Contents

Related Topics

Quick Start — Set Up a FireCluster

You can configure two Fireboxes of the same model as a FireCluster. There are two FireCluster configuration options: active/passive and active/active. To add redundancy, configure an active/passive cluster. To add both redundancy and load sharing, configure an active/active cluster.

This topic summarizes how to plan and configure a FireCluster. If you are not familiar with FireCluster, we recommend you read these topics as an introduction before you begin.

If the Fireboxes you want to include in a cluster have modular interfaces or a model upgrade, see these topics for specific requirements:

Use these steps to plan and configure your FireCluster.

Step 1 — Verify prerequisitesClosed

Before you configure a FireCluster, make sure that you have these components:

  • Two activated Fireboxes with the same model number
  • The same version of Fireware installed on each Firebox
  • The same interface modules installed on each Firebox (M4600 and M5600 only)
  • The feature key for each Firebox, saved in a local file; for more information, see Get a Firebox Feature Key
  • One crossover cable (red) for each cluster interface (If you configure a backup cluster interface, you must use two crossover cables.)
  • One network switch for each enabled trusted, optional, custom, or external interface
  • Ethernet cables to connect the interfaces of both devices to the network switches

To make sure that both Fireboxes run the same version of Fireware OS, it might be necessary to set up the second Firebox separately with a basic configuration, add the feature key, and upgrade Fireware OS to the same version as the first Firebox. When you form the cluster, you reset the second device to factory-default settings. The reset process resets the configuration to factory-default settings and removes the feature key, but does not change the installed version of Fireware OS.

Before you enable FireCluster, you configure one Firebox with the network and policy settings you want the cluster to use. Make sure the configuration settings meet the requirements for the type of FireCluster you want to enable.

Requirements for an active/passive FireClusterClosed
  • The Firebox must have at least one unused interface to use as the dedicated cluster interface.
  • The Firebox must be configured in Mixed Routing Mode or Drop-In mode.
  • The external interface must have a static IP address, or be configured for PPPoE. In Fireware v11.12 or higher, the external interface can be configured for DHCP.
  • All unused interfaces must be disabled.
Requirements for an active/active FireCluster:Closed
  • The Firebox must have at least one unused interface to use as the cluster interface.
  • The Firebox must be configured in Mixed Routing Mode.
  • The external interface must have a static IP address.
  • All unused interfaces must be disabled.
  • Wireless must be disabled on the Firebox. (you can use a connected WatchGuard wireless AP device)
  • Switches and routers must be configured to route traffic with multicast MAC addresses. For more information, see Switch and Router Requirements for an Active/Active FireCluster.
  • If required by your switches, add static ARP entries to the Firebox configuration for each layer 3 network switch. For more information, see Add Static ARP Entries for an Active/Active FireCluster .
  • Subscription services must be activated for both cluster members. For more information, see About Feature Keys and FireCluster.

There are a few configuration limitations for a FireCluster. Before you enable a FireCluster, see Features Not Supported for a FireCluster.

Step 2 — Plan your FireCluster configurationClosed

Identify the cluster ID, interfaces, and IP addresses you will use in the FireCluster configuration.

  • Cluster ID — For each FireCluster, you must configure a Cluster ID. For an active/passive FireCluster, the Cluster ID is used to generate virtual MAC addresses for the interfaces. If your network has more than one FireCluster, or has devices that use HSRP or VRRP, make sure to select a Cluster ID that does not create a MAC address conflict. For more information, see Active/Passive Cluster ID and the Virtual MAC Address.
  • Cluster Interfaces — Identify which interfaces to use as primary and backup cluster interfaces. Each cluster interface is dedicated to communication between the cluster members. The backup cluster interface is optional. For each cluster interface, you configure an IP address on the same subnet for each cluster member. We recommend you assign IP addresses on a dedicated private subnet, or use link-local IP addresses. You might find it useful to define your cluster interfaces with link-local IP addresses like this: 169.254.<interface number>.<member number>/24
  • Cluster Management Interfaces — Identify the interface you usually use to connect to the Firebox for management. Often this is a trusted interface. For each cluster member, you must configure a Management IP address for that interface. We recommend you select IP addresses on the same subnet as the interface IP address.

The cluster management interfaces are used by the cluster master to manage the cluster. Make sure the cluster management interface of both cluster members are connected to a common switch at all times. For more information, see About FireCluster Management IP Addresses.

As an example, your planned FireCluster configuration settings could look like this:

Planned FireCluster Configuration Settings
Cluster ID: 10 Interface # IP address for Member 1 IP address for Member 2
Primary cluster interface 5 169.254.5.1/24 169.254.5.2/24
Backup cluster interface 6 169.254.6.1/24 169.254.6.2/24
Management interface
(IP address: 10.0.10.1)		 1 10.0.10.101/24 10.0.10.102/24

For more information about these settings, see Before You Begin.

Step 3 — Connect the hardwareClosed

With the second device powered off, connect the two devices to each other and to your network switches. This diagram shows connections for a FireCluster with one cluster interface, one trusted interface, and one external interface.

FireCluster simple network configuration diagram

To connect your FireCluster hardware:

  1. Power off the Firebox you want to add to the cluster.
  2. Use a crossover Ethernet cable (red) to connect the primary cluster interface on one Firebox to the primary cluster interface on the other Firebox.
  3. If you plan to enable a backup cluster interface, use a second crossover Ethernet cable to connect the backup cluster interfaces.
  4. Connect the external interface of each Firebox to a network switch or VLAN. If you use Multi-WAN, connect the second external interface of each Firebox to another network switch.
  5. Connect the trusted interface of each Firebox to an internal network switch or VLAN.
  6. Connect each of the other enabled trusted or optional network interfaces on each Firebox to a network switch or VLAN.
    You must connect each pair of enabled interfaces to a separate switch.
  7. Connect your computer to the switch on the trusted network.

If interface 1 has the default IP address 10.0.1.1, do not connect interface 1 of the second device to the switch until after the cluster is successfully formed. This avoids a temporary IP address conflict when you start the second device with factory-default settings.

Step 4 — Run the FireCluster Setup WizardClosed

Use the FireCluster Setup Wizard in Policy Manager to enable FireCluster and configure your planned settings. Make sure you have the feature key for both devices in a text file before you start the wizard.

  1. In WatchGuard System Manager, connect to the configured Firebox that you want enable as the first FireCluster member.
  2. Start Policy Manager.
  3. Select FireCluster > Setup to start the FireCluster Setup Wizard.
  4. Select the type of cluster you want to enable (Active/Active or Active/Passive)
  5. Select the Cluster ID.
  6. If you selected Active/Active, select the Load-balance method.
    • Least connection assigns new connections to the member with the lowest number of connections.
    • Round-robin assigns new connections alternately to each of the two members.
  7. Select the interfaces to use as the Primary and Backup cluster interfaces.
    These are the interfaces you directly connected with the crossover cable.
  8. Select the Interface for Management IP address.
  9. For each Firebox, configure these properties, that are unique to each member:
    • Feature Key — For the first member, the device feature key is included automatically. For the second device, paste the feature key text into the wizard.
    • Member Name — Identifies each device. The default names are Member1 and Member2
    • IP addresses — Use the cluster interface and management IP addresses you planned earlier.
  1. Click Finish.
    The FireCluster Configuration dialog box appears.
  2. In the Interface Settings section, review the list of monitored interfaces.
    We recommend that you monitor the link status of all enabled interfaces.
  3. For an active/active FireCluster, disable any interfaces that are not connected to your network. 

Do not save the configuration to the Firebox yet.

Step 5 — Make the second cluster member discoverable Closed

For the cluster master to discover the second Firebox, you must reset the second Firebox to factory-default settings. The reset process resets the configuration and removes the feature key, but does not change the installed version of Fireware OS.

To reset a Firebox T10, T15, T30, T35, T50, T55, or T70 to factory-default settings:Closed
  1. Power off the Firebox.
  2. Press and hold the Reset button on the back of the Firebox.
  3. While you continue to hold the Reset button, power on the Firebox.
  4. Continue to press the Reset button until the Attn indicator begins to flash.
  5. Release the Reset button. Do not power off the Firebox yet.
  6. Wait for the reset process to complete. This can take as long as 70 seconds. When the reset is complete, the Attn indicator stays lit and does not flash.
  7. Power off the Firebox.
  8. Power on the Firebox.
    The Firebox restarts with factory-default settings.
To reset a Firebox M200 or M300 to factory-default settings:Closed
  1. Power on the Firebox.
  2. Wait until the Arm indicator ( Shield symbol ) is green.
  3. Press and hold the Reset button on the front of the device.
    After five seconds, the Arm indicator is red.
  4. Continue to hold the Reset button while the Arm indicator is red or is not lit.
    After 40 seconds, the Arm indicator starts to flash green.
  5. Continue to hold the Reset button while the Arm indicator flashes green once per second.
  6. After the Arm indicator starts to flash green twice per second, release the Reset button.
  7. Wait until the Arm indicator starts to flash red.
  8. Press and hold the Reset button for five seconds to reboot the device.
    The Firebox restarts with factory-default settings.
To reset a Firebox M370, M400, M470, M500, M570, M670, M4600, or M5600 to factory-default settings:Closed

Before you reset a Firebox M5600, make sure you have an interface module installed in slot A. For more information, see About Modular Interfaces.

  1. Power on the Firebox.
  2. Wait until the Arm indicator ( Shield symbol ) is green.
  3. Press and hold the Power button on the front of the device for five seconds to power it off.
  4. Press and hold the Reset button on the front left of the device, and briefly press the Power button on the front of the device to power it on.
    The Arm indicator is red.
  5. Continue to hold the Reset button while the Arm indicator is red.
    The Arm indicator starts to flash green.
  6. Continue to hold the Reset button while the Arm indicator flashes green once per second.
  7. After the Arm indicator starts to flash green twice per second, release the Reset button.
  8. Wait until the Arm indicator starts to flash red.
  9. Press and hold the Power button for five seconds to power off the device.
  10. Briefly press the Power button on the front of the device to power it on.
    The Firebox restarts with factory-default settings.
To reset a Firebox M440 to factory-default settings:Closed
  1. Power on the Firebox.
  2. Wait until the Arm indicator ( Shield symbol ) is green.
  3. Press and hold the Power button on the front of the device for three seconds to power it off.
  4. Press and hold the Reset button on the front left of the device, and briefly press the Power button on the front of the device to power it on.
  5. Continue to hold the Reset button until the Attn indicator begins to flash.
  6. Release the Reset button.
  7. Wait until the Attn indicator stays lit and does not flash.
  8. Press and hold the Power button for three seconds to power off the device.
  9. Briefly press the Power button on the front of the device to power it on.
    The Firebox restarts with factory-default settings.
To reset any XTM device with an LCD display to factory-default settings (safe mode):Closed
  1. Power off the XTM device.
  2. Press and hold the down arrow button on the device front panel while you power on the device.
  3. Continue to press the down arrow button until the message Safe Mode starting appears on the LCD display.

When an XTM device is started in safe mode, the LCD display shows the model number followed by the word safe. When you start a device in safe mode:

  • The device temporarily uses the factory-default network and security settings. In safe mode, the IP address of interface 1 is 10.0.1.1.
  • The current feature key is not removed. If you run the Quick Setup Wizard to create a new configuration, the wizard uses the feature key previously installed on the device.
  • Your current configuration is deleted only when you save a new configuration file to the XTM device. If you restart the device before you save a new configuration, the device uses your current configuration
To reset an XTM 21, 22, or 23 to factory-default settings:Closed
  1. Disconnect the power supply.
  2. Press and hold the Reset button on the back of the device.
  3. While you continue to hold the Reset button, reconnect the power supply or power on the device.
  4. Continue to press the Reset button for one minute, or until the Attn indicator begins to flash. Then release the button. Do not disconnect the power to the device yet.
    For some XTM 2 Series devices, the Attn indicator does not flash.
  5. Wait three minutes for the reset process to complete. When the reset is complete, the Attn indicator stays lit and does not flash.
  6. Disconnect the power supply.
  7. Reconnect the power supply.
    The Firebox restarts with factory-default settings.
To reset an XTM 25 or XTM 26 to factory-default settings:Closed
  1. Disconnect the power supply.
  2. Press and hold the Reset button on the back of the device.
  3. While you continue to hold the Reset button, reconnect the power supply or power on the device.
  4. Continue to press the Reset button for 30 seconds, or until the Attn indicator begins to flash. Then release the button. Do not disconnect the power to the device yet.
    For some XTM 2 Series devices, the Attn indicator does not flash.
  5. Wait two minutes for the reset process to complete. When the reset is complete, the Attn indicator stays lit and does not flash.
  6. Disconnect the power supply.
  7. Reconnect the power supply.
    The Firebox restarts with factory-default settings.
To reset an XTM 33 to factory-default settings:Closed
  1. Disconnect the power supply.
  2. Press and hold the Reset button on the back of the device.
  3. While you continue to hold the Reset button, reconnect the power supply or power on the device.
  4. Continue to press the Reset button for 30 seconds, or until the Attn indicator begins to flash. Then release the button. Do not disconnect the power to the device yet.
    For some XTM 33 devices, the Attn indicator does not flash.
  5. Wait three and a half minutes for the reset process to complete. When the reset is complete, the Attn indicator stays lit and does not flash.
  6. Disconnect the power supply.
  7. Reconnect the power supply.
    The Firebox restarts with factory-default settings.

For any XTM device that has an LCD screen, start the device in safe mode.

  1. Press and hold the down arrow button on the device front panel while you power on the XTM device.
  2. Continue to hold the down arrow button until Safe Mode Starting... appears on the LCD display.
    When the XTM device is in safe mode, the model number followed by the word safe appears on the LCD display.
Step 6 — Save the configuration to the FireboxClosed

In Policy Manager, select File > Save > To Firebox.

When you save the configuration with FireCluster enabled to the Firebox, that Firebox becomes the cluster master. When FireCluster is first enabled, the cluster master uses the cluster interface to automatically discover the other cluster member.

When the cluster master discovers a connected device with factory-default settings, it verifies that the serial number matches the serial number in the FireCluster configuration, and then sends the cluster configuration to the second device. The second device then joins the cluster and synchronizes all cluster status with the cluster master. 

Step 7 — Verify FireCluster StatusClosed

After you enable FireCluster, use Firebox System Manager to verify the status of cluster members. If necessary, you can manually trigger discovery of the second cluster member.

  1. Connect to the cluster with Firebox System Manager.
  2. On the Front Panel tab, expand the cluster to see the status of cluster members. For more information, see Monitor and Control FireCluster Members.

If the second Firebox is not automatically added to the cluster:

  1. Make sure the primary cluster interfaces of both devices are connected.
  2. Make sure the second Firebox is started with factory-default settings.
  3. Select Tools > Cluster > Discover Member to manually trigger discovery of the second cluster member. For more information, see Discover a Cluster Member.

See Also

About Feature Keys and FireCluster

Supported Models for FireCluster

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.