About FireCluster

To increase network performance and scalability, you can configure a FireCluster, which is the high availability (HA) solution for WatchGuard Fireboxes.

A FireCluster includes two Fireboxes configured as cluster members. If a cluster member fails, the other cluster member takes over.

FireCluster is not supported on some device models. For more information, go to Supported Models for FireCluster.

You can also enhance performance and achieve full redundancy with a FireCluster through the configuration of link aggregation. This method enables a group of physical interfaces to function as a single, logical interface, and results in a comprehensive mesh configuration. For more information, go to About Link Aggregation.

About FireCluster Types

FireCluster supports two types of cluster configurations.

Active/Passive cluster

In an active/passive cluster, one cluster member is active, and the other is passive. The active cluster member handles all network traffic unless a failover event occurs. The passive cluster member actively monitors the status of the active device. If the active device fails, the passive device takes over the connections assigned to the failed device.

For a demonstration of how to configure an active/passive cluster, see the FireCluster video tutorial (18 minutes).

Active/Active cluster

In an active/active cluster, the cluster members share the traffic that passes through the cluster. To distribute connections between the active Fireboxes in the cluster, configure FireCluster to use a round-robin or least connections algorithm. If one member of a cluster fails, the other cluster member takes over the connections assigned to the failed member.

The same cluster member handles response traffic unless that member fails. For example, Cluster Member 1 is assigned an outbound packet from a user computer on your local network. Cluster Member 1 also handles the response traffic. This packet flow occurs because the Firebox is a stateful firewall that tracks and controls network traffic in a layer 3 session. Cluster Member 2 does not handle the response packet unless Member 1 fails.

For both active/passive and active/active clusters, all traffic on the traffic interfaces of either cluster member is delivered to both cluster members. This occurs because the cluster members share the same virtual MAC address (VMAC).

[Figure: FireCluster diagram that shows the trusted and optional networks]

Failover

When a cluster member fails, FireCluster seamlessly fails over and maintains:

  • Packet filter connections
  • BOVPN tunnels
  • User sessions
  • Access Portal user sessions

When FireCluster fails over, these connections might be disconnected:

  • Proxy connections
  • Mobile VPN connections
  • RDP and SSH connections initiated through the Access Portal

Mobile VPN users might have to manually restart the VPN connection after a failover.

For interfaces included in multi-WAN or link aggregation configurations:

  • Multi-WAN — FireCluster failover is triggered when the physical interface is down or does not respond. FireCluster failover is not triggered if multi-WAN failover occurs because of a link monitor failure.
  • Link Aggregation — FireCluster failover is triggered if all Link Aggregation member interfaces fail. FireCluster failover is not triggered if only some Link Aggregation member interfaces fail.

For more information about FireCluster failover, go to About FireCluster Failover.
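The following Python model is an added example and is not WatchGuard code; it reproduces only the behaviour the sections above describe so the rules can be exercised with sample flows. It covers the active/active distribution of new flows (round-robin or least connections), the stateful affinity that keeps response traffic on the member that handled the outbound packet, the takeover of packet filter sessions on failover while proxy sessions may be dropped, and the multi-WAN and link aggregation trigger rules. The class and function names (ClusterModel, handle_packet, fail, failover_triggered, reverse_flow), the tie-break rule for least connections, and the sample 5-tuples are assumptions made for the illustration.

```python
"""Illustrative model of FireCluster connection distribution and failover.

Added example, not WatchGuard code. Names, tie-break rules and sample
flows are assumptions; only the behaviour stated in the documentation
(distribution algorithms, stateful affinity, failover handling, and the
multi-WAN / link aggregation trigger rules) is reproduced here.
"""
from collections import Counter
from itertools import cycle


def reverse_flow(flow):
    """Response direction of a (src_ip, src_port, dst_ip, dst_port, proto) 5-tuple."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    return (dst_ip, dst_port, src_ip, src_port, proto)


class ClusterModel:
    """Two active/active members; member1 powered on first, so it is the master."""

    def __init__(self, algorithm="round-robin"):
        if algorithm not in ("round-robin", "least-connections"):
            raise ValueError("algorithm must be 'round-robin' or 'least-connections'")
        self.algorithm = algorithm
        self.members = ["member1", "member2"]
        self.failed = set()
        self.sessions = {}          # flow 5-tuple -> (owning member, kind)
        self._rr = cycle(self.members)

    def active_members(self):
        return [m for m in self.members if m not in self.failed]

    def _assign(self):
        """The cluster master picks the member for a new flow."""
        active = self.active_members()
        if not active:
            raise RuntimeError("no active cluster member")
        if self.algorithm == "least-connections":
            load = Counter(owner for owner, _ in self.sessions.values())
            # Assumption: ties go to the lower-named member
            return min(active, key=lambda m: (load[m], m))
        while True:                 # round-robin, skipping failed members
            m = next(self._rr)
            if m in active:
                return m

    def handle_packet(self, flow, kind="packet-filter"):
        """Return the member that handles this packet.

        A packet that belongs to an existing session (in either direction)
        goes to the session owner, which is why response traffic stays on
        the member that saw the outbound packet. Otherwise the flow is new
        and the master assigns it.
        """
        for key in (flow, reverse_flow(flow)):
            if key in self.sessions:
                return self.sessions[key][0]
        owner = self._assign()
        self.sessions[flow] = (owner, kind)
        return owner

    def fail(self, member):
        """Simulate a member failure and return the flows that were dropped."""
        self.failed.add(member)
        survivors = self.active_members()
        dropped = []
        for flow, (owner, kind) in list(self.sessions.items()):
            if owner != member:
                continue
            if kind == "packet-filter" and survivors:
                self.sessions[flow] = (survivors[0], kind)   # maintained across failover
            else:
                dropped.append(flow)      # proxy / mobile VPN sessions may disconnect
                del self.sessions[flow]
        return dropped

    def load(self):
        """Number of sessions owned by each member."""
        return dict(Counter(owner for owner, _ in self.sessions.values()))


def failover_triggered(kind, physical_up=None, link_monitor_ok=True, member_links=None):
    """Whether an interface event triggers FireCluster failover.

    multi-wan: only a physical interface that is down or unresponsive counts;
    a link monitor failure alone (which triggers multi-WAN failover) does not,
    so link_monitor_ok is deliberately ignored here.
    link-aggregation: only when every member interface has failed.
    """
    if kind == "multi-wan":
        return not physical_up
    if kind == "link-aggregation":
        return not any(member_links)
    raise ValueError(f"unknown interface kind: {kind}")


if __name__ == "__main__":
    # Constructed sample flows from two hosts on the trusted network
    c = ClusterModel("round-robin")
    out1 = ("10.0.1.10", 51000, "203.0.113.5", 443, "tcp")
    out2 = ("10.0.1.11", 51001, "203.0.113.6", 443, "tcp")
    print(c.handle_packet(out1), c.handle_packet(out2))            # member1 member2
    print(c.handle_packet(reverse_flow(out1)))                       # member1 (stateful)
    print(c.fail("member1"), c.handle_packet(reverse_flow(out1)))    # [] member2
```

Running the model with a proxy session and a packet filter session on the same member, then failing that member, shows the difference the Failover section draws: the packet filter session is re-homed to the survivor and its response traffic keeps flowing, while the proxy session is dropped and the client must reconnect.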

Cluster Roles

It is important to understand the roles each Firebox can play in the cluster.

Cluster master

This cluster member assigns network traffic flows to cluster members, and responds to all requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the cluster configuration, you save the cluster configuration to the cluster master. The cluster master can be either device. The first device in a cluster to power on becomes the cluster master.

Backup master

This cluster member synchronizes all necessary information with the cluster master, so that it can become the cluster master if the master fails. The Backup cluster master can be active or passive.

Active member

This can be any cluster member that actively handles traffic flow. In an active/active cluster, both devices are active. In an active/passive cluster, the cluster master is the only active device.

Passive member

A Firebox in an active/passive cluster that does not handle network traffic flows unless an active device fails over. In an active/passive cluster, the passive member is the backup cluster master.

Requirements

For a detailed list of FireCluster requirements, go to Before You Configure a FireCluster.

Supported Firebox Features

When FireCluster is enabled, your Fireboxes continue to support:

  • Secondary networks on external, trusted, or optional interfaces
  • Multi-WAN connections
    A multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.
  • VLANs
  • Dynamic routing

For information about features not supported for a FireCluster, go to Features Not Supported for a FireCluster.

Configure FireCluster

To configure FireCluster, go to Configure FireCluster.

FireCluster Status

After you configure FireCluster, you can see the cluster status when you connect to the cluster with:

  • WatchGuard System Manager
  • Firebox System Manager — Go to Device Status.
  • Fireware Web UI — Select System Status > FireCluster. Your Firebox must have Fireware v12.3 or higher.

After you configure a cluster in Policy Manager, you can use Fireware Web UI to connect to it. You can use the Web UI to monitor the cluster and update policies and other configuration settings, but you cannot use the Web UI to modify the FireCluster settings.

When you use Fireware Web UI to connect to devices configured as a cluster, it is important to understand the cluster member roles.

Cluster master

The cluster master assigns network traffic flows to cluster members, and responds to all requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols, and IKE. When you configure or modify the configuration of a FireCluster, you save the configuration to the cluster master. Either cluster member can be the cluster master. The first device in a cluster to power on becomes the cluster master.

Backup master

The backup master synchronizes all necessary information with the cluster master, so that it can become the cluster master if the master fails. You cannot use Fireware Web UI to save configuration changes to the backup master.

FireCluster in WatchGuard Cloud

In WatchGuard Cloud, you can add a locally-managed FireCluster, initiate system actions (upgrade, reboot, and fail over), and view log messages. For more information, go to About FireCluster in WatchGuard Cloud.

Related Topics

Before You Configure a FireCluster

Use the Web UI with a FireCluster

FireCluster (Video)

Configure FireCluster

Monitor and Control FireCluster Members

FireCluster Upgrade, Downgrade, Backup, Restore, and Migration

Features Not Supported for a FireCluster

FireCluster Diagnostics