Add a Cloud-Managed FireCluster

This document applies to Fireboxes you manage in WatchGuard Cloud. For information that applies to Fireboxes managed in Fireware Web UI or WatchGuard System Manager, go to:

• Configure FireCluster (Locally-managed FireCluster)

1. Reset both Fireboxes to factory-default settings. For more information, go to Reset a Firebox.
2. Log in to your WatchGuard Cloud Subscriber account.
3. Select Configure > Devices.
4. Click Add Device.
   A list of activated devices appears. If the list does not include your devices, review the requirements in Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

5. Click Add FireCluster.
   The selection page for the first FireCluster member opens.

6. To add the first FireCluster member, click a Firebox name.
   The selection page for the second FireCluster member opens.

7. To add the second FireCluster member, do one of the following:
   • From the list of devices, click a Firebox name.
     Selected FireCluster members appear next to the device list.
   • Enter the serial number of the second FireCluster member and click Add.
     

8. Click Add FireCluster.
   A confirmation page opens.

9. From the FireCluster Management drop-down list, select Cloud Management.
   
10. Click Next.
    The Begin Setting up Your FireCluster page opens.

• Enter the FireCluster Name.
• Enter the Member1 Name.
• Enter the Member2 Name.
• Select a Time Zone. The time zone settings control the date and time that appear in the log messages and reports for your FireCluster.
• Select the device folder for your Firebox. Device Folders help you to view status and summary data for groups of devices.
  If you only have one root folder, the folder list does not appear.

11. Click Next.
12. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets and to synchronize connection and session information.

13. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
14. In the Cluster ID text box, enter a number between 1 and 255. The default cluster ID is 50.
    The Cluster ID determines the virtual MAC (VMAC) addresses that cluster member interfaces use. If you add a second FireCluster to the same subnet, enter a Cluster ID that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict. For information about how the VMAC address is calculated, go to Active/Passive Cluster ID and the Virtual MAC Address.
15. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster members separated by a switch without a direct cable connection between cluster members. For more information about this setting, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

If you use both primary and backup cluster interfaces, the interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster members, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

16. Click Next.
17. From the IP Address Configuration drop-down list, select Static, DHCP, or PPPoE.
18. If you selected Static:
    1. In the IP Address text box, enter an IP address for the external interface.
    2. In the Gateway text box, enter an IP address for the gateway.
    3. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

19. If you selected DHCP or PPPoE:
    1. Select Obtain an IP address automatically or Use this IP address.
    2. Enter the Client Name.
    3. Enter the Host Name.
    4. If you selected Use this IP address, enter an IP address.
20. Click Next.
21. Enter the Internal Network IP Address.
22. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
23. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
24. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

25. Click Next.
26. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

Click Next.

27. Enter the passwords for the built-in Status and Admin user accounts.
    • Enter a Status Password.
    • Enter an Admin Password. This password must be different than the status password.

28. To complete the FireCluster configuration, click Next.
    
29. Follow the instructions on the Connect Your FireCluster page.

1. Connect the primary cluster interface on one Firebox to the primary cluster interface on the other Firebox.
2. On both Fireboxes, connect interface 0 to an Internet connection.
3. Plug in and power on both Fireboxes.

For information about cabling and network topology, go to Connect the Hardware for a Cloud-Managed FireCluster.

30. Click Done.

1. Sign in to your WatchGuard Cloud Subscriber account.
   For Service Provider operators, from Account Manager, select My Account.
2. Select Configure > Devices.
3. Select the FireCluster.
   The Device Settings page opens.
4. In the Cloud Management section, click Change to Cloud Management.
   The Add Device wizard opens.
5. (Optional) Edit the FireCluster Name.
6. (Optional) Edit the Member1 Name.
7. (Optional) Edit the Member2 Name.
8. (Optional) Edit the Time Zone.
9. Click Next.
10. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets, and to synchronize connection and session information.
    
11. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
    
12. In the Cluster ID text box, enter a number between 1 and 255.
    The Cluster ID determines the virtual MAC (VMAC) addresses used by the interfaces of the clustered devices. If you add a second FireCluster to the same subnet, set the Cluster ID to a number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict. For information on how the VMAC address is calculated, go to Active/Passive Cluster ID and the Virtual MAC Address.
    

13. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster configurations without a direct cable connection between cluster members. For more information about this setting, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

If you use both primary and backup cluster interfaces, the interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster members, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

14. Click Next.
15. (Optional) Edit the IP Address Configuration. From the drop-down list, select Static, DHCP, or PPPoE.
16. In the IP Address text box, enter an IP address for the external interface.
17. In the Gateway text box, enter an IP address for the gateway.
18. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

19. Click Next.
20. (Optional) Edit the Internal Network IP Address.
21. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
22. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
23. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

24. Click Next.
25. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

26. Enter the passwords for the built-in Status and Admin user accounts.
    • Enter a Status Password.
    • Enter an Admin Password. This password must be different than the status password.

27. To complete the configuration and change to cloud management, click OK.
    The confirmation page appears.

28. Click Done.

After you deploy the configuration change, the cloud-managed configuration replaces the locally-managed configuration on the Firebox. You can no longer locally manage the FireCluster in WatchGuard System Manager, Fireware Web UI, or CLI.

29. Schedule a deployment.
    For more information, go to Manage Device Configuration Deployment.
30. In WatchGuard Cloud, go to Monitor > Devices and view the Device Summary of the FireCluster to verify the connection to WatchGuard Cloud.

Only the cluster master connects to WatchGuard Cloud.

• The status of the cluster master is Connected.
• The status of the backup master is Never Connected or Not Connected because the backup master will only be connected if the current cluster master is unavailable.