on theWatchGuard Portal to configureaccount settings, Host Sensor settings, and tomonitor andmanage security threats.

Before you can enable Threat Detection and Response in your Firebox Cloud configuration, youmust log into Threat Detection and Response and get your TDR Account UUID.

For more information, see Log In to the TDR WebUI in Fireware Help.

To find your Account UUID:

1. Log in to the TDR webUI as a user with Operator credentials.

2. Select Devices > Firebox.The Account UUID appears at the top of the page.

3. Copy the Account UUID.

To enable Threat Detection and Response, from FirewareWebUI:

1. Select Subscription Services > Threat Detection.

2. Select the Enable Threat Detection & Response check box.

3. In the Account UUID and Confirm text boxes, paste your Account UUID.

4. Click Save.

For more information, see Enable TDR on a Firebox in Fireware Help.



https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_log_in.html

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_firebox_enable_c.html

Enable Logging for Firebox Cloud

Configure GeolocationTheGeolocation subscription service uses a database of IP addresses and countries to identify thegeographic location of connections through the Firebox. Geolocation is enabled by default. You canconfigure Geolocation to block connections to or from specific regions.

If your internal network configuration includes IP addresses outside the reservedprivate IP address ranges defined in RFC 1918, RFC 5737, or RFC 3330, make sureto look up the geolocation of the IP addresses in your network before you block acountry.

To look up the geolocation of an IP address, from FirewareWebUI:

1. Select Dashboard > Geolocation > Lookup.

2. Specify the IP address to look up.

To select the countries to block, from FirewareWebUI:

1. Select Subscription Services > Geolocation.

2. Select the Enable Geolocation check box.

3. Select countries to block on amap or from a list.

4. If there are sites you want to allow in the blocked countries, configure exceptions.

5. Save the configuration.

For more information about how to select countries and configure exceptions, see Configure Geolocation inFireware Help.


You can enable Firebox Cloud to send logmessages toWatchGuard Cloud orWatchGuard Dimension™.BothWatchGuard Cloud and Dimension are virtual visibility andmanagement solutions you can use to seeFirebox log data in real-time, track it across your network, view the source and destination of the traffic,view logmessage details of the traffic, monitor threats to your network, and view reports of the traffic.

Configure Logging to WatchGuard CloudTo enable Firebox Cloud to send logmessages toWatchGuard Cloud, you can add your Firebox Cloud toWatchGuard Cloud. When you enableWatchGuard Cloud, the Firebox sends logmessages toWatchGuardCloud in addition to any other log servers you configure. After you activate a Firebox Cloud license on theWatchGuard portal, you can add the Firebox Cloud instance to yourWatchGuard Cloud account.

For more information, see Add a Firebox toWatchGuard Cloud.


https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/geo/geo_config_c.html

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/device_add_to_cloud.html

Firebox Cloud is not supported forWatchGuard Cloud with a PAYG license.

Configure Logging to DimensionIf you have an instance of Dimension, you can configure Firebox Cloud to send logmessages toDimension.

To configure Firebox Cloud to send logmessages to your instance of Dimension:

1. Select System > Logging.

2. Select the Send log messages to these WatchGuard Log Servers check box.

3. In the Log Servers list, add the IP address of your instance of Dimension.If your instance of Dimension is behind another Firebox, specify the external IP address of the Fireboxthat protects your instance of Dimension.

4. Type and confirm the Authentication Key for your instance of Dimension.

5. Click Save.

If your instance of Dimension is behind another Firebox, make sure that the configuration file of the Fireboxthat protects Dimension includes aWG-Logging policy to allow traffic from the external interface to a staticNAT action that translates the public IP address of the Firebox to the private IP address of Dimension. Foran example of how to set up this policy, see the Video Tutorial Getting Started withWatchGuardDimension.

For more information about how to configure the logging settings, see Fireware Help,



https://www.watchguard.com/help/video-tutorials/Dimension/index.html

https://www.watchguard.com/help/video-tutorials/Dimension/index.html

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/_intro/fireware_help_front.html

Changes that Require a Firebox Cloud Reboot

Changes that Require a Firebox Cloud Reboot

If you change the configuration of the network interfaces assigned to your Firebox Cloud instance in AWS orAzure. a reboot might be required for the Firebox to recognize the change. You can restart Firebox Cloudfrom the AWS console, or from FirewareWebUI.

If you add interfaces to a Firebox Cloud instance, youmust reboot Firebox Cloud twicefor new interfaces to receive IP addresses.

The types of changes that require a reboot depend on the version of Fireware.

Fireware v12.4 and HigherIn Fireware v12.4 and higher, youmust reboot the Firebox after you add or remove a networkinterface.

If youmake changes to an interface that Firebox Cloud already uses, a reboot is not required.Firebox Cloud detects the change within fiveminutes after you save the change in AWS or Azure.

Fireware v12.3.x and LowerIn Fireware v12.3.x and lower, youmust reboot the Firebox after you:

n Add or remove a network interface

n Change interface configuration

n Manually assign an elastic IP address to an interface

To restart Firebox Cloud from FirewareWebUI:

1. Connect to FirewareWebUI.

2. On the Front Panel page, click Reboot.

If you added an interface, repeat these steps to restart Firebox Cloud a second time.


Administer Firebox Cloud with the CLI

Formost Firebox Cloud administration tasks, we recommend that you use FirewareWebUI. You can alsouse the Fireware command line interface (CLI) to administer your instance of Firebox Cloud. To connect tothe Fireware CLI youmust have a terminal client that supports SSH2 and public key authentication.

If you did not specify a key pair when you launched your instance of Firebox Cloud,you cannot connect to Firebox Cloud with the Fireware CLI.

To connect to your Firebox Cloud with the Fireware CLI, use an SSH terminal client and specify thesesettings:

n User name — The Device Administrator user name that you use to log in to FirewareWebUI

n Private key — The private key file for your instance of Firebox Cloud

n Address — The public IP address of Eth0 for your instance of Firebox Cloud

n Port — 4118

For information about how to use the CLI to manage Fireware, see the Command Line Interface Referenceon the Product Documentation page at https://www.watchguard.com/help/documentation/.

Reset the Firebox to Factory-Default SettingsIf you want to run theWeb SetupWizard again for a Firebox Cloud instance, you can use the CLI to resetthe virtual machine to factory default settings.

To reset the Firebox to factory-default settings:

1. Log in to the CLI with the admin account.

2. Run the command restore factory-default.

When you reset a Firebox Cloud instance with a BYOL license to factory-defaultsettings, this also resets the Firebox serial number. To restore the serial number, youmust add the device feature key to the Firebox configuration.

Administer Firebox Cloud with the CLI


https://www.watchguard.com/help/documentation/

Additional Resources

This guide described how to set up a Firebox Cloud on AWS orMicrosoft Azure. After you launch andsuccessfully connect to your instance of Firebox Cloud, use these resources to learnmore about how toconfigure the supported features and services.

n Fireware Help — From FirewareWebUI, click for context-sensitive help, or go toWatchGuardHelp Center.

n Complete Fireware documentation — For the complete set of documentation for Fireware and relatedsoftware go to theWatchGuard Technical Documentation page.


https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/_intro/home.html

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/_intro/home.html

https://www.watchguard.com/wgrd-support/find-answers/technical-documentation

firebox cloud deployment guide - watchguard · aboutaws...

Documents