FireCluster on Azure

Hey people, I am trying to design my WatchGuard as an NVA as Active/Passive in Azure. As per the below doc from WatchGuard, it seems that FireCluster is not supported in Azure? That's removing the clustered node IP concept? For the alternative, should I be placing an internal load balancer on the trusted side and a public load balancer on the untrusted side?

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/firebox_cloud/firebox_cloud_differences.html#:~:text=VLANs-,FireCluster,-Bridge interfaces

Clarification on this is much appreciated!

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @AliH

    We don't support FireCluster in Azure. Technical limitations on that platform prevent FireCluster from working.

    Please see the article here, which goes over the technical details on setting the load balancers up:

    (Deploy Firebox Cloud with Azure Load Balancers)
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA1Vr0000001xAvKAI&lang=en_US

    -James Carson
    WatchGuard Customer Support

  • Hey @james.carson, thanks for your reply! I checked the guide and figured out that I will need to have an internal load balancer for the trusted side and a public one for the untrusted. One more thing: do I need a heartbeat sync between the two WatchGuards? How will the WatchGuards know which one is the active and passive?

  • james.carson Moderator, WatchGuard Representative

    Hi @AliH

    The heartbeat cable is only used by FireCluster, so there's no way to leverage that specific function here.

    Monitoring is done via a health probe in Azure itself. Our example uses the firewall's WebUI port (8080/tcp) to accomplish that.

    See page 14 of the guide for more info:
    https://techsearch.watchguard.com/KB/sfc/servlet.shepherd/document/download/069Vr000003Jpd0IAC

    -James Carson
    WatchGuard Customer Support

  • @james.carson so the Azure load balancer will be prioritizing the traffic to the active NVA1 and the second one, NVA2, will be passive? WatchGuard itself doesn't need to know about that? How are they going to replicate their configurations?

  • james.carson Moderator, WatchGuard Representative

    Hi @AliH
    Once the traffic makes it to the Firebox, the Firebox will handle the traffic based on that firewall's configured rules. The Firebox doesn't know or really care about the load balancer.

    You can use whatever load balancing scheme fits your needs.

    -James Carson
    WatchGuard Customer Support

  • @james.carson but how will the first Firebox, NVA1, replicate to the second Firebox, NVA2? So my config on NVA1 is being automatically replicated to the passive one?
