Add a Cloud-Managed FireCluster

Applies To: Cloud-managed Fireboxes

You can manage a FireCluster in WatchGuard Cloud.

To add a cloud-managed FireCluster, use one of these methods:

  • Method 1 — Add two Fireboxes with factory-default settings as a cloud-managed FireCluster.
  • Method 2 — Change a locally-managed active/passive FireCluster to cloud management.

You cannot change a cloud-managed Firebox to a cloud-managed FireCluster member directly. You must first remove the device from cloud management so that it is locally managed, configure a locally-managed cluster, add the FireCluster to WatchGuard Cloud as a locally-managed cluster with visibility, and then change the FireCluster to cloud management. For more information, go to Change a Cloud-managed Firebox to a Cloud-managed FireCluster Member.

After you add a cloud-managed FireCluster, you can manage the configuration only in WatchGuard Cloud. You cannot manage the FireCluster with WatchGuard System Manager, Fireware Web UI, or the Command Line Interface (CLI).

Cloud-managed FireClusters use active/passive mode. You cannot add a cloud-managed FireCluster in active/active mode.

Change a Cloud-managed Firebox to a Cloud-managed FireCluster Member

To change a single cloud-managed Firebox to a cloud-managed FireCluster member, you must:

  1. Remove the device from cloud management so that it is locally managed.
  2. Configure a locally-managed cluster.
  3. Add the FireCluster in WatchGuard Cloud as a locally-managed cluster with visibility, and then change the FireCluster to cloud management.

The deployment history of a cloud-managed Firebox is no longer available after you add the device to a cloud-managed FireCluster. This means that when you complete the configuration of a cloud-managed FireCluster, you cannot revert to earlier deployment versions of the cloud-managed Firebox.

For information about how FireCluster works, see About FireCluster in WatchGuard Cloud.

Before You Begin

Before you add a cloud-managed FireCluster, learn about requirements and plan your configuration. For information about FireCluster requirements, see Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

Both Fireboxes must run Fireware v12.8.2 or higher (or v12.5.11 or higher for T30, T35, T50, M200, and M300 Fireboxes).

Method 1 — Add a New Cloud-Managed FireCluster

If you have two Fireboxes that you have not yet configured as a FireCluster, use the method described in this section. Both Fireboxes must have factory-default settings.

If you previously added a locally-managed FireCluster to WatchGuard Cloud for visibility, use Method 2.

Add the FireCluster

  1. Reset both Fireboxes to factory-default settings. For more information, see Reset a Firebox.
  2. Log in to your WatchGuard Cloud Subscriber account.
  3. Select Configure > Devices.
  4. Click Add Device.
    A list of activated devices appears. If the list does not include your devices, review the requirements in Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.

Screen shot of the Add Device Wizard for FireCluster (first page)

  1. Click Add FireCluster.
    The selection page for the first FireCluster member opens.

Screen shot of the Add Device Wizard device list for FireCluster

  1. To add the first FireCluster member, click a Firebox name.
    The selection page for the second FireCluster member opens.

Screen shot of the Add Device Wizard (Member2)

  1. To add the second FireCluster member, do one of the following:
    • Enter the serial number of the second FireCluster member and click Add.
    • From the list of devices, click a Firebox name.
      Selected FireCluster members appear next to the device list.

Screen shot of the Add Device Wizard (both members selected)

  1. Click Add FireCluster.
    A confirmation page opens.

Screen shot of the Add Device Wizard confirmation page for FireCluster

  1. From the FireCluster Management drop-down list, click Cloud Management.
  2. Click Next.
  3. Enter the FireCluster Name.
  4. Enter the Member1 Name.
  5. Enter the Member2 Name.
  6. Select a Time Zone. The time zone settings control the date and time that appear in the log messages and reports for your FireCluster.
  7. Select the device folder for your Firebox. Device Folders help you to see status and summary data for device groups.
    If you only have one root folder, the folder list does not appear.
  8. Click Next.
  9. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets and to synchronize connection and session information.
  10. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
  11. In the Cluster ID text box, enter a number between 1 and 255. The default cluster ID is 50.
    The Cluster ID determines the virtual MAC (VMAC) addresses that cluster member interfaces use. If you add a second FireCluster to the same subnet, enter a Cluster ID that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict. For information about how the VMAC address is calculated, see Active/Passive Cluster ID and the Virtual MAC Address.

Screen shot of the FireCluster interface settings

  1. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster configurations without a direct cable connection between cluster members. For more information about this setting, see Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

The primary and backup cluster interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

Screen shot of a FireCluster configuration with a Backup Cluster Interface

  1. Click Next.
  2. From the IP Address Configuration drop-down list, select Static, DHCP, or PPPoE.
  3. If you selected Static:
    1. In the IP Address text box, enter an IP address for the external interface.
    2. In the Gateway text box, enter an IP address for the gateway.
    3. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

Screen shot of the external interface settings for FireCluster

  1. If you selected DHCP or PPPoE:
    1. Select Obtain an IP address automatically or Use this IP address.
    2. Enter the Client Name.
    3. Enter the Host Name.
    4. If you selected Use this IP address, enter an IP address.
  2. Click Next.
  3. Enter the Internal Network IP Address.
  4. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
  5. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
  6. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

Screen shot of the internal interface settings for FireCluster

  1. Click Next.
  2. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

Screen shot of the Configure Wireless Settings page

  1. Enter a Status Password.
  2. Enter an Admin Password. This password must be different than the status password.

Screen shot of the Password Configuration page

  1. To complete the configuration and change to cloud management, click OK.
    The configuration change deploys automatically.
  2. If you selected the static IP address option, before you click Done:
    1. Follow the instructions on the Connect Your FireCluster page. For more information, see Complete the Configuration (Static IP Address).
    2. To use a USB drive, you must click Download the connection settings file on the Connect Your FireCluster page now. You cannot return to this page later.

Screen shot of the last page of the Add Device Wizard

Configure the Connection to WatchGuard Cloud (Static IP Address)

If you selected the static IP address option in the Add Device Wizard, you must connect locally to one of the Fireboxes to configure a connection between the Firebox and WatchGuard Cloud. Use one of these methods:

  • Web Setup Wizard — Manually specify the connections settings in the Web Setup Wizard, which is part of the local operating system on the Firebox.
  • USB drive — Download and save a preconfigured connection settings file to a USB drive. The Firebox uses the file to automatically configure the connection settings. The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than one partition, Fireware only uses the first partition.
  1. Connect the primary cluster interface on one Firebox to the primary cluster interface on the other Firebox.
  2. On both Fireboxes, connect interface 0 to an Internet connection.
  3. On one of the Fireboxes, connect interface 1 to your computer.
  4. Plug in and power on both Fireboxes.
  5. On the Firebox connected to your computer, open a web browser and go to https://10.0.1.1:8080.
  6. Log in with the default credentials:
    • User name: admin
    • Password: readwrite
  7. In the Web Setup Wizard, select Cloud-Managed.
  8. Configure the external interface for DHCP, PPPoE, or a static IP address.
    The Firebox automatically connects to WatchGuard Cloud to get a configuration. The cluster automatically forms in WatchGuard Cloud.
  1. In WatchGuard Cloud, on the last page of the Add Device Wizard, click Download the connection settings file.
  2. Save the file to a USB drive.
  3. Connect the USB drive to the Member1 Firebox, which is the first Firebox that you added to WatchGuard Cloud.
  4. Connect the primary cluster interface on one Firebox to the primary cluster interface on the other Firebox.
  5. On both Fireboxes, connect interface 0 to an Internet connection.
  6. Plug in and power on the Member1 Firebox.
    The Firebox automatically uses the connection settings file to connect to WatchGuard Cloud and get a configuration.
  7. Plug in and power on the Member2 Firebox.
    The Firebox automatically uses the connection settings file to connect to WatchGuard Cloud and get a configuration. The cluster automatically forms in WatchGuard Cloud.

Complete the Cable Configuration

After you add the FireCluster, complete the cable configuration:

  1. Remove the interface 1 cable from your computer.
  2. Connect the interface 1 cable to your network equipment. For information about cabling and network topology, see Connect the Hardware for a Cloud-Managed FireCluster.

Verify the Connection to WatchGuard Cloud

After you complete the cable configuration, verify the FireCluster connection to WatchGuard Cloud. For more information, see the Device Summary page.

Screen shot of the Device Summary page for a Firebox with FireCluster status

Only the cluster master connects to WatchGuard Cloud. The status of the cluster master is Connected. The status of the backup master is Never Connected or Not Connected.

Method 2 — Change a Locally-Managed FireCluster to a Cloud Management

If you previously added a locally-managed FireCluster to WatchGuard Cloud for visibility, you can change the FireCluster to cloud management.

After you change the management type and deploy the change, the cloud-managed configuration replaces the locally-managed configuration on the Firebox. You can no longer locally manage the FireCluster in WatchGuard System Manager or Fireware Web UI.

  1. Sign in to your WatchGuard Cloud Subscriber account.
    For Service Provider operators, from Account Manager, select My Account.
  2. Select Configure > Devices.
  3. Select the FireCluster.
    The Device Settings page opens.
  4. In the Cloud Management section, click Change to Cloud Management.
    The Add Device wizard opens.
  5. (Optional) Edit the FireCluster Name.
  6. (Optional) Edit the Member1 Name.
  7. (Optional) Edit the Member2 Name.
  8. (Optional) Edit the Time Zone.
  9. Click Next.
  10. From the Cluster Interface drop-down list, select an interface.
    Cluster members use this dedicated interface to exchange heartbeat packets, and to synchronize connection and session information.
  11. In the Member1 Cluster IP Address and Member2 Cluster IP Address text boxes, enter an IP address that is not in use on your network.
    To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.
  12. In the Cluster ID text box, enter a number between 1 and 255.
    The Cluster ID determines the virtual MAC (VMAC) addresses used by the interfaces of the clustered devices. If you add a second FireCluster to the same subnet, set the Cluster ID to a number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict. For information on how the VMAC address is calculated, see Active/Passive Cluster ID and the Virtual MAC Address.

Screen shot of the FireCluster interface settings

  1. (Optional) To add redundancy, select Assign Backup Cluster Interface. The FireCluster uses the backup cluster interface if the primary cluster interface fails. We recommend this option for FireCluster configurations without a direct cable connection between cluster members. For more information about this setting, see Before You Configure a Cloud-Managed FireCluster in WatchGuard Cloud.
    1. From the Backup Cluster Interface drop-down list, select an interface.
    2. In the Member1 Cluster Backup IP Address and Member2 Cluster Backup IP Address text boxes, enter an IP address that is not in use on your network. To avoid conflicts with routable IP addresses, we recommend APIPA addresses or IP addresses from a dedicated private subnet.

The primary and backup cluster interfaces must be on different subnets. We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs. We recommend that you configure a backup cluster interface if you separate the cluster interfaces with a switch.

Screen shot of a FireCluster configuration with a Backup Cluster Interface

  1. Click Next.
  2. (Optional) Edit the IP Address Configuration. From the drop-down list, select Static, DHCP, or PPPoE.
  3. In the IP Address text box, enter an IP address for the external interface.
  4. In the Gateway text box, enter an IP address for the gateway.
  5. In the Public DNS Server text box, enter the IP address of a public DNS server for name resolution.

Screen shot of the external interface settings for FireCluster

  1. Click Next.
  2. (Optional) Edit the Internal Network IP Address.
  3. (Optional) Select Enable DHCP server on Internal Network.
    1. Enter a Starting IP Address.
    2. Enter an Ending IP Address.
  4. In the Member1 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.
  5. In the Member2 Communication IP Address text box, type an IP address that is on the same subnet as your internal network. Your Dimension or syslog server must also be on this network.

Screen shot of the internal interface settings for FireCluster

  1. Click Next.
  2. (Optional) If your Firebox is a wireless model, on the Configure Wireless Settings page, you can enable these options:
    • Enable Wireless — If you enable this option, enter the SSID and Passphrase for your internal wireless network.
    • Enable Guest Wireless — If you enable this option, enter the SSID and Passphrase for your guest wireless network.

Screen shot of the Configure Wireless Settings page

  1. Enter a Status Password.
  2. Enter an Admin Password. This password must be different than the status password.

Screen shot of the Password Configuration page

  1. To complete the configuration and change to cloud management, click OK.
    The confirmation page appears.

Screen shot of the final page of the Add Device Wizard for FireCluster

  1. Click Done.

After you deploy the configuration change, the cloud-managed configuration replaces the locally-managed configuration on the Firebox. You can no longer locally manage the FireCluster in WatchGuard System Manager or Fireware Web UI.

  1. Schedule a deployment.
  2. To verify the FireCluster connection to WatchGuard Cloud, see the Device Summary page.

Screen shot of the Device Summary page for a Firebox with the FireCluster status

Only the cluster master connects to WatchGuard Cloud. The status of the cluster master is Connected. The status of the backup master is Not Connected.

Manage the FireCluster

After you add a cloud-managed FireCluster, you can:

Related Topics

About FireCluster in WatchGuard Cloud

Change the FireCluster Management Type

Remove a FireCluster from WatchGuard Cloud

Configure an RMA Replacement for a Cloud-Managed FireCluster Member

Copy Configuration Settings from a Cloud-Managed Device