To increase network performance and scalability, you can configure a FireCluster. FireCluster is the high availability (HA) solution for WatchGuard Fireboxes.
A FireCluster includes two Fireboxes configured as cluster members. If the active cluster member fails, the passive cluster member takes over.
When you add a FireCluster to WatchGuard Cloud, you select how to manage the FireCluster:
- Cloud-managed — With this option, you use WatchGuard Cloud for all FireCluster configuration management, monitoring, and reporting.
- Locally-managed — With this option, you can use WatchGuard Cloud for FireCluster monitoring and reporting. You can also upgrade, fail over, and reboot the FireCluster in WatchGuard Cloud. To manage the FireCluster configuration, you must use WatchGuard System Manager, Fireware Web UI, or the CLI.
This topic explains:
- Cluster configurations
- Member roles
- Supported Firebox features
- How to add a FireCluster
- How to manage and monitor a FireCluster
Before you add a cloud-managed FireCluster, learn about the requirements and plan your configuration.
For information about FireCluster requirements, see Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
In WatchGuard Cloud, you can add:
- A cloud-managed FireCluster in active/passive mode
- A locally-managed FireCluster in active/passive or active/active mode
In an active/passive cluster, one cluster member is active and the other is passive. The active cluster member handles all network traffic. The passive cluster member actively monitors the status of the active cluster member. All traffic for traffic interfaces on either cluster member is delivered to both cluster members. This occurs because cluster members share the same virtual MAC address (VMAC).
If the active cluster member fails, the passive cluster member takes over the connections assigned to the failed cluster member. The passive cluster member becomes the active cluster member. This process is known as failover.
All cloud-managed FireClusters use active/passive mode. You cannot configure a cloud-managed FireCluster to use active/active mode. For information about active/active mode on a locally-managed FireCluster, see About FireCluster.
This diagram shows connections for a simple cloud-managed FireCluster configuration.
This diagram shows connections for a cloud-managed FireCluster configuration and multiple internal networks.
When a cluster member fails, the cluster fails over and maintains:
- Packet filter connections
- BOVPN tunnels
- User sessions
When failover occurs, these connections might be disconnected:
- Proxy connections
- Mobile VPN connections
Mobile VPN users might have to manually restart the VPN connection after a failover.
Some events cause a FireCluster to automatically fail over. For information about automatic failover for cloud-managed FireClusters, see About FireCluster Failover.
In WatchGuard Cloud, you can manually force a FireCluster to fail over. For information about manual failover, see Fail Over a FireCluster in WatchGuard Cloud.
It is important to understand the roles each Firebox can play in the cluster.
Cluster master: This cluster member assigns network traffic flows to cluster members and responds to all requests from external systems such as WatchGuard Cloud, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the cluster configuration, you save the cluster configuration to the cluster master. The cluster master can be either device. The first device in a cluster to power on becomes the cluster master.
Backup cluster master: This cluster member synchronizes all necessary information with the cluster master so that it can become the cluster master if the master fails. In an active/passive cluster, the backup cluster master is passive.
Active: This can be any cluster member that actively handles traffic flow. In an active/passive cluster, the cluster master is the only active device.
Passive: A Firebox in an active/passive cluster that does not handle network traffic flows unless an active device fails over. In an active/passive cluster, the passive member is the backup cluster master.
When FireCluster is enabled, your Fireboxes continue to support these features:
- Secondary networks on internal, external, and guest interfaces
- Multi-WAN connections
A multi-WAN failover caused by a failed connection to a link monitoring host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.
For information about features not supported for a cloud-managed FireCluster, see Unsupported Features for a Cloud-Managed FireCluster.
You can add a cloud-managed or locally-managed FireCluster in WatchGuard Cloud. If you add a locally-managed FireCluster to WatchGuard Cloud for visibility, you can change the management type to cloud-managed at a later time.
For more information, see:
- Add a Cloud-Managed FireCluster
- Add a Locally-Managed FireCluster to WatchGuard Cloud
- Change the FireCluster Management Type
For a cloud-managed FireCluster, both Fireboxes must run Fireware v12.8.2 or higher (or v12.5.11 or higher for T30, T35, T50, M200, and M300 Fireboxes).
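The version requirement above is easy to get wrong when the two members run different builds or one of them is a model with the lower threshold. The following pre-flight check is an added example, not WatchGuard code or part of this page: it encodes the two thresholds and the model list stated above, parses Fireware version strings, and reports which member (if any) blocks cloud management. The inventory format (name, model, version) and the sample member records, including the model name M370, are constructed for the example.

```python
"""Pre-flight check: do both FireCluster members meet the Fireware minimum
for cloud management? (Added example; thresholds and model list from the page.)"""
import re

# Minimum Fireware version for a cloud-managed FireCluster (from the page).
DEFAULT_MIN_VERSION = (12, 8, 2)
# Models that only need the lower threshold (from the page).
LOWER_THRESHOLD_MODELS = {"T30", "T35", "T50", "M200", "M300"}
LOWER_MIN_VERSION = (12, 5, 11)


def parse_version(text):
    """Turn 'v12.8.2', '12.8.2' or '12.9' (trailing build info ignored)
    into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def minimum_version_for(model):
    """Pick the threshold that applies to this Firebox model."""
    if model.upper() in LOWER_THRESHOLD_MODELS:
        return LOWER_MIN_VERSION
    return DEFAULT_MIN_VERSION


def member_ok(model, version):
    """True if one member's Fireware meets the minimum for its model."""
    return parse_version(version) >= minimum_version_for(model)


def check_cluster(members):
    """members: iterable of (name, model, version) tuples.
    Returns (ok, findings); ok is True only when both members pass."""
    members = list(members)
    findings = []
    if len(members) != 2:
        findings.append(f"a FireCluster has exactly two members, got {len(members)}")
    for name, model, version in members:
        if not member_ok(model, version):
            need = ".".join(str(n) for n in minimum_version_for(model))
            findings.append(
                f"{name} ({model}) runs Fireware {version}; needs v{need} or higher"
            )
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed inventory: one member on a lower-threshold model that is one
    # patch level short, to show the failure path.
    sample = [("fw-a", "T35", "v12.5.11"), ("fw-b", "T35", "12.5.10")]
    ok, findings = check_cluster(sample)
    print("eligible for cloud management:", ok)
    for line in findings:
        print(" -", line)
```

Run the check against the member records you export from WatchGuard Cloud or Fireware Web UI before you attempt to add the cluster; a single failing member is enough to block the cloud-managed option, so the function reports every offender rather than stopping at the first.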
For both cloud-managed and locally-managed FireClusters, you can use WatchGuard Cloud to:
- Upgrade a FireCluster in WatchGuard Cloud
- Reboot a Cluster Member in WatchGuard Cloud
- Fail Over a FireCluster in WatchGuard Cloud
- Monitor a FireCluster
- Manage FireCluster Logging in WatchGuard Cloud
- Change the FireCluster Management Type
- Remove a FireCluster from WatchGuard Cloud
For cloud-managed clusters, you can also edit the FireCluster settings.