Step 0
Prerequisites
Before you start, gather the items below. Missing any of these will turn a 45-minute job into a half-day call to the ISP.
Hardware
- An A1Firewall appliance — any model from the HCL. The S100 (home/branch), B500 (business), E1000 (enterprise), and DC2000 (datacenter) all run identical firmware.
- A laptop with an Ethernet port (or a USB-Ethernet adapter) and a modern browser (Chrome 110+, Firefox 110+, Safari 16+, Edge 110+).
- One straight Ethernet cable (Cat5e or better, ≥ 1 m). The appliance ships with one but keep a spare.
- WAN handoff from your ISP — a working Internet drop on either an RJ45 or SFP+ port.
Information
- Your A1-Soft license key (delivered by email at checkout — looks like
A1FW-XXXX-XXXX-XXXX-XXXX).
- WAN credentials from your ISP: PPPoE username/password (DSL/fibre), static IP + gateway + netmask + DNS, or just "DHCP" if it's a plug-and-play handoff.
- A LAN IP plan — at minimum, decide which
/24 the firewall LAN will own (e.g., 10.10.10.0/24). Default is 192.168.1.0/24 but reusing it on a network where another device already owns it will silently break things.
- Timezone & NTP server (defaults are fine —
pool.ntp.org for global, time.aramco.com for Aramco supply chain customers, time.windows.com for AD-joined sites).
Optional but recommended
- A monitor with HDMI and a USB keyboard — for emergency console access if SSH/HTTPS is ever locked out.
- An IPMI/BMC cable if your appliance has out-of-band management (B500 and up).
- A UPS with at least 15 minutes of runtime — protects against unclean shutdowns that can corrupt the ZFS pool.
Before you continue: verify your laptop's Ethernet adapter is set to DHCP, not a static IP. Most "I can't reach the firewall" tickets are a static IP on the laptop in a different subnet from 192.168.1.1.
Step 1
Unbox & rack
Two minutes if you're rack-mounting, ten if you're going on a desk. The appliance is shipped with the rails attached.
1.1 Cabling
Looking at the rear of the appliance from left to right:
┌───────────────────────────────────────────────────────────────────────┐
│ [POWER] [USB×2] [VGA] [MGMT] [WAN1] [WAN2] [LAN1..LAN8] │
│ AC IN console out 1 GbE ──── WAN side ──── LAN side │
│ (only on B500+) │
└───────────────────────────────────────────────────────────────────────┘
- Power. Plug AC into the leftmost socket. Do not power on yet.
- WAN. ISP handoff into
WAN1 (the leftmost network port labelled WAN, blue ring on the front).
- LAN. Patch
LAN1 into your existing LAN switch (or directly into your laptop for the first run).
- Management. If you want a separate management network (recommended in datacenters), patch the
MGMT port into that switch.
Port labels are not arbitrary. The factory bootstrap config assigns WAN* as untrusted and LAN* as trusted with default-deny between them. Plugging WAN into a LAN port will leave you unable to dial out until you fix it in the wizard — so just match the labels.
1.2 Power-on
Press the front-panel power button. Boot takes ~90 seconds. Status LEDs progress through:
| LED | State | Meaning |
| PWR | Solid green | Power good |
| HDD | Flashing | Boot in progress (kernel → init → services) |
| HDD | Off | Boot complete |
| STATUS | Amber | Booting / no license |
| STATUS | Green | Healthy, license valid |
| STATUS | Red | Hardware fault — see troubleshooting |
| WAN1 / LAN* | Link/activity | Standard Ethernet link indication |
If the status LED is still red after 3 minutes, attach a monitor + keyboard and check the console for kernel panics. Most often it's a misseated DIMM or a failed boot drive.
Step 2
First login
Reach the management UI from a laptop on the LAN side.
Connect your laptop
- Patch your laptop's Ethernet into
LAN1.
- Wait ~15 seconds for DHCP to issue an address (the firewall runs DHCP on LAN by default in the bootstrap config).
- Confirm you got an address in
192.168.1.0/24:
laptop ~ %
# macOS / Linux
ifconfig | grep "inet "
# Windows (PowerShell)
ipconfig | findstr IPv4
You should see something like 192.168.1.100. If you instead see a 169.254.x.x (link-local) address, DHCP didn't work — see troubleshooting.
Open the UI
In your browser, go to:
URLhttps://192.168.1.1
You will see a TLS warning because the appliance ships with a self-signed certificate. Click Advanced → Proceed (Chrome/Edge) or Accept the Risk and Continue (Firefox). We replace this certificate in step 8.
Default credentials
| Field | Value |
| Username | admin |
| Password | a1firewall |
Change this immediately. The default password is well-known and the first thing every scanner tries. Don't even leave the wizard before doing 2.1 below.
2.1 Change the admin password
- Click your avatar (top-right) → Profile.
- Set a new password — minimum 14 characters, mixed case + digit + symbol. The password meter must read Strong or you can't save.
- Save. You are logged out and asked to re-authenticate. Use the new password.
Or via CLI (if you've already connected over SSH on management):
a1ctla1ctl users password admin --interactive
Step 3
Setup wizard
The wizard runs automatically on first login. It collects the bare minimum to make the appliance functional and is exited safely on every step.
Page 1 — General
| Field | Type | Required | Notes |
| Hostname | string | Required | Pick something descriptive — fw-hq-01, not firewall. Becomes part of cert subject + reports. |
| Domain | string | Required | Your DNS suffix — example.com. Used to build the FQDN. |
| Timezone | tz | Required | Auto-detected via geolocation; verify before saving. |
| Primary language | en/ar | Required | Drives the UI default. Each user can override. |
| NTP server | host | Default | Default pool.ntp.org. Override for AD-joined sites. |
| Admin email | email | Required | Receives critical alerts (license expiry, hardware faults, IDS detonation). |
Page 2 — Network
The wizard auto-detects WAN connectivity. For each WAN port that has link, you'll see one of three modes:
- DHCP — most home/business handoffs. No further input needed.
- PPPoE — most DSL/fibre handoffs. You need the username/password from your ISP.
- Static — datacenter / business-class handoffs. You need IP, mask, gateway, and ≥ 1 DNS server.
For LAN, decide:
- The LAN subnet. Defaults to
192.168.1.0/24. Change this if you have other equipment using that range — VPN routes, RFC-1918 collisions, and traceroutes all become painful otherwise.
- Whether to run DHCP on LAN (yes by default, range
192.168.1.50 – 192.168.1.250).
- Whether to run a recursive DNS resolver on LAN (yes by default — Unbound with DNSSEC, listening on
192.168.1.1:53).
Page 3 — Security baseline
Pick one of three baselines. You can refine afterwards — these are starting points.
| Baseline | For whom | What it does |
| Standard | SMB, branches | Default-deny inbound, allow LAN→WAN, IPS on, web filter for malware/phishing. |
| Strict | Banks, healthcare | + TLS inspection, geo-blocks, deep DNS filter, mandatory MFA on UI. |
| Open | Labs, QA | NAT only, no IDS, no filter — for environments where you actively don't want filtering. |
Most production deployments pick Standard and tighten from there.
Step 4
WAN configuration
After the wizard, fine-tune your WAN settings. If you have one ISP, you're done — skip to step 5. If you have two or more, do the bonding section below.
Verify primary WAN
Open Status → Interfaces → WAN1. You should see:
- State: up, link 1Gbps full duplex (or whatever your ISP gave you).
- An IPv4 address.
- A default gateway.
- Outbound ping working (the page shows a green tick next to Connectivity).
From the CLI:
a1ctl$ a1ctl wan status
Interface Mode IPv4 Gateway Link Conn
wan1 DHCP 41.235.122.18 41.235.122.1 UP OK
wan2 --- --- --- DOWN ---
wan3 --- --- --- DOWN ---
wan4 --- --- --- DOWN ---
4.1 Multi-WAN bonding
If you patched WAN2 (and beyond) into additional ISPs, configure the gateway group:
-
Create a gateway group
Network → Multi-WAN → Gateway Groups → New.
-
Pick a mode
- Failover: WAN1 active, WAN2 standby. Cuts over within 2 seconds when WAN1 fails monitoring.
- Load balance: round-robin per flow across all UP gateways.
- Weighted: send N% of flows to each gateway based on a ratio (useful for "ISP-A is 100 Mbps, ISP-B is 25 Mbps" handoffs).
-
Configure monitoring
Each gateway should monitor a remote IP via ICMP. Defaults are good (8.8.8.8, 1.1.1.1) but if your ISP blocks ICMP, switch to TCP probe to 1.1.1.1:443.
-
Set the LAN→WAN rule to use the group
In Firewall → Rules → LAN, edit the default outbound rule. In Advanced → Gateway, pick your new group. Save and apply.
Verify:
a1ctl$ a1ctl wan group show MAIN
Group MAIN (mode: failover)
wan1 tier 1 weight 1 monitor 8.8.8.8 UP avg 18ms loss 0%
wan2 tier 2 weight 1 monitor 1.1.1.1 UP avg 24ms loss 0%
Active flows: 1,247 via wan1 (tier 1)
Tip: Force a failover for testing without touching the cable: a1ctl wan force-down wan1 --duration 30s. After 30 seconds it returns to normal.
Step 5
Activate your license
Until you activate, the appliance runs in 14-day evaluation mode. After 14 days without activation, it goes into read-only "sustain" mode (existing rules keep working but you can't change them).
Online activation (the 99% case)
- System → License.
- Paste the key from your A1-Soft order email into the field.
- Click Activate. The appliance contacts
license.a1-soft.com over HTTPS, exchanges a hardware fingerprint, and receives a signed certificate.
- Within 5 seconds, the page refreshes showing your tier, expiry, and entitled features.
From CLI:
a1ctla1ctl license activate --key A1FW-XXXX-XXXX-XXXX-XXXX
a1ctl license show
Offline activation (air-gapped sites)
- From the appliance:
a1ctl license fingerprint > fw.fp. Copy this 32-byte file out via USB.
- From an Internet-connected machine, upload the fingerprint to a1-soft.com/license/offline, paste your key, get back a signed certificate file (
fw.cert).
- Carry
fw.cert back to the appliance: a1ctl license install fw.cert.
What if my license is wrong? If the activation succeeds but the wrong tier shows up (e.g., "Home" instead of "Business"), don't reactivate — contact support with your order number. Reactivating ties the key to the current hardware fingerprint, which complicates returns.
Step 6
Apply your first policy
A "policy" here is the bundle of firewall rules + NAT + web filter + IPS settings that govern what your network can and cannot do. You have two paths.
6.1 Use a bundled template (fastest)
Templates are curated configurations battle-tested in real deployments. Pick one and tweak.
| Template | Best for | What you get |
| Office | SMB, professional services | NAT, default-deny inbound, allow LAN→WAN, IPS on, malware/phishing filter, QoS profile for VoIP |
| Clinic | Healthcare | + HIPAA-aligned logging, segmented IoT VLAN for medical devices, no social media on staff network |
| School | Schools, training | + student VLAN with strict content filter (CIPA), staff VLAN with light filter, time-of-day rules |
| Hotel | Hospitality | + guest VLAN with captive portal, bandwidth caps per device, isolation between guest devices |
| Retail | Stores, branches | + POS VLAN locked to payment processor only, back-office VLAN with full Internet, public Wi-Fi guest VLAN |
| Datacenter | Servers, hosting | + DMZ subnet, default-deny everywhere, explicit pinholes per service, DDoS rate-limits |
Apply a template
- Firewall → Templates.
- Click the template that matches you. The right pane shows a preview of every rule, NAT entry, and filter that will be created.
- Click Apply. The system creates a backup of your current config (named
pre-template-YYYYMMDD-HHMMSS) before applying — so you can always roll back.
- Wait for the green "Applied" banner. New rules are live immediately.
From CLI (handy for repeatable demos):
a1ctla1ctl templates list
a1ctl templates apply office --confirm
a1ctl rules list
6.2 Build from scratch
If templates don't fit, the building blocks are:
-
Create your zones (VLANs)
Network → VLANs. Create one VLAN per security boundary — e.g., VLAN 10 staff, VLAN 20 guests, VLAN 30 CCTV. Tag your switch ports accordingly.
-
Create your aliases
Firewall → Aliases. Aliases are reusable names — OFFICE_HOURS (Mon–Fri 09:00–18:00), SOCIAL_NETS (a list of FQDNs), EXEC_LAPTOPS (a list of MACs). Use aliases everywhere; never hardcode IPs in rules.
-
Write firewall rules
Firewall → Rules → [interface]. Order matters — rules are evaluated top-to-bottom, first match wins. Best practice: deny rules near the top, allow rules below.
Example: block YouTube during work hours from staff VLAN:
YAML- action: block
interface: vlan10_staff
source: VLAN10_NET
destination: alias=YOUTUBE_DOMAINS
schedule: alias=OFFICE_HOURS
log: yes
description: "No YouTube during work hours"
-
Apply & verify
Click Apply changes. The page shows a diff of the running config vs. the candidate. Review carefully — especially deny rules above existing allow rules. Once applied, generate test traffic and watch Status → Live → Filter log to confirm rules are matching as expected.
Step 7
Verify traffic flow
Three quick checks before you walk away.
7.1 Outbound DNS & HTTP
From a LAN client:
bashnslookup a1-soft.com
curl -I https://a1-soft.com
Both should succeed. If DNS fails, check Unbound is running (a1ctl service status unbound). If HTTP fails, check the LAN→WAN rule is applied.
7.2 Inbound default-deny
From an external host (e.g., your phone on cellular):
bashnmap -p 22,80,443 <your_wan_ip>
All three ports should be filtered (no response). If any port returns "open", you've accidentally exposed it — review NAT and inbound rules now.
7.3 IPS detonation
Trigger a known-bad pattern to confirm IPS is alerting:
bashcurl http://testmyids.com/
Within 2 seconds, Security → IDS → Alerts should show one alert from rule 2100498 — GPL ATTACK_RESPONSE id check returned root. If no alert appears, IPS is misconfigured.
Step 8
Harden the box
The defaults are reasonable; these three changes turn them into production-grade.
8.1 Enable MFA on admin accounts
- System → Access → Users → click your admin user → Authentication factor: TOTP.
- Scan the QR code with Google Authenticator, 1Password, Authy, or any TOTP app.
- Type the 6-digit code to confirm.
- Save. Log out and log back in with: password + the 6-digit code.
To enforce MFA for every admin user (recommended):
a1ctla1ctl auth policy set --require-mfa --role admin
8.2 Auto updates
System → Updates → Settings:
- Channel: Stable for production, Edge only for labs.
- Auto-install: Security patches only (default — safe). Feature updates require manual approval.
- Window: pick a 4-hour window during your lowest-traffic period (e.g., 02:00–06:00 local). Updates that need a reboot are scheduled in this window only.
8.3 Configuration backups
Backups are automatic (every 24h, last 30 kept locally). Add an off-box destination:
a1ctl# Backup to your S3-compatible bucket
a1ctl backup destination add s3 \
--endpoint https://s3.eu-west-1.amazonaws.com \
--bucket fw-backups \
--access-key AKIA... \
--secret-key ... \
--encrypt-with-key A1FW-MASTER-KEY
# Or to a local NFS share
a1ctl backup destination add nfs \
--host backup.example.com \
--path /mnt/firewall-backups
Then schedule:
a1ctla1ctl backup schedule set daily 03:00 --retain 30
a1ctl backup run --now # take one immediately to verify the destination
Step 9
Monitoring & alerts
Three monitoring layers, all bundled.
9.1 Live dashboards
Dashboard shows real-time bandwidth, top talkers, top destinations, and current threat events. Refresh rate is 1 second via WebSocket — no polling.
9.2 Email alerts
System → Notifications → Email. Configure SMTP (TLS-only). Pick which alert classes go to email:
- Critical always — license expiry, hardware faults, IPS detonations on critical signatures.
- Warning recommended — WAN failover events, disk > 80%, certificate < 30 days from expiry.
- Info only if you ingest into a SIEM, otherwise too noisy.
9.3 SIEM integration
Stream every event in real time to your SIEM:
a1ctl# Wazuh
a1ctl siem connect wazuh --manager wazuh.example.com --auth-key ...
# Splunk (HEC)
a1ctl siem connect splunk --hec-url https://splunk:8088 --token ...
# Generic syslog (RFC 5424)
a1ctl siem connect syslog --host siem.example.com --port 6514 --tls --format cef
Verify events are flowing:
a1ctla1ctl siem status
# Last event sent: 2026-05-08T12:34:56Z (3s ago)
# Queue depth: 0
# Errors (1h): 0
Step 10
What's next
You have a healthy, hardened, monitored A1Firewall in production. Pick the next chapter:
Reference
Troubleshooting
The 12 most common quick-start blockers, sorted by frequency.
Can't reach https://192.168.1.1
- Confirm your laptop has a
192.168.1.x address. If it has 169.254.x.x, DHCP isn't working — check the cable into LAN1 (not WAN1) and try ipconfig /release && ipconfig /renew.
- If you have an address but the page won't load, try
http://192.168.1.1 (without TLS). If that works, your browser is rejecting the self-signed cert — accept the warning explicitly.
- If neither works, fall back to console: monitor + keyboard, login as
root, run a1ctl recover network. This re-applies the bootstrap network config.
WAN is "down" but the cable is in
a1ctl wan status — does the OS see link?
- If the link LED on the rear is dark, suspect the patch cable — swap it for a known-good one.
- If the link is up but no IP, your ISP is using PPPoE or static — but the wizard guessed DHCP. Re-run the WAN section of the wizard.
- If the IP is there but no Internet, the gateway monitor target (
8.8.8.8 by default) might be ICMP-blocked by your ISP. Switch monitoring to 1.1.1.1:443/tcp.
License activation fails
- Verify the appliance can reach
license.a1-soft.com: curl -v https://license.a1-soft.com/health.
- Check system clock — > 5 min skew rejects the TLS handshake. Force a sync:
a1ctl service restart ntpd.
- If your network blocks outbound to license.a1-soft.com, allow-list
license.a1-soft.com:443 on whatever upstream filter is in the way, or use offline activation.
I forgot the admin password
Console (monitor + keyboard), login as root (the rescue account, password is the initial license key suffix shown on the boot banner). Then:
a1ctla1ctl users password admin --interactive
If you also lost root: physical access + boot into single-user mode from the loader prompt (press 2 within 3 seconds at boot), then run passwd admin.
Browser shows "Connection reset" after login
Almost always a firewalled session — the WebSocket port (TCP 18090) is blocked between your laptop and the appliance. Add an exception, or fall back to HTTP polling: System → Settings → Realtime → Polling.
Stuck on something not in this list? Capture
a1ctl support-bundle and email it to
support@a1-soft.com — it includes config, logs, and system state, with secrets redacted. Average first-response time is 2 business hours.