Creating a cluster across the network

Hi,
We currently have two M370 fireboxes that are located next to each other with a single ethernet cable connecting the cluster interfaces.
We wish to move one of the fireboxes into a different server room at the other end of the premises but still wish for them to operate as a cluster.
I have found the following advice (from: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_hardware_setup_wsm.html)
"We recommend that you do not use a switch between each member for the cluster interfaces. If you do use a switch between cluster interfaces, the cluster interfaces must be logically separated from each other on different VLANs."

However, is this worded correctly? Surely it means that the cluster interfaces must be connected by their own VLAN, separate from all other interfaces? Because otherwise how would the fireboxes communicate across the cluster interfaces?

Many thanks,
Ross

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @RossAppleby

    The cluster interfaces are the crossover cables that go between the firewalls. Those must be connected from one firewall directly to the other.

    The other interfaces (External, Trusted, Optional, Custom) will be connected to whatever equipment or switch you need to use it with.

    So long as the length of cable between the firewalls does not cause any additional latency, this type of setup will usually work. The most common pitfall customers run into is when plugging into different switches, the switches do not want to allow the MAC sharing between the firewalls. Be sure to test failover between the members to ensure this is working should you decide to do this.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    In my opinion, this older picture is a much better representation of what's going on:
    http://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/ha/images/wsm_fc_diagram_simple.jpg

    -James Carson
    WatchGuard Customer Support

  • Hi James,
    Many thanks for your responses, it has helped to clarify the best way to take this project forward.
    Regards,
    Ross.
