To increase network performance and scalability, you can configure a FireCluster, which is the high availability (HA) solution for WatchGuard Fireboxes.
A FireCluster includes two Fireboxes configured as cluster members. If a cluster member fails, the other cluster member takes over.
FireCluster is not supported on some device models. For more information, see Supported Models for FireCluster.
About FireCluster Types
FireCluster supports two types of cluster configurations.
In an active/passive cluster, one cluster member is active, and the other is passive. The active cluster member handles all network traffic unless a failover event occurs. The passive cluster member actively monitors the status of the active device. If the active device fails, the passive device takes over the connections assigned to the failed device.
For a demonstration of how to configure an active/passive cluster, see the FireCluster video tutorial (14 minutes).
In an active/active cluster, the cluster members share the traffic that passes through the cluster. To distribute connections between the active Fireboxes in the cluster, configure FireCluster to use a round-robin or least connections algorithm. If one member of a cluster fails, the other cluster member takes over the connections assigned to the failed member.
The same cluster member handles response traffic unless that member fails. For example, Cluster Member 1 is assigned an outbound packet from a user computer on your local network. Cluster Member 1 also handles the response traffic. This packet flow occurs because the Firebox is a stateful firewall that tracks and controls network traffic in a layer 3 session. Cluster Member 2 does not handle the response packet unless Member 1 fails.
For both active/passive and active/active clusters, all traffic for traffic interfaces on either cluster member is delivered to both cluster members. This occurs because the cluster members share the same virtual MAC address (VMAC).
When a cluster member fails, the cluster seamlessly fails over and maintains:
- Packet filter connections
- BOVPN tunnels
- User sessions
- Access Portal user sessions
When a failover event occurs, these connections might be disconnected:
- Proxy connections
- Mobile VPN connections
- RDP and SSH connections initiated through the Access Portal
Mobile VPN users might have to manually restart the VPN connection after a failover.
For more information about FireCluster failover, see About FireCluster Failover.
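The distribution and failover behaviour described above, as an added toy model (not WatchGuard code): it assigns new connections by round-robin or least connections in an active/active cluster, pins response traffic to the member that owns the stateful session, sends everything to the master in an active/passive cluster, and on failover keeps or drops flows by connection type as the lists above state. Member names, flow keys and addresses are constructed for the example.

```python
from collections import defaultdict
from itertools import cycle

# Connection types named on the page; True means the flow survives a failover.
SURVIVES_FAILOVER = {"packet-filter": True, "bovpn": True, "user-session": True,
                     "proxy": False, "mobile-vpn": False}


class FireClusterModel:
    """Simplified model of FireCluster connection assignment (added example)."""

    def __init__(self, members=("member1", "member2"),
                 mode="active/active", algorithm="round-robin"):
        self.members = list(members)   # first member = cluster master
        self.mode, self.algorithm = mode, algorithm
        self.failed = set()
        self._rr = cycle(self.members)
        self.flows = {}                # flow key -> owning member
        self.kinds = {}                # flow key -> connection type

    def _active(self):
        alive = [m for m in self.members if m not in self.failed]
        if not alive:
            raise RuntimeError("no cluster member is up")
        # Active/passive: only the master (first live member) handles traffic.
        return alive[:1] if self.mode == "active/passive" else alive

    def _choose(self):
        active = self._active()
        if self.algorithm == "least-connections":
            load = defaultdict(int)
            for owner in self.flows.values():
                load[owner] += 1
            return min(active, key=lambda m: (load[m], active.index(m)))
        while True:                    # round-robin, skipping failed members
            m = next(self._rr)
            if m in active:
                return m

    def new_connection(self, key, kind="packet-filter"):
        self.flows[key] = owner = self._choose()
        self.kinds[key] = kind
        return owner

    def handle_response(self, key):
        # Reply packets belong to the member that tracks the session state.
        return self.flows[key]

    def fail_member(self, member):
        """Fail one member; move survivable flows, return the dropped flow keys."""
        self.failed.add(member)
        survivor = self._active()[0]
        dropped = [k for k, o in self.flows.items()
                   if o == member and not SURVIVES_FAILOVER[self.kinds[k]]]
        for k in dropped:
            del self.flows[k], self.kinds[k]
        for k, o in self.flows.items():
            if o == member:
                self.flows[k] = survivor
        return dropped
```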
It is important to understand the roles each Firebox can play in the cluster.
The cluster master assigns network traffic flows to cluster members, and responds to all requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the cluster configuration, you save the cluster configuration to the cluster master. The cluster master can be either device. The first device in a cluster to power on becomes the cluster master.
The backup master synchronizes all necessary information with the cluster master, so that it can become the cluster master if the master fails. The backup cluster master can be active or passive.
An active cluster member is any cluster member that actively handles traffic flow. In an active/active cluster, both devices are active. In an active/passive cluster, the cluster master is the only active device.
A passive cluster member is a Firebox in an active/passive cluster that does not handle network traffic flows unless an active device fails over. In an active/passive cluster, the passive member is the backup cluster master.
Supported Firebox Features
When FireCluster is enabled, your Fireboxes continue to support:
- Secondary networks on external, trusted, or optional interfaces
- Multi-WAN connections
(Limitation— A multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.)
- Dynamic routing
For information about features not supported for a FireCluster, see Features Not Supported for a FireCluster.
To configure FireCluster, see Configure FireCluster.
After you configure FireCluster, you can see the cluster status when you connect to the cluster with:
- WatchGuard System Manager
- Firebox System Manager — See Device Status.
- Fireware Web UI — Select System Status > FireCluster. Your Firebox must have Fireware v12.3 or higher.
After you configure a cluster in Policy Manager, you can use Fireware Web UI to connect to it. You can use the Web UI to monitor the cluster and update policies and other configuration settings, but you cannot use the Web UI to modify the FireCluster settings.
When you use Fireware Web UI to connect to devices configured as a cluster, it is important to understand the cluster member roles.
The cluster master assigns network traffic flows to cluster members, and responds to all requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the configuration of a FireCluster, you save the configuration to the cluster master. Either cluster member can be the cluster master. The first device in a cluster to power on becomes the cluster master.
The backup master synchronizes all necessary information with the cluster master, so that it can become the cluster master if the master fails. You cannot use Fireware Web UI to save configuration changes to the backup master.