WatchGuard Firebox Cloud Medium
Extending the WatchGuard Security Perimeter to the Public Cloud

Compare Models:

	Firebox Cloud Small	Firebox Cloud Medium	Firebox Cloud Large	Firebox Cloud XLarge
Throughput and Connections
Firewall throughput1	2 Gbps	4 Gbps	8 Gbps	Unrestricted
Nodes Supported	Unrestricted	Unrestricted	Unrestricted	Unrestricted
VPN and Authentication
Branch Office VPN	50	600	6,000	10,000
Mobile VPN with SSL	50	600	6,000	10,000
Mobile VPN with IPSec	50	600	6,000	10,000
Authenticated Users	500	3,000	6,000	Unrestricted

¹ Throughput rates will vary based on environment & configuration.

Feature Differences:

Because Firebox Cloud is optimized to protect servers in an AWS virtual private cloud, some setup requirements, configuration options, and available features are different from other Firebox models. This section summarizes the differences between Firebox Cloud and other Fireboxes.

Administration

You must use Fireware Web UI to administer your instance of Firebox Cloud. You can use WatchGuard Dimension to monitor the traffic and security status of the networks your Firebox protects.

You cannot use a WatchGuard Management Server, Policy Manager, or Dimension to administer your instance of Firebox Cloud.

Licensing and Services

All supported features and services are included with Firebox Cloud. Firebox Cloud supports these WatchGuard subscription services:

• Application Control
• WebBlocker
• Gateway AV
• Geolocation
• Intrusion Prevention Service (IPS)
• Reputation Enabled Defense
• Botnet Detection
• Data Loss Prevention
• APT Blocker
• Threat Detection

For the Bring Your Own License option, you must activate a license key for Firebox Cloud on the WatchGuard website, and add the feature key to your instance of Firebox Cloud.

For Firebox Cloud with a Pay As You Go license, the Threat Detection and Response service does not include Host Sensor licenses.

Network Interfaces

Firebox Cloud supports two to eight interfaces. It supports one external interface (eth0), and up to seven private interfaces (eth1-eth7). All Firebox Cloud interfaces use DHCP to request an IP address. You assign an Elastic IP (EIP) address to the external interface. The internal IP addresses are assigned based on the private networks assigned to your AWS instance.

Because AWS assigns the network interface IP addresses to the instance of Firebox Cloud, you cannot configure the network interfaces in Fireware Web UI. The Network > Interfaces configuration page is not visible in Fireware Web UI for Firebox Cloud.

Default Firebox Configuration

When you launch an instance of Firebox Cloud, it automatically starts with a default configuration. For Firebox Cloud with a BYOL license, you must get a feature key to enable configuration of all features.

The Firebox Cloud Setup Wizard runs the first time you connect to Fireware Web UI. In the wizard you accept the End User License Agreement and choose new passphrases.

After you run the setup wizard, the default configuration for Firebox Cloud is different from other Firebox models in these ways:

• All interfaces use DHCP to obtain an IPv4 primary IP addresses
• Firebox Cloud allows more than one Device Administrator to connect at the same time
• You can connect to any interface for administration with Fireware Web UI
• The default policies allow management connections and pings to Firebox Cloud, but do not allow outbound traffic from private subnets through Firebox Cloud
• Licensed subscription services are not configured by default

Feature Differences

Firebox Cloud supports most policy and security features available on other Firebox models. It supports a subset of networking features appropriate for the AWS environment. For supported features, the available configuration settings are the same as for any other Firebox. Most features and options that are not supported for Firebox Cloud do not appear in Fireware Web UI.

Networking features not supported:

• Drop-in mode and Bridge mode
• DHCP server and DHCP relay
• PPPoE
• IPv6
• Multi-WAN (includes sticky connections and policy-based routing)
• Static ARP entries
• Link Aggregation
• VLAN Bridge interface
• Modem
• FireCluster
• Gateway Wireless Controller
• Mobile VPN with SSL Bridge VPN Traffic option

Policies and Security Services not supported:

• Explicit-proxy and Proxy Auto-Configuration (PAC) files
• Quotas
• spamBlocker and Quarantine Server
• Network Discovery
• Mobile Security

Authentication features not supported:

• Hotspot
• Single Sign-On (SSO)

System Administration features not supported:

• Dimension (Dimension for monitoring is supported)
• Management by WatchGuard Management Server or Policy Manager
• Logon disclaimer for device management connections
• USB drive for backup and restore

Features you cannot configure from Fireware Web UI:

• Change the logging settings for default packet handling options
• Edit the name of an existing policy
• Add a custom address to a policy
• Use a host name (DNS lookup) to add an IP address to a policy
• Add or edit a secondary PPPoE interface

In Fireware Web UI, it is possible to configure some features, such as IPv6 routes, that are not supported for Firebox Cloud. This does not enable the unsupported feature, and does no harm.

Fireware Web UI Differences

For Firebox Cloud, some pages in Fireware Web UI includes information about the Firebox Cloud EC2 instance.

The Front Panel Dashboard

For Firebox Cloud, Front Panel dashboard includes this information about the Firebox Cloud EC2 instance:

• Instance ID
• Instance Type
• Availability Zone

The VM Information System Status Page

The VM Information System Status page in Fireware Web UI includes more details about the Firebox Cloud EC2 instance. To go to the VM Information page, select System Status > VM Information.

The VM Information page includes this information:

• Instance ID
• Instance Type
• Availability Zone
• Public Hostname
• Public IPv4 Address
• Security Group
• Public Key

The Interfaces Dashboard

The Interfaces Dashboard page in Fireware Web UI includes information about the AWS virtual network interfaces associated with each Firebox Cloud interface.

The Interfaces page includes this information:

• Interface ID - The elastic network interface (eni) ID
• Public Hostname - The public DNS host name for the external interface
• Public IPv4 address - The public IPv4 IP address for the external interface
• Local Hostname - The private DNS host name for the network interface
• Device Number - The interface number
• VPC ID - The ID of the VPC where the instance of Firebox Cloud is deployed
• Link Status - The link status of each interface (Up or Down)
• DNS Servers - The list of the DNS servers that generate the IP address for the external interface

Use Cases:

The subsequent use cases describe some of the ways Firebox Cloud can add security to your AWS virtual networks.

Protect Servers Deployed on AWS

To provide protection to one or more virtual servers that are accessible from the Internet, you can install a Firebox Cloud instance. Your instance of Firebox Cloud is then the gateway for inbound connections to your servers from the internet. You configure policies and security services on your instance of Firebox Cloud to control traffic to your virtual servers.

Branch Office VPN Gateway

You can configure your Firebox Cloud as a branch office VPN (BOVPN) gateway endpoint so you can maintain a secure VPN connection between your AWS network resources and other networks protected by a Firebox or compatible VPN gateway endpoint. Firebox Cloud supports all the same VPN features as other Firebox models.

Mobile VPN Gateway

You can also enable Firebox Cloud to accept VPN connections from SSL, IPSec, and L2TP mobile VPN clients, and configure policies to control user and group access to your protected AWS network resources.

Please note: Throughput rates are determined using multiple flows through multiple ports and will vary depending on environment and configuration.

* Firebox T10-D (DSL) is available in Europe & Australia. Supports ADSL2+VDSL2/ ADSL on WAN port with integrated modem.
**Not available on Firebox T10, T10-W, T10-D

Documentation:

Download the WatchGuard Firebox Cloud Datasheet (.PDF)