Has anyone deployed a 2 x M470 FireCluster, one at a DC and one at a DR site, with internet failover?

The WAN has multicasting enabled on the core switches with dedicated VLANs, and manual failovers from master to backup are tested and working fine. What do I need to ensure at a networking level or in the WG Firebox configuration? If the data centre site goes offline, how does the firewall, or can the Firebox, re-route the internet via a secondary internet connection at the DR site?

Is this possible, or are FireClusters only designed for failover at one site, for just the firewalls, and not with internet re-routing in mind? Hope that makes sense, or let me know if this needs more context.


  • Options

    There is a heartbeat which goes between the 2 HA firewalls.
    If there is too long a delay, then the backup will think that the other end is down.
    So you would need a very low latency for the heartbeat connection.

    About FireCluster Failover

  • Options

    Bruce, thanks for responding. My networking knowledge isn't great, so I will try to explain what we want to set up.

    We have 1Gbps fiber circuits to each site, and I haven't mentioned there is a Site C as well. Testing the failovers has worked for the cluster interface being unplugged, powering off the box, and either of the other interfaces going offline.

    I don't have a diagram at the moment but can pencil one in a bit. Just to describe the network:

    Imagine a triangle, Site A Data Centre is the top point (DC + FW01 + Primary Internet breakout)
    Site B is the point to the left (DR + FW02 + to be installed a backup Internet breakout)
    Site C is the point to the right (Head Quarters)

    The normal direction of traffic flow is Site B to A and Site C to A.
    In the event of a circuit failure, for example B > A goes down, I believe our core switches will detect the port is down, and spanning tree will close that port and enable a port on the Site B core switch to point traffic to Site C (HQ).
    So Site B (DR) will now access the internet via Site C (HQ) to Site A (DC).

    So in the scenario of the Data Centre going completely down, will WG FireCluster fail over, and internet traffic automatically as well?

    What I need to get my head around is this: if we install an internet breakout at (DR), will the external interface pick up re-routed traffic out to the backup internet breakout OK? My concern is that if we are using a different carrier, wouldn't we have to have different IP address details on the external interface?

    My other thought is: do we have to set up additional external interfaces on both devices and manually fail over policy-based traffic?

    I hope that makes sense. Is what we are trying to set up viable?

  • Options

    IMHO, FireCluster is not designed to create a hot/instant disaster recovery infrastructure such as you are hoping to implement.
    To me, its primary function is to provide a hot, nearly instant recovery for a failed firewall.

    You may be able to create your goals using FireCluster, but suggesting a design for this is beyond my experience.
    Consider opening a support incident to get help from WG in discussing this.

    Also note that should your main site go down, you also need to address switching over to incoming access to the alternate site. Dynamic routing abilities such as BGP should be able to address this. You would need to discuss this with your ISP(s).

  • Options

    Great, thanks for your thoughts. I recall that the previous network guy has BGP enabled across the links, or that side of the protocols is configured by the ISP, so we should be OK on that front. It is just the design that I am unsure of! :S
    Will be raising a ticket and gathering Network Architect resources! Cheers!
