Use the FireCluster Setup Wizard

To configure FireCluster, you can either run the FireCluster Setup Wizard or you can configure FireCluster manually. For information about how to configure FireCluster manually, see Configure FireCluster Manually .

For a demonstration of how to use the FireCluster setup wizard to configure an active/passive cluster, see the FireCluster video tutorial (14 minutes).

In the FireCluster Setup Wizard you can get help on any step. For more information, see: FireCluster Setup Wizard Help Topics

Before you enable FireCluster:

• Make sure you have everything necessary to configure your FireCluster and that you have planned your configuration settings.
  For information, see Before You Begin.
• Make sure you understand the limitations of a FireCluster, as described in Features Not Supported for a FireCluster.
• Connect the FireCluster members to each other and to the network, as described in Connect the FireCluster Hardware.
• Make sure you understand how to configure a FireCluster with Firebox M5600 and M4600 models.
  For information, see About FireCluster with Modular Interfaces
• Make sure you understand how to set up an active/passive FireCluster with FireboxV or XTMv devices.
  For information, see Configure a FireCluster on VMware ESXi.

In an active/active FireCluster configuration, the network interfaces for the cluster have multicast MAC addresses. Before you enable an active/active FireCluster, make sure your network routers and other devices are configured to support multicast network traffic. For more information, see Switch and Router Requirements for an Active/Active FireCluster.

The primary and backup cluster interfaces must be on different subnets. If you use a switch between each member for the cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs.

Configure FireCluster

1. In WatchGuard System Manager, connect to the Firebox that has the configuration you want to use for the cluster. After you enable FireCluster, this device becomes the cluster master the first time you save the configuration.
2. Click .
   Or, select Tools > Policy Manager.
   Policy Manager opens the configuration file for the selected device.
   
3. Select FireCluster > Setup.
   The FireCluster Setup Wizard starts.

4. Click Next.
5. Select the type of cluster you want to enable:

Active/Passive cluster  

Enables the cluster for high availability, but not load sharing. If you select this option, the cluster has an active Firebox that handles all the connections and a passive Firebox that handles connections only if a failover of the first device occurs.

 Active/Active cluster

Enables the cluster for high availability and load sharing. If you select this option, the cluster balances incoming connection requests across both devices in the cluster.

6. Select the Cluster ID.
   The cluster ID uniquely identifies this cluster if you set up more than one cluster on the same layer 2 broadcast domain. If you only have one cluster, and your network does not have HSRP or VRRP devices, you can use the default value.

For an active/passive cluster, the Cluster ID determines the virtual MAC addresses used by the interfaces of the clustered devices. If you configure more than one active/passive FireCluster on the same subnet, it is important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict. It is also possible that the FireCluster virtual MAC addresses can conflict with HSRP and VRRP configured devices on your network.

For more information, see Active/Passive Cluster ID and the Virtual MAC Address.

6. If you selected Active/Active cluster, select the Load-balance method.
   The load-balance method is the method used to balance connections among active cluster members. There are two options:

Least connection

If you select this option, each new connection is assigned to the active cluster member with the lowest number of open connections. This is the default setting.

Round-robin

If you select this option, new connections are distributed among the active cluster members in round-robin order. The first connection goes to one cluster member. The next connection goes to the other cluster member, and so on.

7. Select the Primary and Backup cluster interfaces. The cluster interfaces are dedicated to communication between cluster members and are not used for other network traffic. You must configure the Primary interface. For redundancy, we recommend you also configure the Backup interface.

 Primary

The device interface that you dedicate to primary communication between the cluster members. Select the interface number that you used to connect the FireCluster devices to each other.

Backup

The device interface that you dedicate to communication between the cluster members if the primary interface fails. Select the second interface number that you used to connect the FireCluster devices to each other, if any.

The primary and backup cluster interfaces must be on different subnets. If you use a switch between each member for the cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs.

8. Select the Interface for Management IP address. You use this interface to connect directly to FireCluster members for maintenance operations. This is not a dedicated interface. It also is used for other network traffic. You cannot select an external interface that uses PPPoE as the Interface for Management IP address. We recommend that you select the interface that the management computer usually connects to.
   For more information, see About FireCluster Management IP Addresses.
9. When prompted by the configuration wizard, add these FireCluster member properties for each device:

Feature Key

For each device, import or download the feature key to enable all features for the device. If you previously imported the feature key in Policy Manager, the wizard automatically uses that feature key for the first device in the cluster.

Member Name

The name that identifies each device in the FireCluster configuration.

Serial Number

The serial number of the Firebox. The serial number is used as the Member ID in the FireCluster Configuration dialog box. The wizard sets this automatically when you import or download the feature key for the Firebox.

Primary cluster interface IP address

The IP address the cluster members use to communicate with each other over the primary cluster interface. The primary FireCluster IP address for each cluster member must be an IPv4 address on the same subnet.

If both cluster members start at the same time, the cluster member with the highest IP address assigned to the primary cluster interface becomes the master.

Backup cluster interface IP address

The IP address the cluster members use to communicate with each other over the backup cluster interface. The backup FireCluster IP address for each cluster member must be an IPv4 address on the same subnet.

Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the device. The default interface IP addresses are in the range 10.0.0.1–10.0.26.1. The Primary and Backup cluster IP addresses must not be used for anything else on your network, such as virtual IP addresses for Mobile VPN or the IP addresses used by remote branch office networks.

Management IP address

A unique IP address that you can use to connect to an individual Firebox while it is configured as part of a cluster. You must specify a different management IP address for each cluster member. If the interface you chose as the Interface for management IP address has IPv6 enabled, you can optionally configure an IPv6 management IP address.

The IPv4 management IP address can be any unused IP address. We recommend that you use an IP address on the same subnet as the interface you select as the Interface for management IP address. This is to make sure that the address is routable. The management IP address must be on the same subnet as the WatchGuard Log Server or syslog server that your FireCluster sends log messages to.

The IPv6 management IP address must be an unused IP address. We recommend that you use an IPv6 address with the same prefix as an IPv6 address assigned to the interface you selected as the Interface for management IP address. This is to make sure that the IPv6 address is routable.

For more information, see About FireCluster Management IP Addresses.

10. Review the configuration summary on the final screen of the FireCluster Setup Wizard. The configuration summary includes the options you selected and which interfaces are monitored for link status.

11. Click Finish.
    The FireCluster Configuration dialog box appears.
    

12. In the Interface Settings section, review the list of monitored interfaces.

The list of monitored interfaces does not include the interfaces you configured as the Primary and Backup cluster interfaces. FireCluster monitors the link status for all enabled interfaces by default. If the cluster master detects loss of link on a monitored interface, the cluster master starts the failover process for that device.

For an active/passive cluster, you can select which of the active interfaces to monitor. If you do not want to monitor the link status of an enabled interface as a criteria for failover, clear the check box for that interface in the Monitor Link column.

We recommend that you configure the FireCluster to monitor the link status of all enabled interfaces.

For an active/active FireCluster, you must disable any interfaces that are not connected to your network before you save the FireCluster configuration to the Firebox. To disable an interface:

• In Policy Manager, select Network > Configuration.
• Double-click the interface that you want to disable, and set the Interface Type to Disabled.
  

If you want the second device to be automatically discovered and added to the cluster, do not save the configuration file until you start the second device in safe mode.

14. Start the second Firebox with factory-default settings.

For any Firebox model, or an XTM 33, 25, or 26 device, reset the device to factory-default settings

Use the reset instructions for your Firebox model. For more information, see Reset a Firebox.

For any XTM device with an LCD screen, start the device in safe mode

To start in safe mode, press and hold the down arrow button on the device front panel while you power on the device. Continue to hold the down arrow button until Safe Mode Starting... appears on the LCD display. When the device is in safe mode, the model number followed by the word safe appears on the LCD display.

15. Save the configuration to the cluster master.
    The cluster is built. The cluster master automatically discovers the other device with the serial number that matches the serial number in the feature key you added to the cluster configuration.
    

After the cluster is active, you can monitor the status of the cluster members on the Firebox System Manager Front Panel tab.
For more information, see Monitor and Control FireCluster Members.

If you save the configuration to the cluster master before you start the second device in safe mode, the cluster master does not automatically discover the second device. If the second device is not automatically discovered, you can use Firebox System Manager to manually trigger device discovery as described in Discover a Cluster Member.

 

See Also

FireCluster

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.