About FireCluster Failover

Applies To: Cloud-managed Fireboxes

Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

Each cluster member maintains state and session information at all times. When failover occurs, the packet filter connections, branch office VPN (BOVPN) tunnels, and user sessions from the failed Firebox fail over automatically to the other Firebox in the cluster.

One Firebox is the cluster master and the other Firebox is the backup master. The backup master uses the primary cluster interface to synchronize connection and session information with the cluster master.

If you configure a backup cluster interface, and if the primary cluster interface fails or is disconnected, the backup master uses the backup cluster interface to communicate with the cluster master in some cases. We recommend a backup cluster interface only if you use a switch between cluster interfaces.

The cluster master uses both the primary and backup cluster interfaces to send a heartbeat packet once per second to the backup master.

For information about backup cluster interface best practices, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

Events that Trigger a Failover

For a cloud-managed FireCluster, these events trigger the cluster master to fail over:

Health index is too low

Each cluster member has a Weighted Average Index (WAI) that indicates the overall health of the Firebox. The WAI for a cluster member is a weighted average of the System Health Index (SHI) and Monitored Ports Health Index (MPHI) for that device. If the WAI of the cluster master is lower than the WAI of the backup master, the cluster master fails over.

The Hardware Health Index (HHI) is disabled for cloud-managed FireClusters.

For information about how to see the health index values for a FireCluster, go to Monitor FireClusters.

Lost heartbeat

The cluster master sends a heartbeat packet through the primary and backup cluster interfaces once per second. If the backup master does not receive three consecutive heartbeats from the cluster master, this triggers failover of the cluster master. The threshold for lost heartbeats is three.

Manual failover initiated

In WatchGuard Cloud, when you select Configure > Devices > Fail Over Master, you force the cluster master to fail over to the backup master.

For more information about manual failover, go to Fail Over a FireCluster in WatchGuard Cloud.

For interfaces included in multi-WAN or link aggregation configurations:

  • Multi-WAN — FireCluster failover is triggered when the physical interface is down or does not respond. FireCluster failover is not triggered if multi-WAN failover occurs because of a link monitor failure.
  • Link Aggregation — FireCluster failover is triggered if all Link Aggregation member interfaces fail. FireCluster failover is not triggered if only some Link Aggregation member interfaces fail.
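
The health index and lost heartbeat triggers described above can be modeled as follows. This is an added example, not WatchGuard code. The WAI weights, the sample index values, the member names, and the rule that a heartbeat received on either cluster interface counts are assumptions, because the page does not state them.

```python
from dataclasses import dataclass

LOST_HEARTBEAT_THRESHOLD = 3        # from the page: three consecutive missed heartbeats
SHI_WEIGHT, MPHI_WEIGHT = 0.5, 0.5  # assumption: the page does not state the weights


@dataclass
class Member:
    name: str
    shi: float    # System Health Index (constructed sample scale)
    mphi: float   # Monitored Ports Health Index

    def wai(self) -> float:
        """Weighted Average Index: weighted mean of SHI and MPHI (HHI is disabled)."""
        total = SHI_WEIGHT + MPHI_WEIGHT
        return (SHI_WEIGHT * self.shi + MPHI_WEIGHT * self.mphi) / total


def health_failover(master: Member, backup: Member) -> bool:
    """True when the master's WAI is strictly lower than the backup's."""
    return master.wai() < backup.wai()


def lost_heartbeat_failover(slots, use_backup_interface=True):
    """Return the one-second slot index at which the third consecutive
    heartbeat is missed, or None. Each slot is (primary_ok, backup_ok).
    Assumption: a heartbeat seen on either cluster interface counts."""
    missed = 0
    for second, (primary_ok, backup_ok) in enumerate(slots):
        received = primary_ok or (use_backup_interface and backup_ok)
        missed = 0 if received else missed + 1
        if missed >= LOST_HEARTBEAT_THRESHOLD:
            return second
    return None


# Constructed sample data, one tuple per second of heartbeat traffic.
SLOTS = [(True, True), (False, True), (False, False), (False, False),
         (True, False), (False, False), (False, False), (False, False)]
MASTER = Member("member-1", shi=90, mphi=60)    # a monitored port is down
BACKUP = Member("member-2", shi=85, mphi=100)

if __name__ == "__main__":
    print("WAI:", MASTER.wai(), BACKUP.wai(), "->", health_failover(MASTER, BACKUP))
    print("both interfaces:", lost_heartbeat_failover(SLOTS))
    print("primary only:  ", lost_heartbeat_failover(SLOTS, use_backup_interface=False))
```

In the sample data, a single heartbeat that arrives in slot 4 resets the count, so two separate runs of two missed heartbeats do not trigger failover; only the third consecutive miss does.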

What Happens When a Failover Occurs

When the cluster master fails over, the backup master becomes the cluster master. The original cluster master rejoins the cluster as the backup master. The cluster maintains all packet filter connections, branch office VPN (BOVPN) tunnels, and user sessions.

If the backup master fails, connections and sessions are not interrupted because traffic is not assigned to the backup master in an active/passive FireCluster.

| Connection/Session Type | Impact of a Failover Event |
| --- | --- |
| Packet filter connections | Connections fail over to the other cluster member. |
| Branch office VPN (BOVPN) tunnels | Tunnels fail over to the other cluster member. |
| User sessions | Sessions fail over to the other cluster member. |
| Proxy connections | Connections assigned to the failed Firebox (master or backup master) must be restarted. Connections assigned to the other Firebox are not interrupted. |
| Mobile VPN with SSL | If either Firebox fails over, all sessions must be restarted. |
| Mobile VPN with IKEv2 | If the cluster master fails over, all sessions must be restarted. If the backup master fails, only the sessions assigned to the backup master must be restarted. Sessions assigned to the cluster master are not interrupted. |

Monitor a FireCluster Failover

On the Device Settings page, you can see which cluster member is the cluster master. Cloud-managed FireClusters use active/passive mode only, which means only the cluster master connects to WatchGuard Cloud. The status of the cluster master is Connected. The status of the backup master is Not Connected. For more information about the Device Settings page, go to Configure Device Settings in WatchGuard Cloud.

On the Live Status > FireCluster page, you can see a list of cluster events, which includes cluster failover events. For more information about the FireCluster Live Status page, go to Monitor FireClusters.

FireCluster Failover and Subscription Services

If you enable licensed subscription services for your FireCluster, the services continue to operate after failover. For a cloud-managed FireCluster, you must enable the subscription services in the feature key for only one cluster member. The active cluster member uses the subscription services that are active in the feature key of either cluster member.

For more information about feature keys and FireCluster, go to About Feature Keys and FireCluster.

Related Topics

About FireCluster in WatchGuard Cloud

Manage FireCluster Logging in WatchGuard Cloud

Configure an RMA Replacement for a Cloud-Managed FireCluster Member