
Quick Start Guide

Unbox to first traffic in under 45 minutes. Every step, every command, every troubleshooting tip — with no shortcuts skipped.

📖 ~15 min read · ⏱ ~45 min hands-on · 🛠 Skill: Network admin / IT · 🔄 Last updated: 2026-05

Step 0

Prerequisites

Before you start, gather the items below. Missing any of these will turn a 45-minute job into a half-day call to the ISP.

Hardware

  • An A1Firewall appliance — any model from the HCL. The S100 (home/branch), B500 (business), E1000 (enterprise), and DC2000 (datacenter) all run identical firmware.
  • A laptop with an Ethernet port (or a USB-Ethernet adapter) and a modern browser (Chrome 110+, Firefox 110+, Safari 16+, Edge 110+).
  • One straight Ethernet cable (Cat5e or better, ≥ 1 m). The appliance ships with one but keep a spare.
  • WAN handoff from your ISP — a working Internet drop on either an RJ45 or SFP+ port.

Information

  • Your A1-Soft license key (delivered by email at checkout — looks like A1FW-XXXX-XXXX-XXXX-XXXX).
  • WAN credentials from your ISP: PPPoE username/password (DSL/fibre), static IP + gateway + netmask + DNS, or just "DHCP" if it's a plug-and-play handoff.
  • A LAN IP plan — at minimum, decide which /24 the firewall LAN will own (e.g., 10.10.10.0/24). The default is 192.168.1.0/24, but reusing it on a network where another device already owns that range will silently break things.
  • Timezone & NTP server (defaults are fine — pool.ntp.org for global, time.aramco.com for Aramco supply chain customers, time.windows.com for AD-joined sites).

Optional but recommended

  • A monitor with HDMI and a USB keyboard — for emergency console access if SSH/HTTPS is ever locked out.
  • An IPMI/BMC cable if your appliance has out-of-band management (B500 and up).
  • A UPS with at least 15 minutes of runtime — protects against unclean shutdowns that can corrupt the ZFS pool.

Before you continue: verify your laptop's Ethernet adapter is set to DHCP, not a static IP. Most "I can't reach the firewall" tickets are a static IP on the laptop in a different subnet from 192.168.1.1.

Step 1

Unbox & rack

Two minutes if you're rack-mounting, ten if you're going on a desk. The appliance is shipped with the rails attached.

1.1 Cabling

Looking at the rear of the appliance from left to right:

```
┌──────────────────────────────────────────────────────────────────────────┐
│ [POWER] [USB×2] [VGA]        [MGMT]          [WAN1] [WAN2]  [LAN1..LAN8] │
│  AC IN          console out  1 GbE           ──── WAN side ──── LAN side │
│                              (only on B500+)                             │
└──────────────────────────────────────────────────────────────────────────┘
```

  1. Power. Plug AC into the leftmost socket. Do not power on yet.
  2. WAN. ISP handoff into WAN1 (the leftmost network port labelled WAN, blue ring on the front).
  3. LAN. Patch LAN1 into your existing LAN switch (or directly into your laptop for the first run).
  4. Management. If you want a separate management network (recommended in datacenters), patch the MGMT port into that switch.

Port labels are not arbitrary. The factory bootstrap config assigns WAN* as untrusted and LAN* as trusted with default-deny between them. Plugging WAN into a LAN port will leave you unable to dial out until you fix it in the wizard — so just match the labels.

1.2 Power-on

Press the front-panel power button. Boot takes ~90 seconds. Status LEDs progress through:

| LED | State | Meaning |
|---|---|---|
| PWR | Solid green | Power good |
| HDD | Flashing | Boot in progress (kernel → init → services) |
| HDD | Off | Boot complete |
| STATUS | Amber | Booting / no license |
| STATUS | Green | Healthy, license valid |
| STATUS | Red | Hardware fault — see troubleshooting |
| WAN1 / LAN* | Link/activity | Standard Ethernet link indication |

If the status LED is still red after 3 minutes, attach a monitor + keyboard and check the console for kernel panics. Most often it's a misseated DIMM or a failed boot drive.

Step 2

First login

Reach the management UI from a laptop on the LAN side.

Connect your laptop

  1. Patch your laptop's Ethernet into LAN1.
  2. Wait ~15 seconds for DHCP to issue an address (the firewall runs DHCP on LAN by default in the bootstrap config).
  3. Confirm you got an address in 192.168.1.0/24:

```
# macOS / Linux
ifconfig | grep "inet "

# Windows (PowerShell)
ipconfig | findstr IPv4
```

You should see something like 192.168.1.100. If you instead see a 169.254.x.x (link-local) address, DHCP didn't work — see troubleshooting.

Open the UI

In your browser, go to:

https://192.168.1.1

You will see a TLS warning because the appliance ships with a self-signed certificate. Click Advanced → Proceed (Chrome/Edge) or Accept the Risk and Continue (Firefox). We replace this certificate in step 8.

Default credentials

| Field | Value |
|---|---|
| Username | admin |
| Password | a1firewall |

Change this immediately. The default password is well-known and the first thing every scanner tries. Don't even leave the wizard before doing 2.1 below.

2.1 Change the admin password

  1. Click your avatar (top-right) → Profile.
  2. Set a new password — minimum 14 characters, mixed case + digit + symbol. The password meter must read Strong or you can't save.
  3. Save. You are logged out and asked to re-authenticate. Use the new password.

Or via CLI (if you've already connected over SSH on the management port):

```sh
a1ctl users password admin --interactive
```

Step 3

Setup wizard

The wizard runs automatically on first login. It collects the bare minimum needed to make the appliance functional, and it can be exited safely at any step.

Page 1 — General

| Field | Type | Required | Notes |
|---|---|---|---|
| Hostname | string | Required | Pick something descriptive — fw-hq-01, not firewall. Becomes part of the cert subject and reports. |
| Domain | string | Required | Your DNS suffix — example.com. Used to build the FQDN. |
| Timezone | tz | Required | Auto-detected via geolocation; verify before saving. |
| Primary language | en/ar | Required | Drives the UI default. Each user can override. |
| NTP server | host | Default | Default pool.ntp.org. Override for AD-joined sites. |
| Admin email | email | Required | Receives critical alerts (license expiry, hardware faults, IDS detonation). |

Page 2 — Network

The wizard auto-detects WAN connectivity. For each WAN port that has link, you'll see one of three modes:

  • DHCP — most home/business handoffs. No further input needed.
  • PPPoE — most DSL/fibre handoffs. You need the username/password from your ISP.
  • Static — datacenter / business-class handoffs. You need IP, mask, gateway, and ≥ 1 DNS server.

For LAN, decide:

  • The LAN subnet. Defaults to 192.168.1.0/24. Change this if you have other equipment using that range — VPN routes, RFC-1918 collisions, and traceroutes all become painful otherwise.
  • Whether to run DHCP on LAN (yes by default, range 192.168.1.50 – 192.168.1.250).
  • Whether to run a recursive DNS resolver on LAN (yes by default — Unbound with DNSSEC, listening on 192.168.1.1:53).

Page 3 — Security baseline

Pick one of three baselines. These are starting points; you can refine them afterwards.

| Baseline | For whom | What it does |
|---|---|---|
| Standard | SMB, branches | Default-deny inbound, allow LAN→WAN, IPS on, web filter for malware/phishing. |
| Strict | Banks, healthcare | + TLS inspection, geo-blocks, deep DNS filter, mandatory MFA on UI. |
| Open | Labs, QA | NAT only, no IDS, no filter — for environments where you actively don't want filtering. |

Most production deployments pick Standard and tighten from there.

Step 4

WAN configuration

After the wizard, fine-tune your WAN settings. If you have one ISP, you're done β€” skip to step 5. If you have two or more, do the bonding section below.

Verify primary WAN

Open Status → Interfaces → WAN1. You should see:

  • State: up, link 1Gbps full duplex (or whatever your ISP gave you).
  • An IPv4 address.
  • A default gateway.
  • Outbound ping working (the page shows a green tick next to Connectivity).

From the CLI:

```
$ a1ctl wan status

Interface   Mode    IPv4              Gateway          Link    Conn
wan1        DHCP    41.235.122.18     41.235.122.1     UP      OK
wan2        ---     ---               ---              DOWN    ---
wan3        ---     ---               ---              DOWN    ---
wan4        ---     ---               ---              DOWN    ---
```

4.1 Multi-WAN bonding

If you patched WAN2 (and beyond) into additional ISPs, configure the gateway group:

  1. Create a gateway group

    Network → Multi-WAN → Gateway Groups → New.

  2. Pick a mode

    • Failover: WAN1 active, WAN2 standby. Cuts over within 2 seconds when WAN1 fails monitoring.
    • Load balance: round-robin per flow across all UP gateways.
    • Weighted: send N% of flows to each gateway based on a ratio (useful for "ISP-A is 100 Mbps, ISP-B is 25 Mbps" handoffs).
  3. Configure monitoring

    Each gateway should monitor a remote IP via ICMP. The defaults are good (8.8.8.8, 1.1.1.1), but if your ISP blocks ICMP, switch to a TCP probe to 1.1.1.1:443.

  4. Set the LAN→WAN rule to use the group

    In Firewall → Rules → LAN, edit the default outbound rule. In Advanced → Gateway, pick your new group. Save and apply.

Verify:

```
$ a1ctl wan group show MAIN

Group MAIN (mode: failover)
  wan1   tier 1   weight 1   monitor 8.8.8.8     UP    avg 18ms   loss 0%
  wan2   tier 2   weight 1   monitor 1.1.1.1     UP    avg 24ms   loss 0%

Active flows: 1,247  via wan1 (tier 1)
```

Tip: Force a failover for testing without touching the cable: a1ctl wan force-down wan1 --duration 30s. After 30 seconds it returns to normal.

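
As an added illustration of the gateway-group semantics above (not A1-Soft's own code), this Python models tier-based failover and weighted per-flow distribution over constructed probe samples. The 20% loss threshold and the slot-based weighting are assumptions; the page gives only the observable status fields (tier, weight, monitor, avg, loss).

```python
"""Gateway-group health and selection in the style of `a1ctl wan group show`.
Added example, not A1-Soft's code: probe samples, the 20% loss threshold and
the per-flow weighting scheme are constructed assumptions for this example."""
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Gateway:
    name: str
    tier: int          # failover: lowest tier among UP gateways is active
    weight: int        # weighted mode: share of flows
    monitor: str       # probe target, e.g. 8.8.8.8 (ICMP) or 1.1.1.1:443 (TCP)
    samples: list = field(default_factory=list)  # RTT in ms per probe; None = lost

    def loss_pct(self):
        return 100 * sum(s is None for s in self.samples) // max(len(self.samples), 1)

    def avg_ms(self):
        good = [s for s in self.samples if s is not None]
        return round(mean(good)) if good else None

    def state(self, max_loss_pct=20):
        """UP while loss over the probe window stays below the threshold (constructed rule)."""
        return "UP" if self.samples and self.loss_pct() < max_loss_pct else "DOWN"

def active_failover(group):
    """Failover mode: all flows use the lowest-tier UP gateway; None means no path at all."""
    up = [g for g in group if g.state() == "UP"]
    return min(up, key=lambda g: g.tier).name if up else None

def pick_weighted(group, flow_id):
    """Weighted mode: map each flow into weight-proportional slots across UP gateways.
    With equal weights this degenerates to the page's per-flow round-robin."""
    up = sorted((g for g in group if g.state() == "UP"), key=lambda g: g.tier)
    total = sum(g.weight for g in up)
    if total == 0:
        return None
    slot = flow_id % total
    for g in up:
        if slot < g.weight:
            return g.name
        slot -= g.weight

def render(name, mode, group):
    """Mimic the status table shown by `a1ctl wan group show`."""
    lines = [f"Group {name} (mode: {mode})"]
    for g in group:
        avg = f"{g.avg_ms()}ms" if g.avg_ms() is not None else "---"
        lines.append(f"  {g.name}   tier {g.tier}   weight {g.weight}   monitor {g.monitor:<12} "
                     f"{g.state():<5} avg {avg:<6} loss {g.loss_pct()}%")
    return "\n".join(lines)

def demo():
    """wan1 healthy, then failing: the group cuts over to wan2 with no rule change."""
    wan1 = Gateway("wan1", 1, 1, "8.8.8.8", [18, 17, 19, 18])
    wan2 = Gateway("wan2", 2, 1, "1.1.1.1", [24, 25, 23, 24])
    before = active_failover([wan1, wan2])
    wan1.samples = [18, None, None, None, None]     # ISP-side outage: 80% loss
    return before, active_failover([wan1, wan2])
```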
Step 5

Activate your license

Until you activate, the appliance runs in 14-day evaluation mode. After 14 days without activation, it goes into read-only "sustain" mode (existing rules keep working but you can't change them).

Online activation (the 99% case)

  1. System → License.
  2. Paste the key from your A1-Soft order email into the field.
  3. Click Activate. The appliance contacts license.a1-soft.com over HTTPS, exchanges a hardware fingerprint, and receives a signed certificate.
  4. Within 5 seconds, the page refreshes showing your tier, expiry, and entitled features.

From CLI:

```sh
a1ctl license activate --key A1FW-XXXX-XXXX-XXXX-XXXX
a1ctl license show
```

Offline activation (air-gapped sites)

  1. From the appliance: a1ctl license fingerprint > fw.fp. Copy this 32-byte file out via USB.
  2. From an Internet-connected machine, upload the fingerprint to a1-soft.com/license/offline, paste your key, get back a signed certificate file (fw.cert).
  3. Carry fw.cert back to the appliance: a1ctl license install fw.cert.

What if my license is wrong? If the activation succeeds but the wrong tier shows up (e.g., "Home" instead of "Business"), don't reactivate — contact support with your order number. Reactivating ties the key to the current hardware fingerprint, which complicates returns.

Step 6

Apply your first policy

A "policy" here is the bundle of firewall rules + NAT + web filter + IPS settings that govern what your network can and cannot do. You have two paths.

6.1 Use a bundled template (fastest)

Templates are curated configurations battle-tested in real deployments. Pick one and tweak.

| Template | Best for | What you get |
|---|---|---|
| Office | SMB, professional services | NAT, default-deny inbound, allow LAN→WAN, IPS on, malware/phishing filter, QoS profile for VoIP |
| Clinic | Healthcare | + HIPAA-aligned logging, segmented IoT VLAN for medical devices, no social media on staff network |
| School | Schools, training | + student VLAN with strict content filter (CIPA), staff VLAN with light filter, time-of-day rules |
| Hotel | Hospitality | + guest VLAN with captive portal, bandwidth caps per device, isolation between guest devices |
| Retail | Stores, branches | + POS VLAN locked to payment processor only, back-office VLAN with full Internet, public Wi-Fi guest VLAN |
| Datacenter | Servers, hosting | + DMZ subnet, default-deny everywhere, explicit pinholes per service, DDoS rate-limits |

Apply a template

  1. Firewall → Templates.
  2. Click the template that matches you. The right pane shows a preview of every rule, NAT entry, and filter that will be created.
  3. Click Apply. The system creates a backup of your current config (named pre-template-YYYYMMDD-HHMMSS) before applying — so you can always roll back.
  4. Wait for the green "Applied" banner. New rules are live immediately.

From CLI (handy for repeatable demos):

```sh
a1ctl templates list
a1ctl templates apply office --confirm
a1ctl rules list
```

6.2 Build from scratch

If templates don't fit, the building blocks are:

  1. Create your zones (VLANs)

    Network → VLANs. Create one VLAN per security boundary — e.g., VLAN 10 staff, VLAN 20 guests, VLAN 30 CCTV. Tag your switch ports accordingly.

  2. Create your aliases

    Firewall → Aliases. Aliases are reusable names — OFFICE_HOURS (Mon–Fri 09:00–18:00), SOCIAL_NETS (a list of FQDNs), EXEC_LAPTOPS (a list of MACs). Use aliases everywhere; never hardcode IPs in rules.

  3. Write firewall rules

    Firewall → Rules → [interface]. Order matters — rules are evaluated top-to-bottom, first match wins. Best practice: deny rules near the top, allow rules below.

    Example: block YouTube during work hours from the staff VLAN:

    ```yaml
    - action: block
      interface: vlan10_staff
      source: VLAN10_NET
      destination: alias=YOUTUBE_DOMAINS
      schedule: alias=OFFICE_HOURS
      log: yes
      description: "No YouTube during work hours"
    ```

  4. Apply & verify

    Click Apply changes. The page shows a diff of the running config vs. the candidate. Review carefully — especially deny rules above existing allow rules. Once applied, generate test traffic and watch Status → Live → Filter log to confirm rules are matching as expected.
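
To show why rule order matters, here is an added first-match evaluator in Python (not A1-Soft's code) that runs the 6.2 YouTube rule and a default outbound allow against constructed flows. The alias contents and the 10.10.10.0/24 staff addressing are assumptions; the rule fields are the ones from the YAML above.

```python
"""First-match evaluation of A1Firewall-style rules. Added example, not
A1-Soft's own code: rule fields mirror the page's YAML; alias contents, the
VLAN 10 addressing and the sample flows are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed alias table; rules may reference an entry as "alias=NAME" or by bare name.
ALIASES = {
    "VLAN10_NET": [ip_network("10.10.10.0/24")],
    "YOUTUBE_DOMAINS": ["youtube.com", "googlevideo.com"],
    "OFFICE_HOURS": {"weekdays": range(0, 5), "start": 9, "end": 18},  # Mon-Fri 09:00-18:00
}

# The rule from 6.2, plus the default outbound allow the Standard baseline creates.
BLOCK_YOUTUBE = {"action": "block", "interface": "vlan10_staff", "source": "VLAN10_NET",
                 "destination": "alias=YOUTUBE_DOMAINS", "schedule": "alias=OFFICE_HOURS",
                 "log": True, "description": "No YouTube during work hours"}
ALLOW_OUT = {"action": "pass", "interface": "vlan10_staff", "source": "VLAN10_NET",
             "destination": "any", "description": "Staff VLAN to WAN"}

def at(day, hour):  # May 2026: the 11th is a Monday, the 16th a Saturday
    return datetime(2026, 5, day, hour)

@dataclass
class Flow:
    interface: str   # ingress interface whose rule set is evaluated
    src: str         # client IP
    dst_host: str    # FQDN the client asked for (as the web/DNS filter sees it)
    when: datetime

def resolve(value):  # "alias=NAME" or bare alias name -> contents; anything else is literal
    name = value[len("alias="):] if value.startswith("alias=") else value
    return ALIASES.get(name, value)

def matches(rule, flow):
    if rule["interface"] not in ("any", flow.interface):
        return False
    src = resolve(rule["source"])
    if src != "any" and not any(ip_address(flow.src) in net for net in src):
        return False
    dst = resolve(rule["destination"])
    if dst != "any" and not any(flow.dst_host == d or flow.dst_host.endswith("." + d) for d in dst):
        return False
    sched = resolve(rule.get("schedule", "always"))
    if sched != "always" and not (flow.when.weekday() in sched["weekdays"]
                                  and sched["start"] <= flow.when.hour < sched["end"]):
        return False
    return True

def evaluate(rules, flow, default="block"):  # top-to-bottom, first match wins
    for rule in rules:
        if matches(rule, flow):
            return rule["action"], rule["description"]
    return default, "implicit default-deny"

def ordering_pitfall():
    """Same flow, two orderings: deny above allow blocks it; allow above deny lets it through."""
    yt = Flow("vlan10_staff", "10.10.10.42", "www.youtube.com", at(11, 10))
    return evaluate([BLOCK_YOUTUBE, ALLOW_OUT], yt)[0], evaluate([ALLOW_OUT, BLOCK_YOUTUBE], yt)[0]
```

The misordered list in `ordering_pitfall()` is exactly what the Apply diff review is meant to catch: the block rule is present, logged nowhere, and never fires.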

Step 7

Verify traffic flow

Three quick checks before you walk away.

7.1 Outbound DNS & HTTP

From a LAN client:

```sh
nslookup a1-soft.com
curl -I https://a1-soft.com
```

Both should succeed. If DNS fails, check Unbound is running (a1ctl service status unbound). If HTTP fails, check the LAN→WAN rule is applied.

7.2 Inbound default-deny

From an external host (e.g., your phone on cellular):

```sh
nmap -p 22,80,443 <your_wan_ip>
```

All three ports should be filtered (no response). If any port returns "open", you've accidentally exposed it — review NAT and inbound rules now.

7.3 IPS detonation

Trigger a known-bad pattern to confirm IPS is alerting:

```sh
curl http://testmyids.com/
```

Within 2 seconds, Security → IDS → Alerts should show one alert from rule 2100498 — GPL ATTACK_RESPONSE id check returned root. If no alert appears, IPS is misconfigured.

Step 8

Harden the box

The defaults are reasonable; these three changes make them production-grade.

8.1 Enable MFA on admin accounts

  1. System → Access → Users → click your admin user → Authentication factor: TOTP.
  2. Scan the QR code with Google Authenticator, 1Password, Authy, or any TOTP app.
  3. Type the 6-digit code to confirm.
  4. Save. Log out and log back in with: password + the 6-digit code.

To enforce MFA for every admin user (recommended):

```sh
a1ctl auth policy set --require-mfa --role admin
```

8.2 Auto updates

System → Updates → Settings:

  • Channel: Stable for production, Edge only for labs.
  • Auto-install: Security patches only (default — safe). Feature updates require manual approval.
  • Window: pick a 4-hour window during your lowest-traffic period (e.g., 02:00–06:00 local). Updates that need a reboot are scheduled in this window only.

8.3 Configuration backups

Backups are automatic (every 24h, last 30 kept locally). Add an off-box destination:

```sh
# Backup to your S3-compatible bucket
a1ctl backup destination add s3 \
  --endpoint https://s3.eu-west-1.amazonaws.com \
  --bucket fw-backups \
  --access-key AKIA... \
  --secret-key ... \
  --encrypt-with-key A1FW-MASTER-KEY

# Or to a local NFS share
a1ctl backup destination add nfs \
  --host backup.example.com \
  --path /mnt/firewall-backups
```

Then schedule:

```sh
a1ctl backup schedule set daily 03:00 --retain 30
a1ctl backup run --now    # take one immediately to verify the destination
```

Step 9

Monitoring & alerts

Three monitoring layers, all bundled.

9.1 Live dashboards

Dashboard shows real-time bandwidth, top talkers, top destinations, and current threat events. Refresh rate is 1 second via WebSocket — no polling.

9.2 Email alerts

System → Notifications → Email. Configure SMTP (TLS-only). Pick which alert classes go to email:

  • Critical always — license expiry, hardware faults, IPS detonations on critical signatures.
  • Warning recommended — WAN failover events, disk > 80%, certificate < 30 days from expiry.
  • Info only if you ingest into a SIEM, otherwise too noisy.

9.3 SIEM integration

Stream every event in real time to your SIEM:

```sh
# Wazuh
a1ctl siem connect wazuh --manager wazuh.example.com --auth-key ...

# Splunk (HEC)
a1ctl siem connect splunk --hec-url https://splunk:8088 --token ...

# Generic syslog (RFC 5424)
a1ctl siem connect syslog --host siem.example.com --port 6514 --tls --format cef
```

Verify events are flowing:

```sh
a1ctl siem status
# Last event sent: 2026-05-08T12:34:56Z (3s ago)
# Queue depth:     0
# Errors (1h):     0
```

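
As an added example (not A1-Soft's code) of what the `--format cef` stream above carries, this Python serialises a constructed filter-log hit for the 6.2 rule as CEF inside an RFC 5424 syslog frame. The vendor/product strings, facility, app name and event fields are assumptions; the hostname fw-hq-01 and the timestamp reuse values from this page.

```python
"""Serialise an A1Firewall-style filter-log event as CEF inside an RFC 5424
syslog frame, the shape `a1ctl siem connect syslog --format cef` targets.
Added example, not A1-Soft's code: event fields, vendor/product strings,
facility and app name are constructed assumptions for this example."""
from datetime import datetime, timezone

def cef_header_escape(value):
    """Header fields: escape backslash first, then the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext_escape(value):
    """Extension values: escape backslash and '=', and fold line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event, vendor="A1-Soft", product="A1Firewall", version="1.0"):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = [vendor, product, version, event["rule_id"], event["description"], event["severity"]]
    ext = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in event["ext"].items())
    return "CEF:0|" + "|".join(cef_header_escape(h) for h in header) + "|" + ext

def syslog_frame(msg, host, ts, facility=20, severity=4, app="a1fw"):
    """RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
    PRI = facility*8 + severity; the defaults give local4.warning (164)."""
    stamp = ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return f"<{facility * 8 + severity}>1 {stamp} {host} {app} - - - {msg}"

SAMPLE_EVENT = {  # constructed filter-log hit for the 6.2 rule; 203.0.113.10 is TEST-NET-3
    "rule_id": "block-vlan10-youtube",
    "description": "No YouTube during work hours",
    "severity": 4,
    "ext": {"act": "block", "deviceInboundInterface": "vlan10_staff",
            "src": "10.10.10.42", "dst": "203.0.113.10", "dpt": 443, "proto": "TCP",
            "dhost": "www.youtube.com", "msg": "schedule=OFFICE_HOURS"},
}

def sample_frame():
    """Complete line for SAMPLE_EVENT at the timestamp shown by `a1ctl siem status`."""
    ts = datetime(2026, 5, 8, 12, 34, 56, tzinfo=timezone.utc)
    return syslog_frame(to_cef(SAMPLE_EVENT), "fw-hq-01", ts)
```

The escaping is what the SIEM parser depends on: an unescaped `|` in a rule description would shift every header field to its right, and an unescaped `=` in `msg` would split the extension into a bogus key.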
Step 10

What's next

You have a healthy, hardened, monitored A1Firewall in production. Pick the next chapter:

Reference

Troubleshooting

The 12 most common quick-start blockers, sorted by frequency.

Can't reach https://192.168.1.1

  1. Confirm your laptop has a 192.168.1.x address. If it has 169.254.x.x, DHCP isn't working — check that the cable is in LAN1 (not WAN1) and try ipconfig /release && ipconfig /renew.
  2. If you have an address but the page won't load, try http://192.168.1.1 (without TLS). If that works, your browser is rejecting the self-signed cert — accept the warning explicitly.
  3. If neither works, fall back to the console: monitor + keyboard, log in as root, run a1ctl recover network. This re-applies the bootstrap network config.

WAN is "down" but the cable is in

  1. a1ctl wan status — does the OS see link?
  2. If the link LED on the rear is dark, suspect the patch cable — swap it for a known-good one.
  3. If the link is up but there is no IP, your ISP is using PPPoE or static — but the wizard guessed DHCP. Re-run the WAN section of the wizard.
  4. If the IP is there but no Internet, the gateway monitor target (8.8.8.8 by default) might be ICMP-blocked by your ISP. Switch monitoring to 1.1.1.1:443/tcp.

License activation fails

  1. Verify the appliance can reach license.a1-soft.com: curl -v https://license.a1-soft.com/health.
  2. Check the system clock — more than 5 min of skew rejects the TLS handshake. Force a sync: a1ctl service restart ntpd.
  3. If your network blocks outbound to license.a1-soft.com, allow-list license.a1-soft.com:443 on whatever upstream filter is in the way, or use offline activation.

I forgot the admin password

From the console (monitor + keyboard), log in as root (the rescue account; its password is the initial license key suffix shown on the boot banner). Then:

```sh
a1ctl users password admin --interactive
```

If you also lost root: physical access + boot into single-user mode from the loader prompt (press 2 within 3 seconds at boot), then run passwd admin.

Browser shows "Connection reset" after login

Almost always a firewalled session — the WebSocket port (TCP 18090) is blocked between your laptop and the appliance. Add an exception, or fall back to HTTP polling: System → Settings → Realtime → Polling.

Stuck on something not in this list? Capture a1ctl support-bundle and email it to support@a1-soft.com — it includes config, logs, and system state, with secrets redacted. Average first-response time is 2 business hours.