Building Firecluster retrospectively with one existing node already active

We have a single M370 Firebox currently in service and have purchased a second M370 to make a cluster. Are there any simple instructions on how to create the cluster using the config on the existing in-service node as is (apart from adding some cluster interfaces to go between the Fireboxes)?

...or am I going to have to rebuild the cluster from scratch (using Policy Manager, which we don't use currently)?

Just wondered if anyone had any experience of building the cluster retrospectively like this?

Thanks

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @GrahamD
    All FireClusters start out with just one member configured, so you're absolutely fine. The only device that will need to be reset is the new one you're adding -- to make it discoverable.

    Please see the quick start guide here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_quick_start.html

    There's also a video here:
    https://www.watchguard.com/help/video-tutorials/Firecluster/FireCluster.mp4

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Thanks for the reply. So the backup Firebox presumably assumes the IP addresses of all the Primary box interfaces (outside of the configured cluster communication interfaces, which are unique to each Firebox) when it does failover?

    That makes things easier - I thought I might have to make cluster IPs for all interfaces that can move between boxes - which would have meant I had to re-IP the current active firebox.

    Thanks

    Graham

  • james.carson Moderator, WatchGuard Representative

    Yes,

    If you're looking to use Active/Backup mode, they actually share a MAC address across the two devices as well (the master unit is just the one that replies to traffic). Most customers use Active/Backup due to the licensing advantages, and having a fully operational network if one unit were to go down.

    If you're looking to use Active/Active mode, there are some extra switch requirements for multicast MAC that need to be set up.

    -James Carson
    WatchGuard Customer Support
