Active/Passive Cluster Behavior

Hi to all,
I have to create an active/passive FireCluster with two T80s. My configuration is this:
4 WAN (2 of these will be discontinued shortly)
1 trusted
1 stack consisting of 2 switches
Each device is connected to both switches in the stack, except the firewalls. The ISP says their routers don't support LAGs, so I'll have to enable STP to avoid loops.
Here is a simple wiring diagram (I didn't draw the DMZ):

My question is: if the switch to which the active firewall is connected fails, would the cluster activate the passive node even if it continues to hear the other node via heartbeat? If not, my network will be isolated.

Since each firewall is connected to only one switch, how can I configure the infrastructure to tolerate the failure of a switch? Do I connect the heartbeat interfaces to the switches, so that if a switch fails the firewalls can't hear each other anymore?

Thanks a lot


  • james.carson Moderator, WatchGuard Representative

    Hi @SDR

    -The heartbeat cables must be connected directly to each firewall.
    -In an Active/Backup cluster, only the master will respond to traffic -- the backup master effectively just waits to take over. Enabling STP on these ports may cause the switches to refuse to send traffic to the other firewall if it takes over.

    If the connection to the active firewall did go faulty, the link monitor target on it would stop responding, and the firewall would initiate a failover to the backup device.

    -James Carson
    WatchGuard Customer Support

    edited July 2022

    Thank you for the answer. If STP may cause the switches to refuse to send traffic to the other firewall when it takes over, it is not a good idea to use it.

    These possible solutions come to mind:
    A ) Connect the router ports directly to the firewalls. This way I can't create network loops.

    B ) Connect only one port of the routers to the switch. In case one switch fails, I manually move the cables to the other switch, the one the passive firewall is connected to.

    Can both solutions work?


  • james.carson Moderator, WatchGuard Representative

    Hi @SDR

    A, If your ISP device supports it, you can do that. Otherwise, I'd suggest using a small L2 switch.

    B. Firecluster requires both members be plugged in to the same equipment at the same time -- doing this will break the cluster and cause it to not fail over properly. If you'd rather do things this way, I'd suggest just having a hot spare.

    -James Carson
    WatchGuard Customer Support
