You can use WatchGuard FireCluster to configure two Fireboxes as a cluster to increase network performance and scalability.
FireCluster is not supported on some device models. For more information, see Supported Models for FireCluster.
There are two configuration options available for a FireCluster: active/passive and active/active. To add redundancy, choose an active/passive cluster. To add both redundancy and load sharing to your network, select an active/active cluster.
When you enable FireCluster, you manage and monitor the two devices in the cluster as you would a single device.
- To use the FireCluster feature, you must install the same version of Fireware with a Pro upgrade on each device.
- Network latency between cluster members must be less than 100ms.
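As a pre-deployment check for the two requirements above, the following is an added Python example; it is not WatchGuard code and does not come from this documentation. It assumes you have captured Linux `ping -c` output across the cluster link and have recorded each member's Fireware version and Pro upgrade status yourself; the sample ping output, IP address and version strings are constructed for the example.

```python
"""FireCluster readiness check (added example, not WatchGuard code).

Checks the two requirements the page states: both members run the same
Fireware version with a Pro upgrade, and member-to-member latency is under
100 ms. Inputs below are constructed samples; replace them with real
`ping -c N` output and the values read from each Firebox.
"""
import re

LATENCY_LIMIT_MS = 100.0  # FireCluster requirement: latency between members < 100 ms

# Linux `ping` summary lines, e.g. "4 packets transmitted, 4 received, 0% packet loss"
LOSS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def check_latency(ping_output: str, limit_ms: float = LATENCY_LIMIT_MS) -> dict:
    """Parse `ping -c N` output and decide whether the link meets the limit.

    The worst-case (max) RTT is compared against the limit rather than the
    average, because a link that spikes above 100 ms is still a problem for
    cluster synchronisation. Any packet loss also fails the check.
    """
    loss = LOSS_RE.search(ping_output)
    if loss is None:
        return {"ok": False, "reason": "no ping summary found"}
    sent, received = int(loss.group(1)), int(loss.group(2))
    if received == 0:
        return {"ok": False, "reason": "no replies received", "loss_pct": 100.0}
    loss_pct = 100.0 * (sent - received) / sent
    rtt = RTT_RE.search(ping_output)
    if rtt is None:
        return {"ok": False, "reason": "no rtt summary found", "loss_pct": loss_pct}
    avg_ms, max_ms = float(rtt.group(2)), float(rtt.group(3))
    problems = []
    if max_ms >= limit_ms:
        problems.append(f"max RTT {max_ms} ms is not below {limit_ms} ms")
    if loss_pct > 0:
        problems.append(f"{loss_pct:.1f}% packet loss")
    return {"ok": not problems, "avg_ms": avg_ms, "max_ms": max_ms,
            "loss_pct": loss_pct, "reason": "; ".join(problems)}


def check_versions(members: dict) -> dict:
    """Both members must run the identical Fireware version with a Pro upgrade.

    `members` maps a member name to {"version": str, "pro": bool}; these values
    are recorded by the operator from each device (constructed here).
    """
    distinct = sorted({m["version"] for m in members.values()})
    problems = []
    if len(distinct) != 1:
        problems.append("Fireware versions differ: "
                        + ", ".join(f"{n}={m['version']}" for n, m in members.items()))
    for name, m in members.items():
        if not m.get("pro", False):
            problems.append(f"{name} has no Pro upgrade")
    return {"ok": not problems, "versions": distinct, "reason": "; ".join(problems)}


def firecluster_preflight(ping_output: str, members: dict) -> dict:
    """Combine both checks into one readiness verdict."""
    latency = check_latency(ping_output)
    versions = check_versions(members)
    return {"ok": latency["ok"] and versions["ok"], "latency": latency, "versions": versions}


# Constructed sample: healthy, directly connected cluster link
PING_GOOD = """PING 10.0.1.2 (10.0.1.2) 56(84) bytes of data.
64 bytes from 10.0.1.2: icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from 10.0.1.2: icmp_seq=2 ttl=64 time=0.801 ms

--- 10.0.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.512/0.656/0.801/0.144 ms
"""

# Constructed sample: members in separate sites, link both slow and lossy
PING_SLOW = """--- 10.0.1.2 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
rtt min/avg/max/mdev = 88.210/104.533/131.902/18.220 ms
"""

# Constructed version data; the version strings are placeholders
MEMBERS_OK = {"member1": {"version": "12.10.2", "pro": True},
              "member2": {"version": "12.10.2", "pro": True}}
MEMBERS_BAD = {"member1": {"version": "12.10.2", "pro": True},
               "member2": {"version": "12.9.4", "pro": False}}

if __name__ == "__main__":
    for label, out, mem in (("good", PING_GOOD, MEMBERS_OK), ("bad", PING_SLOW, MEMBERS_BAD)):
        r = firecluster_preflight(out, mem)
        print(label, "READY" if r["ok"] else "NOT READY",
              r["latency"].get("reason", ""), r["versions"]["reason"])
```

Run it against a real `ping -c 20` capture taken from a host on the same segment as the cluster interfaces; the check is deliberately strict (max RTT, zero tolerance for loss) because the 100 ms figure on the page is an upper bound, not a target.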
Network mode requirements
- To configure an active/passive cluster, your network interfaces must be configured in mixed routing or drop-in mode.
- To configure an active/active cluster, your network interfaces must be configured in mixed routing mode. FireCluster does not support bridge network mode.
For more information about network modes, see About Network Modes and Interfaces.
Supported Firebox Features
When FireCluster is enabled, your Fireboxes continue to support:
- Secondary networks on external, trusted, or optional interfaces
- Multi-WAN connections
  (Limitation: A multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.)
- Dynamic routing
For information about features not supported for a FireCluster, see Features Not Supported for a FireCluster.
When a cluster member fails, the cluster seamlessly fails over and maintains:
- Packet filter connections
- BOVPN tunnels
- User sessions
- Access Portal user sessions
When a failover event occurs, these connections may be disconnected:
- Proxy connections
- Mobile VPN connections
- RDP and SSH connections initiated through the Access Portal
Mobile VPN users might have to manually restart the VPN connection after a failover.
For more information about FireCluster failover, see About FireCluster Failover.
To see the status of FireCluster in Firebox System Manager:
(Fireware v12.3 or higher) To see the status of FireCluster in Fireware Web UI, select System Status > FireCluster.
Use Fireware Web UI
After you have configured a cluster in Policy Manager, you can use Fireware Web UI to connect to it. You can use the Web UI to monitor the cluster and update policies and other configuration settings, but you cannot use the Web UI to modify the FireCluster settings.
When you use Fireware Web UI to connect to devices configured as a cluster, it is important to understand the cluster member roles.
The cluster master assigns network traffic flows to cluster members, and responds to all requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the configuration of a FireCluster, you save the configuration to the cluster master. Either cluster member can be the cluster master. The first device in a cluster to power on becomes the cluster master.
The backup master synchronizes all necessary information with the cluster master, so that it can become the cluster master if the master fails. You cannot use Fireware Web UI to save configuration changes to the backup master.
To see the status of cluster members:
- Connect to the cluster with WatchGuard System Manager or Firebox System Manager.
- (Fireware v12.3 or higher) Connect to the cluster with Fireware Web UI and select System Status > FireCluster.