Configure a FireCluster on VMware ESXi
You can configure two FireboxV virtual machines as an active/passive FireCluster. We recommend that you complete the virtual network setup on the hypervisor before you configure the FireboxV devices you want to cluster.
This topic explains the Requirements and shows the planning and configuration steps:
- Plan Your Configuration
- Configure Network Switches
- Configure the Cluster
- Deploy and Provision two FireboxV Virtual Machines
- Get the Feature Key for the Second Device
- Configure FireCluster Settings
- Form the Cluster
Make sure that you have these items:
- Two WatchGuard FireboxV virtual machines of the same model
The same version of Fireware on each device
- The feature key for each virtual machine
- One vSwitch configured for each cluster interface
- One vSwitch for each active traffic interface
- WatchGuard System Manager, to edit the FireCluster configuration
You must verify that your FireCluster, network, and ESXi configurations meet all requirements. FireCluster in a VMware environment does not operate as expected if these requirements are not met.
Active/active FireCluster is not supported for VMware ESXi. You must configure an active/passive FireCluster.
Make sure your network and ESXi configurations meet the requirements.
- Each interface type should be in the same broadcast domain across both cluster members.
The backup master broadcasts a gratuitous ARP (GARP) to become the cluster master during cluster failover. The other cluster member must be on the same broadcast domain to receive this broadcast.
- All clients protected by the cluster must be able to communicate to both cluster members.
This means that you must verify that all packets destined for the FireboxV can be delivered successfully to both cluster members. VMware does not send traffic from clients on the same ESXi host as a cluster member to the other cluster member on a different ESXi host. These clients cannot pass traffic through the cluster unless they are on the same ESXi host as the active cluster member. Clients on the same ESXi host as the passive cluster member cannot pass traffic through the cluster. This behavior occurs because the ESXi host believes the virtual MAC (VMAC) address shared by the cluster members exists only on that ESXi host. As a result, the ESXi host does not forward traffic that is attempting to pass through the cluster to the active cluster member on the other ESXi host.
- GARP must be enabled on the vSwitches.
After a cluster failover, the new cluster master sends a GARP. The vSwitches use information in the GARP to learn how to route traffic after the cluster failover.
- For all FireboxV interfaces, the Forged Transmits setting in VMWare must be configured as Accept. This is the default setting.
- The vSwitch for the external interface must be configured to accept MAC address changes.
- The vSwitch for the FireCluster management interface must have promiscuous mode enabled.
- The vSwitch that connects to each cluster interface must be dedicated to this purpose.
For hardware and software redundancy, you could configure:
- Two ESXi hosts connected to a vSwitch with multiple physical switches between them
- FireCluster master and backup members each configured on a different ESXi host
This configuration adds redundancy because the FireCluster can fail over in the case of a software or hardware failure.
Before you enable FireCluster, we recommend you identify the vSwitch, network interface, and network addresses to use. For FireCluster, the external interface must use a static IP address. A clear plan helps you configure the interface IP addresses and configure the vSwitch settings as required for each interface. For example, you could create a list that looks something like this
|FireCluster Option||vSwitch Name||FireboxV or XTMv
|Primary cluster interface||HA-net||9||
Member 1: 10.10.5.1/24
Member 2: 10.10.5.2/24
|Interface for management IP address||Trusted-net||1||
Member 1: 10.10.1.2/24
Member 2: 10.10.1.3/24
|External interface||External-net||0||203.0.113.2 /24|
You must configure a vSwitch for each interface you want to enable. We recommend you do this before you enable FireCluster. Before you enable FireCluster, make sure that the switches are configured to meet the requirements stated in the Requirements section.
For more information about switch configuration, see Configure Resources in VMware ESXi.
After you have planned your network and configured the vSwitches, you can set up the FireboxV virtual machines and enable FireCluster.
To create a FireCluster with two new FireboxV virtual machines, use the procedure in the previous section to deploy and activate two FireboxV devices. If you want to enable FireCluster for an existing FireboxV virtual machine, deploy and activate one additional FireboxV virtual machine. For more information, see Deploy FireboxV or XTMv on VMware ESXi.
Allocate the same resources (network adapters, virtual CPU, and memory) to each FireboxV virtual machine. For more information, see Configure Resources in VMware ESXi.
Copy the feature key from the second device to a text file, so that you can add it to the FireCluster configuration.
To copy the feature key with Policy Manager:
- In WatchGuard System Manager, connect to the virtual machine that will be the second device in the cluster.
- Select Tools > Policy Manager.
- Select Setup > Feature Keys > Details.
- Select and copy the feature key details to a text file.
The steps to configure FireCluster settings on FireboxV are the same as for any other Firebox, except that you must select Active/Passive for a virtual FireCluster.
After you run the FireCluster Setup Wizard, you save the cluster configuration to each of the virtual machines. When they reboot, the cluster forms.
To configure the FireCluster:
- In WatchGuard System Manager, connect to the FireboxV or XTMv virtual machine that has the configuration you want to use for the cluster.
- Select Tools > Policy Manager.
- Select FireCluster > Setup.
The FireCluster Setup Wizard starts.
- Click Next.
- Select Active/Passive cluster.
Even though you can select it, the Active/Active cluster option is not supported for FireboxV.
- Select the Cluster ID.
The cluster ID uniquely identifies the cluster if you set up more than one cluster on the same layer 2 broadcast domain. If you have only one cluster, you can use the default value of 1.
- Click Next.
- Select a Primary cluster interface.
Select an interface that is connected to a dedicated vSwitch. The cluster interface is dedicated to communication between cluster members and is not used for other network traffic.
- (Optional) Select a Backup cluster interface.
If you select a backup cluster interface, select an interface connected to a second dedicated vSwitch.
- Select the Interface for management IP address.
You use this interface to connect directly to FireCluster member devices for maintenance operations. The cluster master also uses the Management IP address of the backup master to communicate with the backup master about device status and action aggregation. This is not a dedicated interface. It also is used for other network traffic. You cannot select a VLAN interface as the Interface for Management IP address. We recommend that you select the interface that the management computer usually connects to.
Make sure that promiscuous mode is enabled on the vSwitch for the interface you configure as the Interface for management IP address.
- Click Next.
- When prompted by the configuration wizard, add these FireCluster member properties for each device:
For each Firebox, add the feature key to get the device serial numbers and to enable all features. For the first cluster member, the wizard automatically uses the feature key that exists in the configuration file.
The name that identifies each Firebox in the FireCluster configuration.
Primary cluster interface IP address
The IP address the cluster members use to communicate with each other over the primary cluster interface. The primary cluster interface IP address for each cluster member must be an IPv4 address on the same subnet.
If both devices start at the same time, the cluster member with the highest IP address assigned to the primary cluster interface becomes the master.
Backup cluster interface IP address
(Optional) The IP address the cluster members use to communicate with each other over the backup cluster interface. The backup cluster interface IP address for each cluster member must be an IPv4 address on the same subnet.
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the device. The default interface IP addresses are in the range 10.0.0.1 - 10.0.17.1. The Primary and Backup cluster IP addresses must not be used for anything else on your network, such as virtual IP addresses for Mobile VPN, and the IP addresses used by remote branch office networks.
Management IP address
A unique IP address that you can use to connect to an individual Firebox while it is configured as part of a cluster. You must specify a different management IP address for each cluster member. If the interface you chose as the Interface for management IP address has IPv6 enabled, you can optionally configure an IPv6 management IP address.
The IPv4 management IP address can be any unused IP address. We recommend that you use an IP address on the same subnet as the interface you select as the Interface for management IP address. This is to make sure that the address is routable. The management IP address must be on the same subnet as the WatchGuard Log Server or syslog server that your FireCluster sends log messages to.
The IPv6 management IP address must be an unused IP address. We recommend that you use an IPv6 address with the same prefix as an IPv6 address assigned to the interface you selected as the Interface for management IP address. This is to make sure that the IPv6 address is routable.
- Review the configuration summary on the final screen of the FireCluster Setup Wizard. The configuration summary shows the options you selected and which interfaces are monitored for link status.
- Click Finish.
The FireCluster Configuration dialog box appears.
To form the cluster, save the configuration file to each FireboxV virtual machine.
- In Policy Manager, select File > Save > To Firebox to save the configuration to the first FireboxV or XTMv virtual machine.
- In Policy Manager, select File > Save > To Firebox again, and specify the IP address of the second FireboxV virtual machine.
Policy Manager displays a warning if the IP address that you save the configuration to does not exist in the configuration file.
- Click Yes to confirm that you want to save the file.
The cluster forms automatically. To verify whether a cluster has formed, connect to the device in WatchGuard System Manager and refresh the status periodically. If the cluster does not form automatically after a few minutes, reboot or power cycle each virtual machine to trigger automatic cluster formation.