Before You Configure a FireCluster
- Verify requirements
- Verify the external interface configuration
- Verify network router and switch configurations
- Select IP addresses for cluster interfaces
For information about features not supported for a FireCluster, see Features Not Supported for a FireCluster.
Network latency between cluster members must be less than 100ms.
Network Mode Requirements
- To configure an active/passive cluster, your network interfaces must be configured in mixed routing or drop-in mode.
- To configure an active/active cluster, your network interfaces must be configured in mixed routing mode. FireCluster does not support bridge network mode.
For more information about network modes, see About Network Modes and Interfaces.
Fireware, Feature Key, and License Requirements
- Make sure the same version of Fireware is installed on each Firebox.
- Make sure you have the feature key for each Firebox saved in a local file. For more information, see Get a Firebox Feature Key.
- For an active/active cluster, we recommend all Fireboxes have active licenses for the same optional subscription services such as WebBlocker or Gateway AntiVirus.
For more information, see About Feature Keys and FireCluster.
Hardware and Cable Requirements
Make sure that you have:
- Two activated Fireboxes with the same model number. The Firebox model must be one of the Supported Models for FireCluster.
- The same interface modules installed on each Firebox (M4600 and M5600 only).
- An Ethernet cable for each cluster interface. You can use a straight or crossover cable. If you configure a backup cluster interface, you must use two cables.
- One network switch for each enabled trusted, optional, custom, or external interface.
- Ethernet cables to connect the interfaces of both devices to the network switches.
If the Fireboxes you want to cluster have modular interfaces or a model upgrade, see About FireCluster with Modular Interfaces.
For requirements and restrictions for wireless devices, see About FireCluster on Wireless Models.
Virtual Machine (VM) Requirements
FireCluster in a VMware environment operates as expected only if all requirements are met. For information, see Configure a FireCluster on VMware ESXi.
FireCluster is not supported for Hyper-V.
All clients protected by the cluster must be able to communicate to both cluster members. VMware does not send traffic from clients on the same ESXi host as a cluster member to the other cluster member on a different ESXi host. For more information, see Configure a FireCluster on VMware ESXi.
Before you can configure a FireCluster, you must make sure that the external interface configuration is compatible with the type of FireCluster you want to use.
- Active/active FireCluster — Each external interface must have a static IP address. You cannot enable an active/active FireCluster if the external interface is configured to use DHCP or PPPoE.
Active/passive FireCluster — Each external interface must have a static IP address, or be configured for PPPoE or DHCP.
For more information about how to configure the external interface, see Configure an External Interface.
In an active/active FireCluster configuration, the network interfaces for the cluster use multicast MAC addresses. Before you enable an active/active FireCluster, make sure your network routers and other devices are configured to correctly route traffic to and from the multicast MAC addresses.
You must have a network switch or VLAN for each active traffic interface.
The primary and backup cluster interfaces must be on different subnets. If you use a switch between each member for the cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs.
For an active/active cluster, all switches and routers in an active/active FireCluster broadcast domain must meet the requirements specified in Switch and Router Requirements for an Active/Active FireCluster.
For an active/active cluster, you must know the IP address and MAC address of each layer 3 switch connected to the cluster. Then you can add static ARP entries for these network devices to the FireCluster configuration. For more information, see Add Static ARP Entries for an Active/Active FireCluster .
This step is not necessary for an active/passive cluster because an active/passive cluster does not use multicast MAC addresses.
We recommend you make a table with the network addresses you plan to use for the cluster interfaces and interface for management IP address. To avoid conflict with routable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface, or use link-local IP addresses that begin with 169.254. If you use link-local IP addresses, you might find it useful to define your cluster interface IP addresses like this:
169.254.<interface number>.<member number>/24
The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, something like this:
|Interface # and IP addresses for a FireCluster|
|Interface #||IP address for Member 1||IP address for Member 2|
|Primary cluster interface||5||169.254.5.1/24||169.254.5.2/24|
|Backup cluster interface||6||169.254.6.1/24||169.254.6.2/24|
Primary cluster interface
This is the interface that you dedicate to communication between the cluster members. This interface is not used for regular network traffic. If you have an interface configured as a dedicated VLAN interface, do not choose that interface as a dedicated cluster interface.
The primary interface IP addresses for both cluster members must be on the same subnet.
For a Firebox M5600 FireCluster, we recommend you select interface 32 as the primary cluster interface. For more information, see About FireCluster with Modular Interfaces.
Backup cluster interface (optional, but recommended)
This is a second interface that you dedicate for communication between the cluster members. The cluster members use the backup cluster interface to communicate if the primary cluster interface is not available. For redundancy, we recommend you use two cluster interfaces.
The backup interface IP addresses for both cluster members must be on the same subnet.
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the device. The default interface IP addresses are in the range 10.0.0.1–10.0.26.1. The Primary and Backup cluster IP addresses must not be used for anything else on your network, such as virtual IP addresses for Mobile VPN or the IP addresses used by remote branch office networks. When cluster failover occurs, one cluster member very briefly goes into safe mode before it takes over. If your cluster interface is configured to use one of the factory-default interface IP addresses, a conflict can occur during this brief period, which can cause the failover to fail.
Interface for management IP address
This is an interface that you use to make a direct connection to a cluster device from any WatchGuard management application. It must be on the same subnet as the server the Firebox sends log messages to.
The management IP address for each cluster member must be an unused IP address on the same subnet as the address assigned to the interface configured as the Interface for management IP address.
If the Interface for management IP address has IPv6 enabled, you can also configure an IPv6 management IP address for each cluster member.
For more information, see About FireCluster Management IP Addresses.
For wireless devices, the primary cluster interface, backup cluster interface, and interface for management IP address cannot be an interface that is bridged to a wireless network. For more information, see About FireCluster on Wireless Models.
After you verify all requirements, you can Configure FireCluster.