Configure a FireCluster on VMware ESXi
You can configure two FireboxV virtual machines as an active/passive FireCluster. We recommend that you complete the virtual network setup on the hypervisor before you configure the FireboxV devices you want to cluster.
On a new FireboxV virtual machine with factory-default settings, the serial number of the device is not applied until you save a feature key to the device. You must deploy and configure a new FireboxV to apply the feature key and basic settings before you can save a configuration to the FireboxV virtual machine with FireCluster enabled.
- FireboxV FireCluster Requirements
- Plan Your Configuration
- Configure Network Switches
- Configure the Cluster
- Deploy and Configure two FireboxV Virtual Machines
- Get the Feature Key for the Second Device
- Configure FireCluster Settings
- Form the Cluster
- Verify the Cluster Status
FireboxV FireCluster Requirements
Make sure that you have these items:
- Two activated WatchGuard FireboxV virtual machines of the same model
- The same version of Fireware on each FireboxV
- The feature key for each FireboxV
- Each FireboxV deployed and configured with its own feature key
- One vSwitch configured for each cluster interface
- One vSwitch for each active traffic interface
- WatchGuard System Manager, to deploy the FireCluster configuration
You must verify that your FireCluster, network, and ESXi configurations meet all requirements. FireCluster in a VMware environment does not operate as expected if these requirements are not met.
FireCluster Requirements
Requirements for an active/passive FireCluster:
- The Firebox must have at least one unused interface to use as the dedicated cluster interface.
- The Firebox must be configured in Mixed Routing or Drop-In mode.
Active/active FireCluster is not supported for VMware ESXi. You must configure an active/passive FireCluster.
Network Requirements
Make sure your network and ESXi configurations meet the requirements.
Network requirements
- Each interface type should be in the same broadcast domain across both cluster members.
The backup master broadcasts a gratuitous ARP (GARP) to become the cluster master during cluster failover. The other cluster member must be in the same broadcast domain to receive this broadcast.
- All clients protected by the cluster must be able to communicate with both cluster members.
This means that you must verify that all packets destined for the FireboxV can be delivered successfully to both cluster members. VMware does not send traffic from clients on the same ESXi host as a cluster member to the other cluster member on a different ESXi host. These clients cannot pass traffic through the cluster unless they are on the same ESXi host as the active cluster member, so clients on the same ESXi host as the passive cluster member cannot pass traffic through the cluster. This behavior occurs because the ESXi host believes the virtual MAC (VMAC) address shared by the cluster members exists only on that ESXi host. As a result, the ESXi host does not forward traffic that is attempting to pass through the cluster to the active cluster member on the other ESXi host.
ESXi requirements
- For all FireboxV interfaces, the Forged Transmits setting in VMware must be configured as Accept. This is the default setting.
- Connected vSwitches must be configured to accept MAC address changes.
- The vSwitch for the FireCluster management interface must have promiscuous mode enabled.
- The vSwitch that connects to each cluster interface must be dedicated to this purpose.
Example
For hardware and software redundancy, you could configure:
- Two ESXi hosts connected to a vSwitch with multiple physical switches between them
- FireCluster master and backup members each configured on a different ESXi host
This configuration adds redundancy because the FireCluster can fail over in the case of a software or hardware failure.
Plan Your Configuration
Before you enable FireCluster, we recommend you identify the vSwitch, network interface, and network addresses to use. A clear plan helps you configure the interface IP addresses and the vSwitch settings required for each interface. For example, you could create a list that looks something like this:
FireCluster Option | vSwitch Name | FireboxV Interface Number | IP Address
---|---|---|---
Primary cluster interface | HA-net | 9 | Member 1: 169.254.9.1/24; Member 2: 169.254.9.2/24
Interface for management IP address | Trusted-net | 1 | Member 1: 10.10.1.2/24; Member 2: 10.10.1.3/24
External interface | External-net | 0 | 203.0.113.1/24
Trusted interface | Trusted-net | 1 | 10.10.1.1/24
Configure Network Switches
You must configure a vSwitch for each interface you want to enable. We recommend you do this before you enable FireCluster, and that you make sure the switches meet the requirements stated in the Requirements section.
For more information about switch configuration, go to Configure Resources in VMware ESXi.
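To apply the ESXi requirements above to the vSwitches named in the plan table, here is an added PowerCLI example that is not part of the WatchGuard documentation. The ESXi host name, the vmnic uplink assignments, and the port-group names are assumptions; the vSwitch names and which one needs promiscuous mode come from the plan table.

```powershell
# Added example (not from the WatchGuard documentation). Requires VMware PowerCLI.
# Assumptions: ESXi host 'esxi01.example.com', uplinks vmnic0-vmnic2, vSwitch names from the plan.
Import-Module VMware.PowerCLI -ErrorAction Stop
$HostName = 'esxi01.example.com'
Connect-VIServer -Server $HostName -Credential (Get-Credential) | Out-Null
$vmhost = Get-VMHost -Name $HostName

# One vSwitch per FireboxV interface. Promiscuous mode is required only on the vSwitch
# that carries the Interface for management IP address (Trusted-net in the plan).
$plan = @(
    @{ Name = 'HA-net';       Nic = 'vmnic2'; Promiscuous = $false; Dedicated = $true  }
    @{ Name = 'Trusted-net';  Nic = 'vmnic1'; Promiscuous = $true;  Dedicated = $false }
    @{ Name = 'External-net'; Nic = 'vmnic0'; Promiscuous = $false; Dedicated = $false }
)

foreach ($entry in $plan) {
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $entry.Name -ErrorAction SilentlyContinue
    if (-not $vs) {
        $vs = New-VirtualSwitch -VMHost $vmhost -Name $entry.Name -Nic $entry.Nic
        New-VirtualPortGroup -VirtualSwitch $vs -Name "$($entry.Name)-pg" | Out-Null
    }
    # Forged Transmits and MAC address changes must be Accept on every FireboxV vSwitch,
    # because the cluster members share a virtual MAC (VMAC) that moves on failover.
    Get-SecurityPolicy -VirtualSwitch $vs |
        Set-SecurityPolicy -ForgedTransmits $true -MacChanges $true `
                           -AllowPromiscuous $entry.Promiscuous | Out-Null
}

# Audit: report any vSwitch in the plan that does not meet the FireCluster requirements.
function Test-FireClusterVSwitch {
    param([Parameter(Mandatory)] $VMHost, [Parameter(Mandatory)] [hashtable[]] $Plan)
    foreach ($entry in $Plan) {
        $vs  = Get-VirtualSwitch -VMHost $VMHost -Name $entry.Name
        $pol = Get-SecurityPolicy -VirtualSwitch $vs
        $pgs = @(Get-VirtualPortGroup -VirtualSwitch $vs)
        [pscustomobject]@{
            vSwitch         = $entry.Name
            ForgedTransmits = $pol.ForgedTransmits
            MacChanges      = $pol.MacChanges
            Promiscuous     = $pol.AllowPromiscuous
            PortGroups      = $pgs.Count
            # The cluster-interface vSwitch must be dedicated: exactly one port group on it.
            Compliant       = $pol.ForgedTransmits -and $pol.MacChanges -and
                              ($pol.AllowPromiscuous -or -not $entry.Promiscuous) -and
                              (-not $entry.Dedicated -or $pgs.Count -eq 1)
        }
    }
}

Test-FireClusterVSwitch -VMHost $vmhost -Plan $plan | Format-Table -AutoSize
Disconnect-VIServer -Server $HostName -Confirm:$false
```

Run the same script against each ESXi host that will carry a cluster member, since the vSwitch security policy is per host and a member on a non-compliant host cannot take over the VMAC.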
Configure the Cluster
After you have planned your network and configured the vSwitches, you can set up the FireboxV virtual machines and enable FireCluster.
Deploy and Configure two FireboxV Virtual Machines
To create a FireCluster with two new FireboxV virtual machines, you must activate and deploy two FireboxV devices. If you want to enable FireCluster for an existing FireboxV virtual machine, you only need to activate and deploy one additional FireboxV virtual machine. For more information, go to Deploy FireboxV on VMware ESXi.
The FireCluster configuration requires the serial number of the FireboxV virtual machine, which is not available until you save a configuration to the device with its feature key. Make sure each new FireboxV virtual machine that you want to configure in a cluster is deployed with a basic configuration and a feature key already saved to the device. You will then be able to save a configuration with FireCluster enabled to each FireboxV virtual machine, as described in Configure FireCluster Settings.
Make sure you allocate the same resources (network adapters, virtual CPU, and memory) to each FireboxV virtual machine. For more information, go to Configure Resources in VMware ESXi.
Get the Feature Key for the Second Device
Copy the feature key from the second device to a text file, so that you can add it to the FireCluster configuration. To learn how to get a feature key, go to Get a Firebox Feature Key.
To copy the feature key with Policy Manager:
- In WatchGuard System Manager, connect to the virtual machine that will be the second device in the cluster.
- Select Tools > Policy Manager.
- Select Setup > Feature Keys > Details.
- Select and copy the feature key details to a text file.
Configure FireCluster Settings
The steps to configure FireCluster settings on FireboxV are the same as for any other Firebox, except that you must select Active/Passive for a virtual FireCluster.
After you run the FireCluster Setup Wizard, you save the cluster configuration to each of the virtual machines. When they reboot, the cluster forms.
To configure the FireCluster:
- In WatchGuard System Manager, connect to the FireboxV virtual machine that has the configuration you want to use for the cluster.
- Select Tools > Policy Manager.
- Select FireCluster > Setup.
The FireCluster Setup Wizard starts.
- Click Next.
- Select Active/Passive cluster.
Even though you can select it, the Active/Active cluster option is not supported for FireboxV.
- Select the Cluster ID.
The cluster ID uniquely identifies the cluster if you set up more than one cluster on the same layer 2 broadcast domain. If you have only one cluster, you can use the default value of 50.
- Click Next.
- Select a Primary cluster interface.
Select an interface that is connected to a dedicated vSwitch. The cluster interface is dedicated to communication between cluster members and is not used for other network traffic.
- (Optional) Select a Backup cluster interface.
If you select a backup cluster interface, select an interface connected to a second dedicated vSwitch.
- Select the Interface for management IP address.
You use this interface to connect directly to FireCluster member devices for maintenance operations. The cluster master also uses the Management IP address of the backup master to communicate with the backup master about device status and action aggregation. This is not a dedicated interface. It also is used for other network traffic. You cannot select a VLAN interface as the Interface for Management IP address. We recommend that you select the interface that the management computer usually connects to.
Make sure that promiscuous mode is enabled on the vSwitch for the interface you configure as the Interface for management IP address.
- Click Next.
- When prompted by the configuration wizard, add these FireCluster member properties for each device:
Feature Key
For each device, import or download the feature key to enable all features for the device. If you previously imported the feature key in Policy Manager, the wizard automatically uses that feature key for the first device in the cluster.
Serial Number
The serial number of the Firebox. The serial number is used as the Member ID in the FireCluster Configuration dialog box. The wizard sets this automatically when you import or download the feature key for the Firebox.
Member Name
The name that identifies each Firebox in the FireCluster configuration.
Primary cluster interface IP address
The IP address the cluster members use to communicate with each other over the primary cluster interface. The primary cluster interface IP address for each cluster member must be an IPv4 address on the same subnet.
If both devices start at the same time, the cluster member with the highest IP address assigned to the primary cluster interface becomes the master.
Backup cluster interface IP address
(Optional) The IP address the cluster members use to communicate with each other over the backup cluster interface. The backup cluster interface IP address for each cluster member must be an IPv4 address on the same subnet.
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the device. The default interface IP addresses are in the range 10.0.0.1 - 10.0.31.1. The Primary and Backup cluster IP addresses must not be used for anything else on your network, such as virtual IP addresses for Mobile VPN or the IP addresses used by remote branch office networks.
Management IP address
A unique IP address that you can use to connect to an individual Firebox while it is configured as part of a cluster. You must specify a different management IP address for each cluster member. If the interface you chose as the Interface for management IP address has IPv6 enabled, you can optionally configure an IPv6 management IP address.
The IPv4 management IP address can be any unused IP address. We recommend that you use an IP address on the same subnet as the interface you select as the Interface for management IP address. This is to make sure that the address is routable. The management IP address must be on the same subnet as the WatchGuard Log Server or syslog server that your FireCluster sends log messages to.
The IPv6 management IP address must be an unused IP address. We recommend that you use an IPv6 address with the same prefix as an IPv6 address assigned to the interface you selected as the Interface for management IP address. This is to make sure that the IPv6 address is routable.
- Review the configuration summary on the final screen of the FireCluster Setup Wizard. The configuration summary shows the options you selected and which interfaces are monitored for link status.
- Click Finish.
The FireCluster Configuration dialog box appears.
Form the Cluster
To form the cluster, save the configuration file to each FireboxV virtual machine.
- In Policy Manager, select File > Save > To Firebox to save the configuration to the first FireboxV virtual machine.
- In Policy Manager, select File > Save > To Firebox again, and specify the IP address of the second FireboxV virtual machine. You might have to connect to this FireboxV through the virtual environment as both Fireboxes might not be accessible on the same vSwitch.
Policy Manager displays a warning if the IP address that you save the configuration to does not exist in the configuration file.
- Click Yes to confirm that you want to save the file.
Make sure your Firebox cluster interfaces and vSwitches are correctly connected within your virtual environment.
Verify the Cluster Status
To verify that the cluster has formed, connect to a configured interface IP address for the cluster in WatchGuard System Manager or the Web UI. For more information, go to Monitor and Control FireCluster Members.
If the cluster does not form, recheck the connections, particularly the connection between the primary cluster interfaces on each member. If the cluster does not form automatically after a few minutes, reboot or power cycle each virtual machine to trigger the automatic cluster formation.
To troubleshoot cluster issues, go to Troubleshoot FireCluster.