To replace an existing FireCluster with a new pair of Fireboxes, you can use your existing FireCluster configuration file for the replacement FireCluster. To do this, replace the feature keys in the original cluster configuration file with the feature keys for the new Fireboxes you want to configure as a cluster. When you import a new feature key to your existing configuration file, Policy Manager automatically updates the model in the configuration file to match the Firebox model specified in the new feature key.
Before You Begin
Make sure that your two new Fireboxes are the same model. The model must support FireCluster. For a list of models that support FireCluster, go to Supported Models for FireCluster.
Before you can migrate your FireCluster configuration to new hardware, you must get the feature keys for your new Fireboxes and upgrade the Firebox OS, if necessary.
Activate and Get the Feature Key for Your New Fireboxes
First, activate your Firebox and get the feature keys for your new Fireboxes from the WatchGuard website. You need the device feature keys to upgrade software on the device (if necessary) and to configure FireCluster.
To get the feature key for your device:
- Open a web browser and go to https://myproducts.watchguard.com/manage-products.
- Log in to your WatchGuard account.
- On the Manage Products page, in the Network Security section, click View Products.
- Select a friendly name to open details for that device or product.
- Click Get Feature Key.
- Click Copy.
- Save the feature key to a local text file.
Check the OS Version on the New Devices and Upgrade, if Necessary
The OS version and build installed on the two new Fireboxes must be the same. The OS version must also be the same as or higher than the OS version installed on the FireCluster Fireboxes that you want to replace.
To find the OS version and build number on a new Firebox that has a front LCD panel:
- Power on the Firebox.
- Use the arrow keys near the LCD panel to find the installed OS version.
To find the OS version and build number installed on a new Firebox that does not have an LCD panel:
- Start the Firebox. It does not need to be connected to the Internet for this procedure.
- Use an Ethernet cable to connect your management computer to interface 1.
- In WatchGuard System Manager, connect to the device with the default device settings:
- IP Address: 10.0.1.1
- User Name: status
- Passphrase: readonly
- After you connect to the Firebox, look for the installed OS and build number in WatchGuard System Manager. The OS version and build number appear to the right of the model number (Fireware v12.5.1.B601804, for example). The number after the v is the version number. The number after the B is the build number.
What if the version or build numbers do not match?
If the Fireware version and build numbers on the two new Fireboxes do not match, or if the version of the new Fireboxes is lower than version on the existing FireCluster, you must upgrade the OS on the new Fireboxes.
To upgrade the OS on each new Firebox:
- Run the WSM Quick Setup Wizard to set up the new Firebox with temporary basic configuration.
- In the Quick Setup Wizard feature key step, paste the feature key you downloaded when you activated the device. The feature key is required for the OS upgrade.
- Upgrade the device.
For information on how to run the Quick Setup Wizard from WatchGuard System Manager, go to Run the WSM Quick Setup Wizard.
For information about how to upgrade the OS, go to Upgrade Fireware OS or WatchGuard System Manager.
Configure OS Compatibility
If the new Fireboxes run a different Fireware version than the existing FireCluster Fireboxes, you must update the OS Compatibility setting to the OS version that the new Fireboxes use.
To configure OS Compatibility, from Policy Manager:
- Select Setup OS Compatibility.
- From the For Fireware version drop-down list, select the Fireware OS version that the new Fireboxes use.
- Click OK.
Move the Configuration
To move the configuration to the new Fireboxes you must update the configuration to replace the feature keys, save the configuration to the new cluster master, and synchronize the configuration to the second cluster member.
Update the Configuration
Use Policy Manager to update the existing FireCluster configuration with the feature keys of the new Fireboxes.
You must remove the existing keys for each member of the clusters before importing the new keys.
- In Policy Manager, select Setup System and verify that the new device model is shown correctly. If the Firebox model is not correct, from the FireModel drop-down lists, select the product family and Firebox model of your new Fireboxes.
- Select FireCluster > Configure.
- Select the Members tab.
- Select a cluster member and click Edit.
- Select the Feature Key tab.
- Click Import.
- Paste the content of the feature key file for one of the new Fireboxes in the dialog box.
- Click OK to add the new feature key for this member.
- Click OK to close the member configuration.
- Select the other cluster member and click Edit .
- Repeat steps 5 through 9 to replace the current feature key with the feature key of the other new Firebox.
- Click OK to close the FireCluster Configuration dialog box.
Save the Configuration to the New Cluster Master
After you update the configuration, you can save it to one of the new Fireboxes, which becomes the initial cluster master.
To save the updated configuration to the new device:
- Connect your computer to a trusted interface on the new Firebox (interface 1 by default).
- Make sure your computer gets an IP address on the same subnet as the interface you connect to.
- In Policy Manager, select File Save To Firebox.
- In the Firebox Address or Name text box, type the IP address of the new Firebox.
- In the Administrator Passphrase text box, type the passphrase for the admin account on the new Firebox. If the new Firebox uses the default configuration, the passphrase is readwrite .
- Click OK.
- In the File Name text box, type the file name to save the configuration file.
- Click Save.
- Policy Manager displays a warning if you save a configuration to a Firebox IP address that does not match any of the IP addresses in the configuration file. Click Yes to confirm that you want to save the configuration to the new Firebox.
Add the New Backup Master
To add the new backup master to the cluster and synchronize the configuration:
- Connect the cluster interfaces of the new FireCluster devices.
For more information, go to Connect the FireCluster Hardware.
- Start the second device with factory default settings. The steps to do this vary by device model.
For more information, go toReset a Firebox.
- Connect to the new cluster master in Firebox System Manager.
- In Firebox System Manager, select Tools > Cluster > Discover Member.
When the cluster master detects a connected device with a serial number that matches the serial number in the FireCluster configuration, the cluster master synchronizes the configuration and adds the Firebox to the cluster.
For more information, go to Discover a Cluster Member.
For a summary of all steps to set up the new FireCluster, go to Quick Start — Set up a FireCluster.