How to Back Up Your WatchGuard

Backing Up Your WatchGuard Firewall Configuration

WatchGuard firewalls (such as Firebox models) allow you to create backup images that include the full configuration file, certificates, passphrases, feature keys, and other device-specific data. This is essential before upgrades, major changes, or for recovery purposes.

Backups can be created via the Fireware Web UI, Policy Manager (part of WatchGuard System Manager or WSM), WatchGuard Cloud (for Fireware v12.5.2+), or even CLI. Automatic backups are generated during Fireware OS upgrades starting from v12.2.1.

Before carrying out a backup, it's recommended that you make sure the WatchGuard is on the latest OS update. This will help with any restore or transfer to a new device.

Below, I’ll outline the primary methods. Always note your management IP addresses and admin passphrases separately, as they may not be fully recoverable from the backup. Backups are typically saved as .backup or .xml files (sometimes zipped).

Using Fireware Web UI (Recommended for Quick, Local Backups, USB)

This is the simplest browser-based approach for locally managed Fireboxes.

  1. Open a web browser and navigate to the Firebox’s management IP address (e.g., https://<Firebox-IP>). Use HTTPS for security.
  2. Log in with your admin credentials.
  3. Go to System > Backup (in Fireware v12.3+).
  4. Select Backup or Download Backup Image.
  5. Choose a save location on your computer. The file will download automatically (often as a .zip containing the .backup file).
  6. Extract the .zip if needed to access the configuration XML inside for auditing or manual review.

For Fireware v12.2 and lower, the menu might be under System > Configuration > Backup.
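
One way to handle the downloaded archive from steps 5 and 6, given that the image holds passphrases, certificates and feature keys (an added example, not WatchGuard tooling or code from this article). The archive layout and the sample member names are assumptions, and `store_backup` and `sha256_of` are hypothetical helper names.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# File types the article says a backup download may hold.
EXPECTED_SUFFIXES = {".backup", ".xml"}


def sha256_of(path):
    """Stream the file so a large image is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def store_backup(archive, dest_dir):
    """Hash the archive, restrict permissions, extract only expected members."""
    archive, dest = Path(archive), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)      # backup holds passphrases, certificates, keys
    os.chmod(archive, 0o600)
    report = {"sha256": sha256_of(archive), "extracted": [], "skipped": []}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = Path(info.filename)
            unsafe = name.is_absolute() or ".." in name.parts
            if info.is_dir() or unsafe or name.suffix.lower() not in EXPECTED_SUFFIXES:
                report["skipped"].append(info.filename)
                continue
            # Flatten to the base name and create the file owner-only (0600).
            fd = os.open(dest / name.name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with zf.open(info) as src, os.fdopen(fd, "wb") as out:
                out.write(src.read())
            report["extracted"].append(name.name)
    return report


if __name__ == "__main__":
    # Constructed sample archive; member names are illustrative, not WatchGuard's.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "download.zip"
        with zipfile.ZipFile(sample, "w") as zf:
            zf.writestr("Firebox.backup", b"constructed image bytes")
            zf.writestr("../escape.xml", b"constructed traversal entry")
        print(store_backup(sample, Path(tmp) / "vault"))
```

Record the returned SHA-256 alongside the firmware version so the file can be checked for changes before a restore.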

The above is fine for a factory reset of a WatchGuard or a like-for-like hardware replacement. When doing this, make sure both devices are on the same OS; otherwise it won't work.

For a new device (new model), you need to get the XML file from the old WatchGuard, under the Configuration tab inside System. Unlock (padlock), then click to download the configuration file as XML. On the new machine, import the XML file from the same menu. On a reboot, make sure the WatchGuard is online. If it has a fixed IP, it may not work if you are configuring it off site. You may have to take note of the details, change it to DHCP, let it talk to the internet, and once done revert back to the fixed IP address for on-site deployment.