Configure VPN from VMC to WatchGuard™ Firebox Cloud – Part 2

Phase 2 – Deploy the WatchGuard Firebox instance

In Part 1 of this blog post, we deployed a new transit VPC with two subnets and a route table configured accordingly.

Now it’s time to deploy a WatchGuard Firebox Cloud EC2 instance in the transit VPC. This is done from the EC2 dashboard:

  1. After logging on to the AWS Console with my personal AWS account, I selected Services > EC2.
  2. In the EC2 Dashboard, launch a new instance by clicking Launch instance (easy :=)).
  3. I selected AWS Marketplace, typed ‘firebox’ in the search window and picked the WatchGuard Firebox Cloud (Hourly) AMI.
  4. The pricing details appear. Click Continue.
  5. Select the smallest available instance type, the free-tier t2.micro, and click Next: Configure Instance Details.
  6. The Configure Instance Details step opens.
  7. From the Network drop-down list, select your transit VPC.
  8. From the Subnet drop-down list, select the public subnet to use for eth0.
     The subnet you select appears in the Network Interfaces section for eth0.
  9. To add a second interface, in the Network interfaces section, click Add Device.
     eth1 is added to the list of network interfaces.
  10. Click Next: Add Storage.
  11. Use the default storage size (5 GB).
  12. Click Next: Add Tags.
  13. Click Next: Configure Security Group. By default, the instance uses a security group that functions as a basic firewall. This security group restricts access to the following ports: HTTPS (TCP 8080), SSH, and TCP 4118 (WatchGuard firewalls allow remote management with WSM (WatchGuard System Manager) over TCP ports 4117 and 4118).
  14. Click Review and Launch.
      The configured information for your instance appears.
  15. Click Launch.
      The key pair settings dialog box opens.

Phase 3 – Finish configuring the instance of the Firebox

In this phase we will finish configuring the EC2 instance of our Firebox.

Once the firewall is deployed, open Instances from the EC2 Dashboard; the new instance should appear in the list.

Disable Source/Destination Checks

By default, each EC2 instance completes source/destination checks. For the networks on your VPC to successfully use your instance of Firebox Cloud for NAT, you must disable the source/destination check for the network interfaces assigned to the Firebox Cloud instance.

Disabling source/destination checks for the public interface is quite simple:

  • From the EC2 Management Console, select Instances > Instances.
  • Select the instance of Firebox Cloud.
  • Select Actions > Networking > Change Source/Dest. Check. The confirmation message includes the public interface for this instance.
  • Click Yes, Disable.
    The source and destination checks are disabled for the public and private interfaces.

Assign an Elastic IP Address to the External Interface

You must assign an Elastic IP (EIP) address to the eth0 interface for the instance of Firebox Cloud. You can use any available EIP address. To make sure you assign it to the correct interface, find and copy the eth0 interface ID of your instance of Firebox Cloud.

To find the eth0 interface ID for your instance of Firebox Cloud:

  1. From the EC2 Management Console, select Instances.
  2. Select the instance of Firebox Cloud.
    The instance details appear.
  3. Click the eth0 network interface.
    More information about the network interface appears.
  4. Copy the Interface ID value.

To associate the Elastic IP address with the eth0 interface:

  1. From the EC2 Management Console, select Network & Security > Elastic IPs.
  2. Select an available Elastic IP address.
  3. Select Actions > Associate Elastic IP Address.
     The Associate Elastic IP Address page opens.

If you created two interfaces, you can associate a different public IP address with each of them.
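As an added example (not from the original post and not WatchGuard's or AWS's code), a small Python check over the JSON that `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups` return, verifying what this phase sets up: source/destination checks disabled on the Firebox interfaces, an Elastic IP on eth0, and the default security group limited to the management ports listed earlier (8080, SSH, 4117/4118) without exposing them to 0.0.0.0/0. The interface IDs, group ID and CIDRs below are constructed samples, not values from a real account.

```python
import json

# Management ports the post says the default security group covers:
# Web UI over HTTPS on 8080, SSH, and WSM on 4117/4118.
MGMT_PORTS = {8080, 22, 4117, 4118}

# Constructed samples in the shape of `aws ec2 describe-network-interfaces`
# and `aws ec2 describe-security-groups` output (not from a real account).
SAMPLE_ENIS = json.loads("""{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0aaa", "SourceDestCheck": false,
  "Attachment": {"DeviceIndex": 0}, "Association": {"PublicIp": "203.0.113.10"}},
 {"NetworkInterfaceId": "eni-0bbb", "SourceDestCheck": true,
  "Attachment": {"DeviceIndex": 1}}]}""")
SAMPLE_SG = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0ccc", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
  "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "tcp", "FromPort": 4117, "ToPort": 4118,
  "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]}]}""")


def check_interfaces(enis):
    """Source/dest check must be off on every Firebox ENI (it routes and NATs
    traffic not addressed to itself) and eth0 must carry an Elastic IP."""
    findings = []
    for eni in enis["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        if eni.get("SourceDestCheck", True):
            findings.append(f"{eni_id}: source/dest check still enabled")
        if eni["Attachment"]["DeviceIndex"] == 0 and "Association" not in eni:
            findings.append(f"{eni_id}: eth0 has no Elastic IP associated")
    return findings


def check_security_group(sgs):
    """Flag ingress beyond the expected management ports, and any management
    port reachable from the whole internet (0.0.0.0/0)."""
    findings = []
    for group in sgs["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if rule["IpProtocol"] == "-1":  # "All traffic" rule: no port range
                findings.append(f"{group['GroupId']}: allows all traffic")
                continue
            ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
            if ports - MGMT_PORTS:
                findings.append(f"{group['GroupId']}: unexpected ports {sorted(ports - MGMT_PORTS)}")
            if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
                findings.append(f"{group['GroupId']}: ports {sorted(ports)} open to 0.0.0.0/0")
    return findings
```

Run against the samples, the checks report that eth1 still has its source/dest check on and that SSH is open to the whole internet; on a real account, feed them the output of the two `aws ec2 describe-*` commands for the Firebox instance.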

Run the Firebox Cloud Setup Wizard

After you deploy the Firebox Cloud instance, you can connect to Fireware Web UI through the public IP address to run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for Firebox Cloud.

  1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
    https://<eth0_public_IP>:8080
  2. Log in with the default Administrator account user name and passphrase:
    • User name — admin
    • Passphrase — The Firebox Cloud Instance ID

The Firebox Cloud Setup Wizard welcome page opens.

  1. Click Next.
     The setup wizard starts.
  2. Review and accept the End-User License Agreement. Click Next.
  3. Specify new passphrases for the built-in status and admin user accounts.
  4. Click Next.
     The configuration is saved to Firebox Cloud and the wizard is complete.

This is the end of Part 2. In Part 3 we will configure the IPsec route-based VPN between the Firebox instance and both a native VPC and a VMC on AWS SDDC.
