Contents

Configure FireCluster

FireCluster supports two types of cluster configurations.

Active/Passive cluster

In an active/passive cluster, one cluster member is active, and the other is passive. The active cluster member handles all network traffic unless a failover event occurs. The passive cluster member actively monitors the status of the active device. If the active device fails, the passive device takes over the connections assigned to the failed device. After a failover event, all traffic for existing connections is automatically routed to the active cluster member.

Active/Active cluster  

In an active/active cluster, the cluster members share the traffic that passes through the cluster. To distribute connections between the active Fireboxes in the cluster, configure FireCluster to use a round-robin or least connections algorithm. If one member of a cluster fails, the other cluster member takes over the connections assigned to the failed member. After a failover event, all traffic for existing connections is automatically routed to the remaining active member.

For a demonstration of how to configure an active/passive cluster, see the FireCluster video tutorial (14 minutes).

FireCluster Requirements and Restrictions  

Make sure you understand these requirements and restrictions before you begin:

  • Fireboxes in a cluster must be the same model number. For a list of supported models, see Supported Models for FireCluster.
  • Each Firebox in a cluster must use the same version of Fireware.
  • Each Firebox in a cluster must have an active subscription to support services, listed in the feature key as LiveSecurity Service.
  • For an active/passive cluster, your network interfaces must be configured in mixed routing mode or drop-in mode.
  • For an active/active cluster, your network interfaces must be configured in mixed routing mode.
  • FireCluster does not support bridge network mode.
  • For an active/active cluster, we recommend all Fireboxes have active licenses for the same optional subscription services such as WebBlocker or Gateway AntiVirus.

For more information, see About Feature Keys and FireCluster.

  • For an active/active FireCluster, the external interface must be configured with a static IP address. You cannot enable an active/active FireCluster if the external interface is configured to use DHCP or PPPoE.
  • For an active/passive FireCluster, the external interface must be configured with a static IP address or can be configured to use PPPoE. In Fireware v11.12 or higher, the external interface can be configured for DHCP.
  • You must have a network switch or VLAN for each active traffic interface.
  • For an active/active cluster, all switches and routers in an active/active FireCluster broadcast domain must meet the requirements specified in Switch and Router Requirements for an Active/Active FireCluster.
  • For an active/active cluster, you must know the IP address and MAC address of each layer 3 switch connected to the cluster. Then you can add static ARP entries for these network devices to the FireCluster configuration.

For more information, see Add Static ARP Entries for an Active/Active FireCluster .

For requirements and restrictions for wireless devices, see About FireCluster on Wireless Models.

Cluster Synchronization and Status Monitoring 

When you enable FireCluster, you must dedicate at least one interface to communication between the cluster members. This is called a cluster interface. When you set up the cluster hardware, you connect the primary cluster interfaces of each Firebox to each other. For redundancy, we recommend you configure a backup cluster interface. The cluster members use the cluster interfaces to continually synchronize all information needed for load sharing and transparent failover.

FireCluster Device Roles  

When you configure devices in a cluster, it is important to understand the roles each device can play in the cluster.

Cluster master

This cluster member assigns network traffic flows to cluster members, and responds to all requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the cluster configuration, you save the cluster configuration to the cluster master. The cluster master can be either device. The first device in a cluster to power on becomes the cluster master.

Backup master

This cluster member synchronizes all necessary information with the cluster master, so that it can become the cluster master if the master fails. The Backup cluster master can be active or passive.

Active member

This can be any cluster member that actively handles traffic flow. In an active/active cluster, both devices are active. In an active/passive cluster, the cluster master is the only active device

Passive member

A Firebox in an active/passive cluster that does not handle network traffic flows unless an active device fails over. In an active/passive cluster the passive member is the backup cluster master.

FireCluster Configuration Steps

To configure Fireboxes as a FireCluster, you must:

  1. Plan your FireCluster configuration, as described in Before You Begin.
  2. Connect the devices to the network, as described in Connect the FireCluster Hardware.
  3. Configure FireCluster in Policy Manager. You can use one of these methods:

For an active/active cluster, you must also complete these steps:

  1. Make any necessary configuration changes to your layer 3 network routers and switches to support the multicast MAC addresses used by the FireCluster.

For more information, see Switch and Router Requirements for an Active/Active FireCluster.

  1. Add static ARP entries for each of the layer 3 network routers and switches that connect to the FireCluster.

For more information, see Add Static ARP Entries for an Active/Active FireCluster .

See Also

FireCluster

FireCluster Diagnostics

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search