Before You Configure a FireCluster
Before you configure a FireCluster, make sure you understand the requirements and restrictions.
- Verify the Requirements
- Hardware and Cable Requirements
- Verify the External Interface Configuration
- Verify Network Router and Switch Configurations
- Select IP Addresses for Cluster Interfaces
After you verify all requirements, you can Configure FireCluster.
Verify the Requirements
Verify that the Fireboxes you want to configure in a FireCluster and your network environment meet these requirements:
General Requirements
Network latency between cluster members must be less than 100ms.
Features Not Supported
For information about features not supported with FireCluster, go to Features Not Supported for a FireCluster.
Network Mode Requirements
- To configure an active/passive cluster, your network interfaces must be configured in mixed routing or drop-in mode.
- To configure an active/active cluster, your network interfaces must be configured in mixed routing mode. FireCluster does not support bridge network mode.
For more information about network modes, go to About Network Modes and Interfaces.
Fireware, Feature Key, and License Requirements
- Make sure the same version of Fireware is installed on each Firebox.
If you have a brand new Firebox with factory-default settings, the version of Fireware that is installed on the Firebox is indicated on a sticker on the device.
- Make sure you have the feature key for each Firebox saved in a local file. For more information, go to Get a Firebox Feature Key.
- For an active/passive FireCluster, only one of the devices needs licenses for subscription services.
- For an active/active cluster, each Firebox must have active licenses for the same optional subscription services such as WebBlocker or Gateway AntiVirus.
- For service providers and partners, you can use a Not for Resale (NFR) Firebox in a FireCluster with another NFR or non-NFR Firebox. Note that the activation of a High Availability SKU on an NFR device requires another non-NFR device of the same model in your account not already paired with a High Availability SKU.
For more information, go to About Feature Keys and FireCluster.
Hardware and Cable Requirements
Make sure that you have:
- Two activated Fireboxes with the same model number. The Firebox model must be one of the Supported Models for FireCluster.
- The same number and type of interface modules installed in the same slots on each Firebox.
- An Ethernet cable for each cluster interface. You can use a straight or crossover cable. If you configure a backup cluster interface, you must use two cables.
- One network switch for each enabled trusted, optional, custom, or external interface.
- Ethernet cables to connect the interfaces of both devices to the network switches.
- If the Fireboxes you want to cluster have modular interfaces, when the cluster is first formed, you must use a built-in interface to connect the two cluster members together. For more information, go to About FireCluster with Modular Interfaces.
- On an M5600, the only built-in interface that you can use for the cluster connection when the device is using default settings is interface 32.
- On an M470, M570, M590, M670, M690, M4600, T80, and T85, the eight built-in interfaces are interfaces 0 through 7.
- For more information on how to connect your Fireboxes in the FireCluster, go to Connect the FireCluster Hardware.
For wireless Fireboxes:
- When wireless is enabled, you can configure FireCluster only in active/passive mode.
- FireCluster is not supported when the Firebox has wireless enabled as an external interface.
- If the FireCluster Interface for management IP address is on an interface that is bridged to a wireless network you cannot use a wireless connection to manage the device.
- The External Guest Authentication hotspot type is not supported for a wireless FireCluster.
- For additional requirements and restrictions for wireless devices, go to About FireCluster on Wireless Models.
For FireClusterV virtual machine requirements:
- FireCluster in a VMware environment operates as expected only if all requirements are met. For information, go to Configure a FireCluster on VMware ESXi.
- FireCluster is not supported for Hyper-V.
- All clients protected by the cluster must be able to communicate to both cluster members. VMware does not send traffic from clients on the same ESXi host as a cluster member to the other cluster member on a different ESXi host. For more information, go to Configure a FireCluster on VMware ESXi.
Verify the External Interface Configuration
Before you can configure a FireCluster, you must make sure that the external interface configuration is compatible with the type of FireCluster you want to use.
- Active/Passive FireCluster — Each external interface can use a static IP address, DHCP address, or PPPoE.
- Active/Active FireCluster — Each external interface must have a static IP address. You cannot enable an active/active FireCluster if the external interface is configured to use DHCP or PPPoE.
Verify Network Router and Switch Configurations
Verify these network configuration considerations before you begin:
- You must have a network switch or VLAN for each active traffic interface.
- If you use a switch between each member for the cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs.
We strongly recommend you use direct connections for the cluster interfaces. Additional network equipment such as switches introduce additional points of failure and latency.
Verify these network configuration considerations if you configure an active/active FireCluster:
- In an active/active FireCluster configuration, the network interfaces for the cluster use multicast MAC addresses. Before you enable an active/active FireCluster, make sure your network routers and other devices are configured to correctly route traffic to and from the multicast MAC addresses. All switches and routers in an active/active FireCluster broadcast domain must meet the requirements specified in Switch and Router Requirements for an Active/Active FireCluster.
- For an active/active cluster, and if required by your switches, add static ARP entries to the Firebox configuration for each layer 3 network switch that connects to the FireCluster. For more information, go to Add Static ARP Entries for an Active/Active FireCluster . This step is not necessary for an active/passive cluster because an active/passive cluster does not use multicast MAC addresses.
Select IP Addresses for Cluster Interfaces
We recommend you make a table with the network addresses you plan to use for the cluster interfaces and interface for management IP address. To avoid conflict with routable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface or use APIPA (link-local) IP addresses. If you use link-local IP addresses, which begin with 169.254, you might find it useful to define your cluster interface IP addresses like this:
169.254.<interface number>.<member number>/30
The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, your IP addressing plan could look like this:
Interface # and IP addresses for a FireCluster | |||
---|---|---|---|
Interface # | IP address for Member 1 | IP address for Member 2 | |
Primary cluster interface | 5 | 169.254.5.1/30 | 169.254.5.2/30 |
Backup cluster interface | 6 | 169.254.6.1/30 | 169.254.6.2/30 |
Management interface | 1 | 10.0.10.100/30 | 10.0.10.102/30 |
- Primary Cluster Interface — This is the interface that you dedicate to communication between the cluster members. This interface is not used for regular network traffic. If you have an interface configured as a dedicated VLAN interface, do not choose that interface as a dedicated cluster interface.
- The primary cluster interface IP addresses for both cluster members must be on the same subnet.
- For a Firebox M5600 FireCluster, we recommend you select interface 32 as the primary cluster interface. For more information, go to About FireCluster with Modular Interfaces.
- Backup Cluster Interface (optional, but recommended) — This is a second interface that you dedicate for backup communication between the cluster members. The cluster members use the backup cluster interface to communicate if the primary cluster interface is not available
- For redundancy, we recommend you use two cluster interfaces (primary and backup).
- The backup cluster interface IP addresses for both cluster members must be on the same subnet, but not on the same subnet as the primary cluster interface.
- Interface for Management IP Address — This is an interface that you use to make a direct connection to a cluster device from any WatchGuard management application. For the Firebox to send logs to a local Dimension or Syslog server, the Interface for management IP address must be on the same subnet as the Dimension or Syslog server. To achieve this, we recommend that you move your log server to the subnet used by the Interface for management IP address.
- The management IP address for each cluster member must be an unused IP address on the same subnet as the address assigned to the interface configured as the Interface for management IP address.
- If the Interface for management IP address has IPv6 enabled, you can also configure an IPv6 management IP address for each cluster member.
- For more information, go to About FireCluster Management IP Addresses.
- For wireless devices, the primary cluster interface, backup cluster interface, and interface for management IP address cannot be an interface that is bridged to a wireless network. For more information, go to About FireCluster on Wireless Models.
After you configure a FireCluster, RADIUS authentication requests from users on your network can come from either the FireCluster management IP address or the Firebox interface IP address. This occurs because the routing table uses different factors to determine which IP address is used.
If your authentication server expects to receive RADIUS authentication requests from a specific IP address, we recommend the following:
- Enable the Enable configuration of policies for traffic generated by the Firebox global setting. For information about this setting, go to Define Firebox Global Settings.
- Add a policy for Firebox-generated traffic. For information about this type of policy, go to About Policies for Firebox-Generated Traffic.
- In the policy, set the source IP address so that any traffic that uses the policy shows the specified address as the source.
Configure FireCluster with the Setup Wizard
Configure FireCluster Manually