Correct setup for firecluster?

Hi all

I've been trying to figure out the correct hardware configuration for our new firecluster. I'm pretty new to this, so wanted to ask for some feedback.

I want to set up a new active/active cluster. I'm pretty much there to make sure the cluster on itself works in a test setup, but of course it needs to go to our datacenter, where we have two IP adresses for our use. I tried to make up some scheme about what I think it will look like.

Can I have some feedback on how the external interfaces (int 1 and int 2 on each firewall) should be configured and if this is pretty much the right thing to do? My thoughts on the interfaces is this:
0. Management IP
1. IP address of external IP 1
2. IP address of external IP 2
4. -> I don't think this is possible though. So I guess better
5. disabled -> not needed
6. and 7 as said in the drawing.

I guess Both members of the cluster will have the exact copy (apart from cluster interfaces).



    1. & 4. - you can't have the same subnet defined to 2 different routed firewall interfaces.

    So you need to rethink the setup for these.
    I don't use Aruba switches, so I don't know the best way to set up the redundancy that you seem to be trying to create here.

  • edited March 2022

    Look at Link Aggregation, which may be what you want here:

    About Link Aggregation

  • Apparently Link Aggregation only works with an active/passive cluster ... Any idea how I will need to set up the coonfig with an active/active? We went for maximum security, that's why we have doubled every hardware component. But now I wonder if that was the smartest thing to do

  • FYI - you went for higher availability, not maximum security.

    Do you need the throughput of an A/A cluster?
    If not, consider an A/P cluster.

  • You can open a technical support incident and ask for design help for this from a WG rep.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    I would suggest setting up as an Active\Passive cluster, and then moving to an Active\Active cluster if you need that throughput.

    [Active/Backup, Active/Passive, Master/Backup are all describing the same type of cluster. You'll sometimes see them referred to interchangeably on the forums.)

    -Active/Passive clusters only require security service licensing on one of the devices if you are using them. Active/Active requires them on both.

    -Active/Active has specific switch requirements due to how it works:

    -If an Active/Active cluster has a member go down, the network will effectively be running at ~50% capacity due to the lost member, while the Active/Passive cluster will continue to operate at 100% throughput.

    If you require LAGs (Link Aggregations) you'll need to use Active/Passive.

    With Active/Passive, both members are still there, it's just the "backup" unit is waiting to take over at a moment's notice. Active/Backup isn't a less secure option -- since the network maintains 100% capacity even with one unit down for whatever reason (like backups, hardware failure, upgrades, etc.)

    Unless you specifically need the throughput and are ok with the cost of licensing the security suite for two devices instead of one, generally Active/Passive is the way to go.

    -James Carson
    WatchGuard Customer Support

  • Thanks for the help!

    @james.carson : What do you mean by the loss of capacity? So if one of the members goes down in A/A mode, it will have a loss in performance as well?

    Trying to get all the pieces together here

  • Yes. With A/A, both members are processing traffic.
    With A/P, just one member is processing traffic

  • james.carsonjames.carson Moderator, WatchGuard Representative

    If you're running an A/A cluster, this would be 100% capacity for the cluster. If one member goes down, you'll loose that member's processing (and thus capacity.)

    In an A/P cluster, if one member goes down, the other just takes over.

    It is generally less expensive to do A/P (due to the A/A licensing requirements) to size the devices so that one firewall can handle the load of the network and the other just takes over if there is an issue. It's only really advantageous to use A/A if you specifically need the load balancing.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.