Some Firebox models support user-installable interface modules. Because the number of interface modules installed on these models can vary, these models have additional FireCluster configuration requirements.
For more information about the interface modules, go to About Modular Interfaces.
Hardware Configuration Requirements
Both members of a FireCluster must be the same device model, and must have the same number and type of interface modules installed in the same slots. The cluster cannot form if the hardware configuration for both devices does not match exactly.
Interface Connection Requirements
When the cluster is first formed, you must use a built-in interface to connect the two cluster members together. You can connect the built-in interfaces directly, or through a switch, as long as they are on the same network. When you enable FireCluster on one device, that device uses the built-in interfaces to discover the second cluster member. The cluster master cannot discover the second member through the modular interfaces, because the modular interfaces are not enabled on the second device when it is started with factory-default settings.
- On an M5600, the only built-in interface is interface 32
- On an M470, M570, M590, M670, M690, M4600, and T80, the eight built-in interfaces are interfaces 0 through 7
If possible, we recommend that you select a built-in interface as the primary cluster interface. With this configuration, you directly connect the built-in interfaces of the two members, and member discovery can happen through that interface.
If you prefer to use a modular interface as the primary cluster interface, you must also configure a backup cluster interface that uses a built-in interface. After an upgrade or a FireCluster configuration change, the primary member uses the built-in interface to discover the secondary member. Discovery cannot occur over a modular interface. If you do not configure a backup cluster interface that uses a built-in interface, the backup member resets to factory default because the primary member cannot locate the secondary member.
In some cases it might be necessary to use an alternate method of cluster formation when you need to bypass the default FireCluster discovery process.
- If you want to use the network module interface of a Firebox instead of the built-in network interfaces to form the cluster.
- To troubleshoot cluster members that do not join the cluster with the traditional discovery method because of network or other issues.
With this method, you save the FireCluster configuration separately to each Firebox:
- Enable FireCluster on a single Firebox that is already installed on your network.
- Use Policy Manager to save the same cluster configuration to the second cluster member.
- After FireCluster is separately enabled on both members, you can connect the second Firebox to the first Firebox and to the network.
To configure a FireCluster with the alternate method:
- Use Policy Manager to enable and configure FireCluster on the first Firebox. To configure the FireCluster you must have the feature key for both cluster members. For more information, see steps 1 through 4 in Quick Start — Set Up a FireCluster.
- In Policy Manager, save the configuration to the IP address of the first Firebox.
- Connect your management computer to the second Firebox.
- In Policy Manager, save the configuration to the IP address of the second Firebox.
When you save the configuration to the second Firebox, Policy Manager displays a warning if the IP address you specify does not exist in the configuration file. Because you want to replace the existing configuration, click Yes to confirm that you want to save the file.
- Connect the cluster members to each other and to the network switches. For more information, see Connect the FireCluster Hardware.
The cluster forms automatically.
To verify that the cluster has formed, connect to a configured interface IP address for the cluster in WatchGuard System Manager. For more information, see Monitor and Control FireCluster Members. If the cluster does not form, recheck the connections, particularly the connection between the primary cluster interfaces on each member.
Install or Remove Interface Modules for a FireCluster
When you install or remove interface modules for a FireCluster you must disconnect both members from power while you remove or install interface modules. Each Firebox automatically detects installed interface modules when you power it on.
Before you remove an interface module, you must disable the interfaces in the Firebox configuration. If an enabled interface is not installed, you cannot connect to the Firebox to modify the configuration.
Interface modules are not hot-swappable. It is important to completely disconnect the power from each Firebox before you install or remove interface modules. For complete information about interface modules and how to safely install them, see the Hardware Guide for your Firebox.
To add, remove, or replace an interface module for a FireCluster:
- Use Policy Manager to disable all interfaces on the interface module you will remove.
- In the FireCluster settings, make sure that the primary and backup cluster interfaces are not assigned to interfaces you will remove.
- Save the configuration to a file and also to the cluster master.
- If you changed the cluster interface, connect the new cluster interfaces together after you save the configuration.
- If you changed the cluster interface, make sure that the cluster has reformed after you save the configuration.
- Power off and disconnect the power from both cluster members.
- Add, remove, or replace the same interface modules to both members. See the Hardware Guide for detailed interface module installation instructions.
- Power on both cluster members.
- Each Firebox detects the installed interfaces, and the cluster forms automatically.
After the new interface module is installed and cluster has reformed, you can update the configuration to use the newly installed interfaces.
- You can change the FireCluster primary or backup cluster interfaces to any installed modular interface. If you change the cluster interface, make sure to connect the new cluster interfaces together after you save the configuration.
- In the Network configuration settings, enable and configure any newly installed modular interfaces.
- In the FireCluster settings, you can change the management interface to any enabled interface.