Quick Start — Set Up a Cloud-Managed FireCluster

Applies To: Cloud-managed Fireboxes

This document applies to Fireboxes you manage in WatchGuard Cloud. For information that applies to Fireboxes managed in Fireware Web UI or WatchGuard System Manager, go to:

Overview

You can add and manage an active/passive cloud-managed FireCluster in WatchGuard Cloud.

  • If you have two cloud-managed Fireboxes that you have not yet configured as a FireCluster, use the method described in this section.
  • Both Fireboxes must have factory-default settings.

Before you add a cloud-managed FireCluster, learn about the requirements and plan your configuration. For more information, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

  1. Reset both Fireboxes to factory-default settings. For more information, go to Reset a Firebox.
  2. Log in to your WatchGuard Cloud Subscriber account.
  3. Select Configure > Devices.
  4. Click Add Device.
    A list of activated devices appears. If the list does not include your devices, review the requirements in Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

Screen shot of the Add Device Wizard for FireCluster (first page)

  1. Click Add FireCluster.
    The selection page for the first FireCluster member opens.

Screen shot of the Add Device Wizard device list for FireCluster

  1. To add the first FireCluster member, click a Firebox name.
    The selection page for the second FireCluster member opens.

Screen shot of the Add Device Wizard (Member2)

  1. To add the second FireCluster member, do one of the following:
    • Enter the serial number of the second FireCluster member and click Add.
    • From the list of devices, click a Firebox name.
      Selected FireCluster members appear next to the device list.

Screen shot of the Add Device Wizard (both members selected)

  1. Click Add FireCluster.
    A confirmation page opens.

Screen shot of the Add Device Wizard confirmation page for FireCluster

  1. From the FireCluster Management drop-down list, select Cloud Management.
  2. Click Next.

Screen shot of the Add Device Wizard name, time zone, and folder configuration page for FireCluster

  • Enter the FireCluster Name.
  • Enter the Member1 Name.
  • Enter the Member2 Name.
  • Select a Time Zone. The time zone settings control the date and time that appear in the log messages and reports for your FireCluster.
  • Select the device folder for your Firebox. Device Folders help you to view status and summary data for groups of devices.
    If you only have one root folder, the folder list does not appear.

Click Next.

  1. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets and to synchronize connection and session information.
  2. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
  3. In the Cluster ID text box, enter a number between 1 and 255. The default cluster ID is 50.
    The Cluster ID determines the virtual MAC (VMAC) addresses that cluster member interfaces use. If there is another FireCluster or any devices that use the VRRP protocol on the same subnet, enter a Cluster ID that is different from the Cluster ID of another FireCluster to avoid a virtual MAC address conflict. For information about how the VMAC address is calculated, go to Active/Passive Cluster ID and the Virtual MAC Address.

Screen shot of the FireCluster interface settings

  1. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster configurations without a direct cable connection between cluster members. For more information about this setting, go to Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

    If you use both primary and backup cluster interfaces, the interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster members, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

Screen shot of a FireCluster configuration with a Backup Cluster Interface

  1. Click Next.
  2. From the IP Address Configuration drop-down list, select Static, DHCP, or PPPoE.
  3. If you selected Static:
    1. In the IP Address text box, enter an IP address for the external interface.
    2. In the Gateway text box, enter an IP address for the gateway.
    3. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

Screen shot of the external interface settings for FireCluster

  1. If you selected DHCP or PPPoE:
    1. Select Obtain an IP address automatically or Use this IP address.
    2. Enter the Client Name.
    3. Enter the Host Name.
    4. If you selected Use this IP address, enter an IP address.
  2. Click Next.
  3. Enter the Internal Network IP Address.
  4. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
  5. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
  6. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

Screen shot of the internal interface settings for FireCluster

  1. Click Next.
  2. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

Screen shot of the Configure Wireless Settings page

  1. Enter a Status Password.
  2. Enter an Admin Password. This password must be different than the status password.

Screen shot of the Password Configuration page

  1. To complete the FireCluster configuration, click Next.
  2. Follow the instructions on the Connect Your FireCluster page.

For information about cabling and network topology, go to Step 3 — Connect the Hardware.

Screen shot of the finish page of the Add Device Wizard for FireCluster

  1. Click Done.
  • Follow the instructions on the Connect Your FireCluster page.
  • To use a USB drive, you must click Download the connection settings file on the Connect Your FireCluster page now. You cannot return to this page later.

Screen shot of the finish page of the Add Device Wizard for FireCluster with static IP address

You must connect locally to one of the Fireboxes to configure a connection between the Firebox and WatchGuard Cloud. Use one of these methods:

  • Web Setup Wizard — Manually specify the connections settings in the Web Setup Wizard, which is part of the local operating system on the Firebox.
  • USB drive — Download and save a preconfigured connection settings file to a USB drive. The Firebox uses the file to automatically configure the connection settings. The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than one partition, Fireware only uses the first partition.

After you add the FireCluster, complete the cable configuration:

  1. Remove the interface 1 cable from your computer.
  2. Connect the interface 1 cable to your network equipment. For information about cabling and network topology, go to Connect the Hardware for a Cloud-Managed FireCluster.

Step 3 — Connect the Hardware

To connect two Fireboxes in a cloud-managed FireCluster configuration:

  1. Use an Ethernet cable to connect the cluster interface on one Firebox to the cluster interface on the other Firebox. You can use a straight or crossover cable.

    We strongly recommend you use direct connections for the cluster interfaces between each cluster member. Network equipment between the cluster interfaces such as switches introduce additional points of failure and latency. If cluster members are separated by a switch, the cluster interfaces must be on the same broadcast domain.

  1. (Optional) If you configure the backup cluster interface, use a second Ethernet cable to connect the backup cluster interfaces.
    The primary and backup cluster interfaces must be on different subnets.

    If you use both primary and backup cluster interfaces, the interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster members, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

  1. Connect the external interface of each Firebox to a network switch or VLAN. If you use Multi-WAN, connect the second external interface of each Firebox to another network switch.
  2. Connect the trusted interface of each device to an internal network switch or VLAN.
  3. For each Firebox, connect the other trusted or optional network interfaces to the internal network switch for that Firebox.

You must connect each pair of network interfaces to a separate local network or VLAN.

WARNING: If any interface on the Firebox configuration uses the IP address 10.0.1.1, do not connect the trusted and optional network interfaces of the second device to the switches until after the cluster has been formed. This avoids an IP address conflict when you start the second device with factory-default settings. The devices use the cluster interfaces to form the cluster. After the you save the configuration to the cluster master, and the cluster is active, connect each of the trusted and optional interfaces of the second device to the appropriate switches.

This diagram shows connections for a simple cloud-managed FireCluster configuration.

Diagram of a simple FireCluster setup

In this example, the FireCluster has one external and one trusted interface connected to network switches. The cluster interfaces are connected by an Ethernet cable.

In WatchGuard Cloud, go to Monitor > Devices and view the Device Summary of the FireCluster to verify the connection to WatchGuard Cloud.

Only the cluster master connects to WatchGuard Cloud.

  • The status of the cluster master is Connected.
  • The status of the backup master is Never Connected or Not Connected because the backup master will only be connected if the current cluster master is unavailable.

Screen shot of the Device Summary page for a Firebox with FireCluster status

Related Topics

About FireCluster in WatchGuard Cloud

Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud

Remove a FireCluster from WatchGuard Cloud

Troubleshoot a FireCluster in WatchGuard Cloud