FAQ

Some of the most frequently asked questions about the Firezone product and service.

General

What is Firezone?

Firezone lets organizations manage secure remote access to their most sensitive Resources. We’re an open source zero trust network access (ZTNA) solution that’s built on WireGuard®, a modern protocol that’s up to 4-6x faster than OpenVPN.

What is zero trust network access?

Zero trust network access (ZTNA) starts with the premise that users who want to access a resource on a network are untrusted. This means that any attempt to access a resource must be denied until a user 1) verifies their identity (authentication), and 2) the platform confirms that the user is allowed to access the resource (authorization).

How is Firezone different from a VPN?

While Firezone is built on WireGuard®, a VPN protocol, it differs from a traditional VPN by providing access controls that authenticate users and verify access before providing access to a specific resource. Traditional VPNs usually give users access to the entire network, and do not distinguish between different resources or access requests.

How does Firezone work?

For a complete description of how Firezone works, our architecture, and how it can help you manage access to infrastructure or shared services, check out our repository.

Where does Firezone run?

Firezone runs on your own infrastructure in just about any public, private, or cloud network. Most of our customers use Firezone to access resources in public cloud providers like AWS, Azure, Google Cloud Platform, and Digital Ocean, or on-premise networks. Because Firezone operates at layer 3 of the networking stack, it supports all application protocols without modification.

Deploying Firezone

How long does it take to set up Firezone?

Firezone can be set up in less than 10 minutes, and Gateways can be added by running a simple Docker command. Visit our docs for more information and step by step instructions.

Do I have to be technical to run Firezone?

No, deploying Firezone doesn’t require any specialized networking expertise. If you know how to run a Docker container or Linux-based VM in your network, then you should be able to deploy Firezone (check out the Quickstart Guide for step-by-step instructions).

Do I need to make any changes to my infra to run Firezone?

No. While Firezone can be deployed as you build out a network, it’s also an overlay network that can provide fine-grained access control to resources in an existing network. All you need to start giving users secure access to resources in a network, is to install a Firezone Gateway on a server or VM in that network. Gateways can also be deployed at scale using Terraform.

Do I need to disable my VPN to use Firezone?

No, you can run Firezone alongside your existing VPN, and switch over whenever you’re ready. There’s no need for any downtime or unnecessary disruptions.

Can I self-host Firezone?

Firezone uses a split control plane and data plane architecture to allow for things like key distribution, user authentication, and policy enforcement to happen out-of-band with the hot data paths. The data plane components such as the Clients and Gateway are specifically designed to be self-hosted, but the control plane, due to its complexity, security, and persistence requirements, is not.

That said, Firezone's product is 100% open source and can be found at our main repository. Our license does not prevent self-hosters from using the product as they see fit.

How do I get Firezone on an end-user device?

Users can install the Firezone Client here. After installing the Client, users simply need to enter their account ID and sign in using their email or SSO to start accessing the Resources that you (an Admin) has given them permission to access in the Firezone admin portal.

Can Firezone connect to my identity provider (IdP)?

Yes. Firezone integrates with any OIDC-compatible identity provider, including Google Workspace, Azure AD, Okta, and OneLogin. Firezone does not store or handle end-user credentials like passwords.

Where should I run my Gateway(s)?

Gateways are released as self-contained binaries for Linux that we package as a Docker image or Systemd unit, which you can run on any Linux-based server or VM (e.g. on AWS, GCP, Azure, or on-premise). You only need a single Gateway in each Site to provide secure remote access to Resources associated with that Site. However, we recommend deploying two or more Gateways for load-balancing and automatic failover.

What is a service account?

Service accounts facilitate secure connections from a server, VM or container to a Resource. Because service accounts do not involve a user, they can’t fulfill 2FA requirements, and use the Firezone Client in a non-interactive way (headless mode).

Performance

Does all my traffic go through Firezone?

Network traffic is always end-to-end encrypted, and by default, routes directly to Gateways running on your infrastructure. In rare circumstances, encrypted traffic can pass through our global relay network if a direct connection cannot be established. Firezone can never decrypt the contents of your traffic.

Can Firezone support more traffic as my company scales up?

Scaling Firezone to support your rapidly growing organization is as simple as powering up or deploying additional Gateway servers, or leveraging the Firezone API and Terraform to programmatically scale up with your network.

What protocol does Firezone use to encrypt traffic?

Firezone uses WireGuard® to encrypt all data plane traffic and TLS to encrypt all control plane traffic.

What happens if I add the same Resource to more than one Site?

The Firezone Client will automatically select the nearest Gateway, and route traffic to/from that Resource.

What happens if Firezone goes offline?

You will not be able to access the Firezone Admin Console, or make changes to your account via the API. Existing connections should remain active for approximately 5 minutes before being disconnected.

Users

How do end users get Firezone?

Windows and Linux users can download the Client from here. MacOS, iOS, iPadOS, Android, and ChromeOS users can download the Client from their device’s app store.

Do users need to interact with the Firezone Client?

The Firezone Client is designed to be unobtrusive, and once a user signs in with their credentials, it should run in the background without the need for additional interaction. Users may find it helpful to click on the Firezone app to see a list of available resources, but the app is always on and doesn’t need to be toggled. Always-on split tunneling means that accessing anything other than Firezone resources should be unaffected when using Firezone.

Admins

How can I limit access to resources?

Firezone lets admins set access control using a combination of Policies and User Groups. This means that admins can establish role-based, or any other logical group at a fine-grained Resource level.

Billing

How do you charge for Firezone?

Firezone charges per seat — visit our pricing page for more information. Accounts are billed when they start service, or at the beginning of each billing cycle. Enterprise plans are billed quarterly or annually, and can be paid via credit card, ACH, or wire transfer. Firezone does not require a credit card to get started.

To cancel or change plans, contact support@firezone.dev.

Security

What firewall ports do I have to open to use Firezone?

None. The Firezone control plane propagates connection information like public keys across your network, so Gateways and Resources don’t need to listen for inbound connections from the public internet. This means that your network remains inaccessible from the internet, with no visible entry points.

How can I be sure Firezone is secure?

Firezone helps improve organizations’ cybersecurity posture by offering a modern approach to securing access to sensitive resources in their private network.

Read our security disclosure policy


Need additional help?

Try asking on one of our community-powered support channels:

Or try searching the docs: