Add a Cloud-Managed FireCluster

1. Reset both Fireboxes to factory-default settings. For more information, go to Reset a Firebox.
2. Log in to your WatchGuard Cloud Subscriber account.
3. Select Configure > Devices.
4. Click Add Device.
   A list of activated devices appears. If the list does not include your devices, review the requirements in Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

5. Click Add FireCluster.
   The selection page for the first FireCluster member opens.

6. To add the first FireCluster member, click a Firebox name.
   The selection page for the second FireCluster member opens.

7. To add the second FireCluster member, do one of the following:
   • Enter the serial number of the second FireCluster member and click Add.
   • From the list of devices, click a Firebox name.
     Selected FireCluster members appear next to the device list.
     

8. Click Add FireCluster.
   A confirmation page opens.

9. From the FireCluster Management drop-down list, click Cloud Management.
   
10. Click Next.
11. Enter the FireCluster Name.
12. Enter the Member1 Name.
13. Enter the Member2 Name.
14. Select a Time Zone. The time zone settings control the date and time that appear in the log messages and reports for your FireCluster.
15. Select the device folder for your Firebox. Device Folders help you to see status and summary data for device groups.
    If you only have one root folder, the folder list does not appear.
16. Click Next.
17. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets and to synchronize connection and session information.
    
18. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
19. In the Cluster ID text box, enter a number between 1 and 255. The default cluster ID is 50.
    The Cluster ID determines the virtual MAC (VMAC) addresses that cluster member interfaces use. If you add a second FireCluster to the same subnet, enter a Cluster ID that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict. For information about how the VMAC address is calculated, go to Active/Passive Cluster ID and the Virtual MAC Address.

20. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster configurations without a direct cable connection between cluster members. For more information about this setting, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

The primary and backup cluster interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

21. Click Next.
22. From the IP Address Configuration drop-down list, select Static, DHCP, or PPPoE.
23. If you selected Static:
    1. In the IP Address text box, enter an IP address for the external interface.
    2. In the Gateway text box, enter an IP address for the gateway.
    3. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

24. If you selected DHCP or PPPoE:
    1. Select Obtain an IP address automatically or Use this IP address.
    2. Enter the Client Name.
    3. Enter the Host Name.
    4. If you selected Use this IP address, enter an IP address.
25. Click Next.
26. Enter the Internal Network IP Address.
27. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
28. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
29. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

30. Click Next.
31. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

32. Enter a Status Password.
33. Enter an Admin Password. This password must be different than the status password.

34. To complete the configuration and change to cloud management, click OK.
    The configuration change deploys automatically.

If you selected the static IP address option, before you click Done:

1. Follow the instructions on the Connect Your FireCluster page.
2. To use a USB drive, you must click Download the connection settings file on the Connect Your FireCluster page now. You cannot return to this page later.

1. Sign in to your WatchGuard Cloud Subscriber account.
   For Service Provider operators, from Account Manager, select My Account.
2. Select Configure > Devices.
3. Select the FireCluster.
   The Device Settings page opens.
4. In the Cloud Management section, click Change to Cloud Management.
   The Add Device wizard opens.
5. (Optional) Edit the FireCluster Name.
6. (Optional) Edit the Member1 Name.
7. (Optional) Edit the Member2 Name.
8. (Optional) Edit the Time Zone.
9. Click Next.
10. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets, and to synchronize connection and session information.
    
11. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
    
12. In the Cluster ID text box, enter a number between 1 and 255.
    The Cluster ID determines the virtual MAC (VMAC) addresses used by the interfaces of the clustered devices. If you add a second FireCluster to the same subnet, set the Cluster ID to a number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict. For information on how the VMAC address is calculated, go to Active/Passive Cluster ID and the Virtual MAC Address.
    

13. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster configurations without a direct cable connection between cluster members. For more information about this setting, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

The primary and backup cluster interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

14. Click Next.
15. (Optional) Edit the IP Address Configuration. From the drop-down list, select Static, DHCP, or PPPoE.
16. In the IP Address text box, enter an IP address for the external interface.
17. In the Gateway text box, enter an IP address for the gateway.
18. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

19. Click Next.
20. (Optional) Edit the Internal Network IP Address.
21. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
22. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
23. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

24. Click Next.
25. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

26. Enter a Status Password.
27. Enter an Admin Password. This password must be different than the status password.

28. To complete the configuration and change to cloud management, click OK.
    The confirmation page appears.

29. Click Done.

After you deploy the configuration change, the cloud-managed configuration replaces the locally-managed configuration on the Firebox. You can no longer locally manage the FireCluster in WatchGuard System Manager, Fireware Web UI, or CLI.

30. Schedule a deployment.
    For more information, go to Manage Device Configuration Deployment.
31. To verify the FireCluster connection to WatchGuard Cloud, go to the Device Summary page.

Only the cluster master connects to WatchGuard Cloud.

• The status of the cluster master is Connected.
• The status of the backup master is Never Connected (has not yet connected to WatchGuard Cloud for the first time), or Not Connected (is not currently connected to WatchGuard Cloud).