About FireCluster in WatchGuard Cloud

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

To increase network performance and scalability, you can configure a FireCluster. FireCluster is the high availability (HA) solution for WatchGuard Fireboxes.

A FireCluster includes two Fireboxes configured as cluster members. If the active cluster member fails, the passive cluster member takes over.

When you add a FireCluster to WatchGuard Cloud, you select how to manage the FireCluster:

  • Cloud-managed — With this option, you use WatchGuard Cloud for all FireCluster configuration management, monitoring, and reporting.
  • Locally-managed — With this option, you can use WatchGuard Cloud for FireCluster monitoring and reporting. You can also upgrade, fail over, and reboot the FireCluster in WatchGuard Cloud. To manage the FireCluster configuration, you must use WatchGuard System Manager, Fireware Web UI, or the CLI.

This topic explains:


Before you add a cloud-managed FireCluster, learn about the requirements and plan your configuration.

For information about FireCluster requirements, see Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

Cluster Mode

In WatchGuard Cloud, you can add:

  • A cloud-managed FireCluster in active/passive mode
  • A locally-managed FireCluster in active/passive or active/active mode

In an active/passive cluster, one cluster member is active and the other is passive. The active cluster member handles all network traffic. The passive cluster member actively monitors the status of the active cluster member. All traffic for traffic interfaces on either cluster member is delivered to both cluster members. This occurs because cluster members share the same virtual mac address (VMAC).

If the active cluster member fails, the passive cluster member takes over the connections assigned to the failed cluster member. The passive cluster member becomes the active cluster member. This process is known as failover.

All cloud-managed FireClusters use active/passive mode. You cannot configure a cloud-managed FireCluster to use active/active mode. For information about active/active mode on a locally-managed FireCluster, see About FireCluster.


This diagram shows connections for a simple cloud-managed FireCluster configuration.

FireCluster simple network configuration diagram

This diagram shows connections for a cloud-managed FireCluster configuration and multiple internal networks.

FireCluster diagram that shows the trusted and optional networks


When a cluster member fails, the cluster fails over and maintains: 

  • Packet filter connections
  • BOVPN tunnels
  • User sessions

When failover occurs, these connections might be disconnected:

  • Proxy connections
  • Mobile VPN connections

Mobile VPN users might have to manually restart the VPN connection after a failover.

Some events cause a FireCluster to automatically fail over. For information about automatic failover for cloud-managed FireClusters, see About FireCluster Failover.

In WatchGuard Cloud, you can manually force a FireCluster to fail over. For information about manual failover, see Fail Over a FireCluster in WatchGuard Cloud.

Member Roles

It is important to understand the roles each Firebox can play in the cluster.

Cluster master

This cluster member assigns network traffic flows to cluster members and responds to all requests from external systems such as WatchGuard Cloud, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the cluster configuration, you save the cluster configuration to the cluster master. The cluster master can be either device. The first device in a cluster to power on becomes the cluster master.

Backup master

This cluster member synchronizes all necessary information with the cluster master so that it can become the cluster master if the master fails. In an active/passive cluster, the backup cluster master is passive.

Active member

This can be any cluster member that actively handles traffic flow. In an active/passive cluster, the cluster master is the only active device.

Passive member

A Firebox in an active/passive cluster that does not handle network traffic flows unless an active device fails over. In an active/passive cluster, the passive member is the backup cluster master.

Supported Firebox Features

When FireCluster is enabled, your Fireboxes continue to support these features: 

  • Secondary networks on internal, external, and guest interfaces
  • Multi-WAN connections
  • VLANs

A multi-WAN failover caused by a failed connection to a link monitoring host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.

For information about features not supported for a cloud-managed FireCluster, see Unsupported Features for a Cloud-Managed FireCluster.

Add a FireCluster

You can add a cloud-managed or locally-managed FireCluster in WatchGuard Cloud. If you add a locally-managed FireCluster to WatchGuard Cloud for visibility, you can change the management type to cloud-managed at a later time.

For more information, see:

For a cloud-managed FireCluster, both Fireboxes must run Fireware v12.8.2 or higher (or v12.5.11 or higher for T30, T35, T50, M200, and M300 Fireboxes).

Manage and Monitor a FireCluster

For both cloud-managed and locally-managed FireClusters, you can use WatchGuard Cloud to:

For cloud-managed clusters, you can also edit the FireCluster settings.