Before You Configure a FireCluster
- Verify requirements
- Verify the external interface configuration
- Verify network router and switch configurations
- Select IP addresses for cluster interfaces
Verify Requirements
For information about features not supported for a FireCluster, see Features Not Supported for a FireCluster.
Network latency between cluster members must be less than 100ms.
Network Mode Requirements
- To configure an active/passive cluster, your network interfaces must be configured in mixed routing or drop-in mode.
- To configure an active/active cluster, your network interfaces must be configured in mixed routing mode. FireCluster does not support bridge network mode.
For more information about network modes, see About Network Modes and Interfaces.
Fireware, Feature Key, and License Requirements
- Make sure the same version of Fireware is installed on each Firebox.
- Make sure you have the feature key for each Firebox saved in a local file. For more information, see Get a Firebox Feature Key.
- For an active/active cluster, each Firebox must have active licenses for the same optional subscription services such as WebBlocker or Gateway AntiVirus.
For more information, see About Feature Keys and FireCluster.
Hardware and Cable Requirements
Make sure that you have:
- Two activated Fireboxes with the same model number. The Firebox model must be one of the Supported Models for FireCluster.
- The same number and type of interface modules installed in the same slots on each Firebox.
- An Ethernet cable for each cluster interface. You can use a straight or crossover cable. If you configure a backup cluster interface, you must use two cables.
- One network switch for each enabled trusted, optional, custom, or external interface.
- Ethernet cables to connect the interfaces of both devices to the network switches.
If the Fireboxes you want to cluster have modular interfaces or a model upgrade, see About FireCluster with Modular Interfaces.
For requirements and restrictions for wireless devices, see About FireCluster on Wireless Models.
Virtual Machine (VM) Requirements
FireCluster in a VMware environment operates as expected only if all requirements are met. For information, see Configure a FireCluster on VMware ESXi.
FireCluster is not supported for Hyper-V.
All clients protected by the cluster must be able to communicate to both cluster members. VMware does not send traffic from clients on the same ESXi host as a cluster member to the other cluster member on a different ESXi host. For more information, see Configure a FireCluster on VMware ESXi.
Verify the External Interface Configuration
Before you can configure a FireCluster, you must make sure that the external interface configuration is compatible with the type of FireCluster you want to use.
- Active/active FireCluster — Each external interface must have a static IP address. You cannot enable an active/active FireCluster if the external interface is configured to use DHCP or PPPoE.
- Active/passive FireCluster — Each external interface must have a static IP address, or be configured for PPPoE or DHCP.
For more information about how to configure the external interface, see Configure an External Interface.
Verify Network Router and Switch Configurations
In an active/active FireCluster configuration, the network interfaces for the cluster use multicast MAC addresses. Before you enable an active/active FireCluster, make sure your network routers and other devices are configured to correctly route traffic to and from the multicast MAC addresses.
You must have a network switch or VLAN for each active traffic interface.
Select IP Addresses for Cluster Interfaces
The primary and backup cluster interfaces must be on different, unused subnets. Make sure that you use subnets that do not overlap with local or VPN subnets. To avoid IP address conflicts with routable IP addresses, we recommend that you use Automatic Private IP Addressing (APIPA) subnets, also known as link-local addresses (169.254.0.1–169.254.255.254 with subnet mask 255.255.0.0).
If you use a switch between each member for the cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs.
For an active/active cluster, all switches and routers in an active/active FireCluster broadcast domain must meet the requirements specified in Switch and Router Requirements for an Active/Active FireCluster.
For an active/active cluster, you must know the IP address and MAC address of each layer 3 switch connected to the cluster. Then you can add static ARP entries for these network devices to the FireCluster configuration. For more information, see Add Static ARP Entries for an Active/Active FireCluster.
This step is not necessary for an active/passive cluster because an active/passive cluster does not use multicast MAC addresses.
We recommend you make a table with the network addresses you plan to use for the cluster interfaces and for the interface for management IP address. To avoid conflicts with routable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface or use APIPA (link-local) IP addresses. If you use link-local IP addresses, which begin with 169.254, you might find it useful to define your cluster interface IP addresses like this:
169.254.<interface number>.<member number>/30
The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, your IP addressing plan could look like this:
Interface # and IP addresses for a FireCluster

| Interface | Interface # | IP address for Member 1 | IP address for Member 2 |
|---|---|---|---|
| Primary cluster interface | 5 | 169.254.5.1/30 | 169.254.5.2/30 |
| Backup cluster interface | 6 | 169.254.6.1/30 | 169.254.6.2/30 |
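To build this kind of addressing table and check it against the requirements above (both members of a cluster interface on the same subnet, primary and backup on different subnets, no overlap with local or VPN subnets, and no use of the factory-default 10.0.x.0/24 ranges), here is an added Python example. It is not WatchGuard code or part of the original page; the in-use subnets it checks against are constructed sample values.

```python
import ipaddress

# Constructed example of subnets already in use on the network (local and
# VPN subnets); the cluster interface subnets must not overlap with these.
IN_USE_SUBNETS = [
    ipaddress.ip_network("10.0.1.0/24"),      # trusted network
    ipaddress.ip_network("192.168.50.0/24"),  # branch office VPN subnet
]

# Factory-default Firebox interface addresses use 10.0.x.0/24 subnets, which
# must be avoided for cluster interface addresses.
DEFAULT_INTERFACE_RANGE = ipaddress.ip_network("10.0.0.0/16")


def cluster_address(interface_number, member_number):
    """Build an address with the 169.254.<interface number>.<member number>/30 scheme."""
    return ipaddress.ip_interface(f"169.254.{interface_number}.{member_number}/30")


def plan_cluster_interfaces(primary_if, backup_if):
    """Return member 1 and member 2 addresses for the primary and backup cluster interfaces."""
    return {
        "primary": (cluster_address(primary_if, 1), cluster_address(primary_if, 2)),
        "backup": (cluster_address(backup_if, 1), cluster_address(backup_if, 2)),
    }


def check_plan(plan, in_use=IN_USE_SUBNETS):
    """Return a list of violated requirements; an empty list means the plan is acceptable."""
    problems = []
    for name, (member1, member2) in plan.items():
        if member1.network != member2.network:
            problems.append(f"{name}: member addresses are not on the same subnet")
        if member1.ip == member2.ip:
            problems.append(f"{name}: both members use the same IP address")
        for addr in (member1, member2):
            if addr.ip in DEFAULT_INTERFACE_RANGE:
                problems.append(f"{name}: {addr} is in the factory-default 10.0.x.0/24 range")
        for used in in_use:
            if member1.network.overlaps(used):
                problems.append(f"{name}: {member1.network} overlaps in-use subnet {used}")
    if plan["primary"][0].network == plan["backup"][0].network:
        problems.append("primary and backup cluster interfaces must be on different subnets")
    return problems


if __name__ == "__main__":
    plan = plan_cluster_interfaces(5, 6)
    for name, (m1, m2) in plan.items():
        print(f"{name:8} member 1: {m1}  member 2: {m2}")
    print("problems:", check_plan(plan) or "none")
```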
Primary cluster interface
This is the interface that you dedicate to communication between the cluster members. This interface is not used for regular network traffic. If you have an interface configured as a dedicated VLAN interface, do not choose that interface as a dedicated cluster interface.
The primary interface IP addresses for both cluster members must be on the same subnet.
For a Firebox M5600 FireCluster, we recommend you select interface 32 as the primary cluster interface. For more information, see About FireCluster with Modular Interfaces.
Backup cluster interface (optional, but recommended)
This is a second interface that you dedicate for communication between the cluster members. The cluster members use the backup cluster interface to communicate if the primary cluster interface is not available. For redundancy, we recommend you use two cluster interfaces.
The backup interface IP addresses for both cluster members must be on the same subnet, but not on the same subnet as the primary cluster interface.
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the Firebox. By default, the Firebox uses 10.0.x.0/24 subnets for interface IP addresses, so we recommend that you avoid 10.0.x.0/24 addresses for cluster IP addresses. The Primary and Backup cluster IP addresses must not be used for anything else on your network, such as virtual IP addresses for mobile VPN or the IP addresses used by remote branch office networks. When cluster failover occurs, one cluster member very briefly goes into safe mode before it takes over. If your cluster interface is configured to use one of the factory-default interface IP addresses, an address conflict can occur during this brief period, which can cause the failover to fail.
Interface for management IP address
This is an interface that you use to make a direct connection to a cluster device from any WatchGuard management application. For the Firebox to send logs to a local Dimension or Syslog server, the Interface for management IP address must be on the same subnet as the Dimension or Syslog server. To achieve this, we recommend that you move your log server to the subnet used by the Interface for management IP address.
The management IP address for each cluster member must be an unused IP address on the same subnet as the address assigned to the interface configured as the Interface for management IP address.
If the Interface for management IP address has IPv6 enabled, you can also configure an IPv6 management IP address for each cluster member.
For more information, see About FireCluster Management IP Addresses.
For wireless devices, the primary cluster interface, backup cluster interface, and interface for management IP address cannot be an interface that is bridged to a wireless network. For more information, see About FireCluster on Wireless Models.
IP Addresses and Authentication
After you configure a FireCluster, RADIUS authentication requests from users on your network can come from either the FireCluster management IP address or the Firebox interface IP address. This occurs because the Firebox selects the source IP address from its routing table, and that selection depends on several factors.
If your authentication server expects to receive RADIUS authentication requests from a specific IP address, we recommend the following:
- Enable the global setting Enable configuration of policies for traffic generated by the Firebox. For information about this setting, see Define Firebox Global Settings.
- Add a policy for Firebox-generated traffic. For information about this type of policy, see About Policies for Firebox-Generated Traffic.
- In the policy, set the source IP address so that any traffic that uses the policy shows the specified address as the source.
After you verify all requirements, you can Configure FireCluster.