The cloud management function is supported by all models.
License Requirements
The cloud management function is not license-controlled.
Restrictions
If a Layer 3 device exists between the device user and FW, the FW does not support traffic statistics collection based on the device user's MAC address.
If the FW automatically connects to the cloud management platform, it cannot connect to the Internet through two links. If the FW is manually connected to the cloud management platform, it can connect to the Internet through two links.
In the plug-and-play solution, for the models that have WAN ports, the WAN ports must be used to connect to the cloud management platform. For other models that do not have WAN ports, any service port can be used to connect to the cloud management platform. In addition, in the non-plug-and-play solution, using the management interface to connect to the cloud management platform is not recommended because this may prevent some service configurations of the platform from being delivered. For details about the models that have WAN ports, see Network > Interfaces > Overview of Interfaces > Supported Interface Types in Configuration Guide.
The uplink interface and heartbeat interface of the FW cannot be configured as logical interfaces such as Eth-Trunk. Otherwise, the cloud platform deletes the interface configurations during interconnection.
Precautions
Enabling or disabling cloud management mode may cause the FW to clear configurations and restart. Before enabling or disabling cloud management mode, back up the profile.
After the operating mode is changed to cloud management, the FW changes as follows:
A cloud administrator role is added to the FW. Compared with the system administrator, this role has restricted permissions and is used only for basic network configurations, monitoring and diagnosis, and administrator configuration.
The locally changed password is valid only before the device connects to the cloud management platform. After the device successfully connects to the platform, the platform delivers an administrator password that overwrites the locally configured one. The password delivered by the platform is permanently valid. It is the changed password of the platform device administrator; if that password has not been changed, the platform delivers a random password. For details, see the device management and maintenance section in the solution product documentation.
The alarm threshold of memory usage is adjusted to 85%.
In cloud management mode, the service functions supported by the firewall are determined by the controller and are more limited than those in traditional mode. For details, see the configuration UI of the controller.
In cloud management scenarios, after the FW is managed by the Agile Controller-Campus, all configurations are delivered by the Agile Controller-Campus to the FW through the NETCONF API. To avoid configuration inconsistency between the FW and Agile Controller-Campus, the CLI and web configuration windows of the firewall provide only some network connectivity commands/operations and mandatory configuration commands/operations that cannot be delivered through the cloud platform. In addition, the web UI does not provide the CLI console.
The function of changing the password of the administrator (manager-user password-modify enable) is disabled.
In cloud management scenarios, when the controller is used to upgrade the FW, the software package needs to be stored in the CF card. If a large number of logs are stored in the CF card, the space becomes insufficient and the software package cannot be stored. When the CF space is insufficient, the controller delivers a log deletion command. At the controller's request, the FW deletes logs, starting with the earliest, until the free space in the CF card is enough for the system software package. The deleted logs can no longer be viewed in the CF card path of the FW. If the device has a hard disk, you can view the logs in Monitor > Log.
Except for the configuration for interworking with the cloud platform, which must be performed manually on the firewall, all other service configurations must be delivered by the cloud platform.