About FireCluster in WatchGuard Cloud
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
To increase network performance and scalability, you can configure a FireCluster. FireCluster is the high availability (HA) solution for WatchGuard Fireboxes.
For quick start instructions on how to add an active/passive FireCluster in WatchGuard Cloud, go to Quick Start — Set Up a Cloud-Managed FireCluster.
- A FireCluster includes two Fireboxes configured as cluster members.
- If the active cluster member fails, the passive cluster member takes over.
When you add a FireCluster to WatchGuard Cloud, you select how to manage the FireCluster:
- Cloud-managed — With this option, you use WatchGuard Cloud for all FireCluster configuration management, monitoring, and reporting.
- Locally-managed — With this option, you can use WatchGuard Cloud for FireCluster monitoring and reporting. You can also upgrade, fail over, and reboot the FireCluster in WatchGuard Cloud. To manage the FireCluster configuration, you must use WatchGuard System Manager, Fireware Web UI, or the CLI.
This topic explains:
- Requirements
- Cluster Types
- Failover
- Member roles
- Supported Firebox features
- How to add a FireCluster
- How to manage and monitor a FireCluster
Requirements
Before you add a cloud-managed FireCluster, learn about the requirements and plan your configuration. For information about FireCluster requirements, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
Cluster Types
In WatchGuard Cloud, you can add:
- A cloud-managed FireCluster in active/passive mode
- A locally-managed FireCluster in active/passive or active/active mode
In an active/passive cluster, one cluster member is active and the other is passive. The active cluster member handles all network traffic. The passive cluster member actively monitors the status of the active cluster member. Traffic for the traffic interfaces of either cluster member is delivered to both cluster members, because both members share the same virtual MAC address (VMAC).
If the active cluster member fails, the passive cluster member takes over the connections assigned to the failed cluster member. The passive cluster member becomes the active cluster member. This process is known as failover.
All cloud-managed FireClusters use active/passive mode. You cannot configure a cloud-managed FireCluster to use active/active mode. For information about active/active mode on a locally-managed FireCluster, go to About FireCluster.
About FireCluster and Link Aggregation
Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
You can also enhance performance and achieve full redundancy with a FireCluster by configuring link aggregation. Link aggregation enables a group of physical interfaces to function as a single logical interface.
For more information, go to About Link Aggregation and Configure Link Aggregation for a FireCluster in WatchGuard Cloud.
FireCluster failover is triggered if all LAG interfaces fail. FireCluster failover is not triggered if only some LAG interfaces fail.
Topology
This diagram shows connections for a simple cloud-managed FireCluster configuration.
This diagram shows connections for a cloud-managed FireCluster configuration and multiple internal networks.
Failover
When a cluster member fails, the cluster fails over and maintains:
- Packet filter connections
- BOVPN tunnels
- User sessions
When failover occurs, these connections might be disconnected:
- Proxy connections
- Mobile VPN connections
Mobile VPN users might have to manually restart the VPN connection after a failover.
Some events cause a FireCluster to automatically fail over. For information about automatic failover for cloud-managed FireClusters, go to About FireCluster Failover.
In WatchGuard Cloud, you can manually force a FireCluster to fail over. For information about manual failover, go to Fail Over a FireCluster in WatchGuard Cloud.
Member Roles
It is important to understand the roles each Firebox can play in the cluster.
Cluster master
This cluster member assigns network traffic flows to cluster members and responds to all requests from external systems such as WatchGuard Cloud, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the cluster configuration, you save the cluster configuration to the cluster master. The cluster master can be either device. The first device in a cluster to power on becomes the cluster master.
Backup master
This cluster member synchronizes all necessary information with the cluster master so that it can become the cluster master if the master fails. In an active/passive cluster, the backup cluster master is passive.
Active member
This can be any cluster member that actively handles traffic flow. In an active/passive cluster, the cluster master is the only active device.
Passive member
A Firebox in an active/passive cluster that does not handle network traffic flows unless an active device fails over. In an active/passive cluster, the passive member is the backup cluster master.
Supported Firebox Features
When FireCluster is enabled, your Fireboxes continue to support these features:
- Secondary networks on internal, external, and guest interfaces
- VLANs
- Link aggregation — FireCluster failover is triggered if all Link Aggregation member interfaces fail. FireCluster failover is not triggered if only some Link Aggregation member interfaces fail.
- Multi-WAN connections — FireCluster failover is not triggered if multi-WAN failover occurs because of a link monitor failure. FireCluster failover is triggered when the physical interface is down or does not respond.
For information about features not supported for a cloud-managed FireCluster, go to Unsupported Features for a Cloud-Managed FireCluster.
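The failover triggers described above (standalone interface down, partial versus complete LAG member failure, multi-WAN link monitor failure) are easy to misread when planning an outage test. The following model encodes those documented rules so an administrator can check which outage combinations cause a cluster failover. This is an added illustration, not WatchGuard code; the interface names, LAG name and states are constructed sample data.

```python
"""Model of the FireCluster failover triggers documented for cloud-managed clusters.

Added example (not WatchGuard code). Rules modelled, as stated in the topic:
  * A standalone physical interface that is down or not responding triggers failover.
  * A multi-WAN failover caused only by a link monitor failure does not trigger
    cluster failover while the physical link itself is still up.
  * A link aggregation (LAG) group triggers failover only when ALL of its member
    interfaces are down; failure of only some members does not.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    link_up: bool = True           # physical link state
    link_monitor_ok: bool = True   # multi-WAN link monitor probe result
    lag: Optional[str] = None      # name of the LAG this interface belongs to, if any


def failover_reasons(interfaces: List[Interface]) -> List[str]:
    """Return the documented conditions in this interface set that trigger failover."""
    reasons: List[str] = []
    lag_members: Dict[str, List[Interface]] = {}
    for itf in interfaces:
        if itf.lag is not None:
            # LAG members are judged as a group below, not individually.
            lag_members.setdefault(itf.lag, []).append(itf)
        elif not itf.link_up:
            reasons.append(f"physical interface {itf.name} is down")
        # link_up is True but link_monitor_ok is False: multi-WAN failover only,
        # which the topic says does not trigger FireCluster failover.
    for lag, members in lag_members.items():
        if all(not m.link_up for m in members):
            reasons.append(f"all member interfaces of {lag} are down")
    return reasons


def triggers_failover(interfaces: List[Interface]) -> bool:
    return bool(failover_reasons(interfaces))


if __name__ == "__main__":
    # Constructed scenario: one LAG member down, one WAN link monitor failing.
    sample = [
        Interface("eth0", link_monitor_ok=False),          # WAN probe failing, link up
        Interface("eth2", link_up=False, lag="lag0"),      # one LAG member down
        Interface("eth3", lag="lag0"),                     # other LAG member up
    ]
    print("failover:", triggers_failover(sample), failover_reasons(sample))
```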
Add a FireCluster
You can add a cloud-managed or locally-managed FireCluster in WatchGuard Cloud. If you add a locally-managed FireCluster to WatchGuard Cloud for visibility, you can change the management type to cloud-managed at a later time.
For more information, go to:
- Add a Cloud-Managed FireCluster
- Add a Locally-Managed FireCluster to WatchGuard Cloud
- Change the FireCluster Management Type
Manage and Monitor a FireCluster
For both cloud-managed and locally-managed FireClusters, you can use WatchGuard Cloud to:
- Upgrade a FireCluster in WatchGuard Cloud
- Reboot a Cluster Member in WatchGuard Cloud
- Fail Over a FireCluster in WatchGuard Cloud
- Monitor a FireCluster
- Troubleshoot a FireCluster
- Manage FireCluster Logging in WatchGuard Cloud
- Change the FireCluster Management Type
- Remove a FireCluster from WatchGuard Cloud
For cloud-managed clusters, you can also: