Restore a FireCluster Backup Image

When you save the backup image of a FireCluster, you can later restore that image to both cluster members to return the cluster to a known state. Backup images saved on the cluster master Firebox in Fireware 12.2.1 and higher are automatically copied to the backup master.

To restore a FireCluster backup image, you must restore the image to each cluster member one at a time. As part of the restore procedure, you make cluster members leave the cluster temporarily. When a member leaves the cluster, it remains a member, but the cluster member status changes to standby.

When you restore a backup image, you must use the cluster Management IP address to connect to each cluster member. All other interfaces on the device are inactive until the final step when the backup master rejoins the cluster.

You must connect to the cluster from a workstation that is on the same subnet as the cluster Management IP address. If the Management IP address is a public, routable IP address, you can also connect through the Internet.

For more information about the cluster Management IP address, go to About FireCluster Management IP Addresses.

To restore a backup image to members of a FireCluster we recommend that you use WatchGuard System Manager. If you use Fireware Web UI, you must use Firebox System Manager to rejoin the members to the cluster after you restore the backup image to each member.

In WatchGuard System Manager, you can use Policy Manager and Firebox System Manager to restore the backup image to the cluster members.

Make the Cluster Members Leave the Cluster

  1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to one of the cluster members.
  2. Start Firebox System Manager for the cluster member.
  3. Select Tools > Cluster > Leave.
  4. Type the administrative passphrase. Click OK.
    A message appears.
  5. Click OK.
    The cluster member leaves the cluster and reboots.
  6. Connect to the Management IP address of the second cluster member and repeat these steps to make the second cluster member leave the cluster.

Do not make configuration changes to the cluster master after the backup master has left the cluster.

Restore the Backup Image to the Cluster Members

  1. In WatchGuard System Manager, use the interface for Management IP address to connect to one of the cluster members.
  2. Start Policy Manager for the cluster member.
  3. Restore a Firebox Backup Image.
  4. Connect to the Management IP address of the second cluster member and repeat these steps to restore the same backup image.

Make the Cluster Members Rejoin the Cluster

  1. In WatchGuard System Manager, use the Management IP address to connect to the cluster master.

If the backup image you restored has a different interface for Management IP address for this cluster member or a different passphrase, use the interface for Management IP and passphrase from the backup image to reconnect to the device.

  1. Start Firebox System Manager for the cluster master.
  2. Select Tools > Cluster > Join.
  3. Type the administrative passphrase. Click OK.
    A message appears.
  4. Click OK.
    The cluster master reboots and rejoins the cluster.
  5. Connect to the Management IP address of the backup master and repeat these steps to make the backup master rejoin the cluster.

You can use Fireware Web UI to restore a backup image to each cluster member. You must use Firebox System Manager to rejoin each member to the cluster.

Restore the Backup Image to each Cluster Member

To restore the backup image to a cluster member, in Fireware Web UI:

  1. Use the FireCluster Management IP address to connect to the Fireware Web UI of one cluster member.
    You can restore the backup image to either cluster member first.
  2. Select System > Backup and Restore Image.
    The Backup and Restore Image page appears.

Screenshot of the Backup and Restore Image page.

  1. If you connected to the backup master, click Leave Cluster and Reboot.
    If you connected to the cluster master, select a backup image and click Restore. In the message that appears, click Leave Cluster and Reboot.
    The cluster member reboots in standby status. After the reboot, the other member is the cluster master.
  2. Use the cluster Management IP address for the cluster member to log back into the Web UI.
    In the Web UI, the Firebox does not appear to be a cluster member.
  3. Restore a Firebox Backup Image.
    The device restores the backup image. It restarts and uses the backup image.

Use the Management IP address of the second member to connect to the Web UI and repeat these steps to restore the same backup image to the second member.

Rejoin the Members to the Cluster

After you restore the backup image to each cluster member, use Firebox System Manager to rejoin each member to the cluster.

  1. In WatchGuard System Manager, use the Management IP address to connect to one cluster member.
    The cluster member status is standby.

If the backup image you restored has a different interface for Management IP address for this cluster member or a different passphrase, use the interface for management IP and passphrase from the backup image to reconnect to the device.

  1. Start Firebox System Manager for the cluster member.
  2. Select Tools > Cluster > Join.
  3. Type the administrative passphrase. Click OK.
    A message appears.
  4. Click OK.
    The cluster member reboots and rejoins the cluster.

Repeat these steps with the Management IP address of the second cluster member to rejoin the second member to the cluster.

Related Topics

Create a FireCluster Backup Image

Move a FireCluster Configuration to a New Device Model

FireCluster Diagnostics