Set up and configure a WatchGuard FireCluster: A Step-by-Step Guide

Captions
Welcome back to another video. In today's tutorial, I'll guide you through the process of setting up and configuring a FireCluster. We'll also explore how to check the status of a FireCluster and discuss the factors that can lead to a FireCluster triggering a failover.

Take a look at this connectivity overview diagram. This is how you should connect two devices and create a working FireCluster. Utilizing WatchGuard FireCluster allows you to set up a cluster with two devices, enhancing network performance and scalability. This configuration serves to prevent network disruptions in the event of hardware or software failures. Before I show you how to configure a FireCluster, there are a few important things you should know.

Oh, by the way, we have a great giveaway from our sponsor, Multicloud. Multicloud is an online cloud storage manager that allows users to link their various cloud services to a single site. Here you can transfer files, preview documents, and generally make better use of the storage facilities. Get your 200 GB cloud-to-cloud data transfer traffic for lifetime. The service is GDPR compliant and reliable.

When creating a cluster with two devices, it is imperative that they are of the identical model and are running the same version of the Fireware OS. I want to point out that each device in a FireCluster must have an active LiveSecurity subscription. Have the feature key for each Firebox saved in a local file. You will need an Ethernet cable for each cluster interface, one network switch for each enabled trusted, optional, custom, or external interface, and Ethernet cables to connect the interfaces of both devices to the network switches. Lastly, when configuring a FireCluster, we advise utilizing WatchGuard System Manager's Policy Manager, as setting up or managing a FireCluster through the Fireware Web UI is not feasible.

Before diving into the FireCluster configuration in the user interface, don't forget to subscribe to this channel and leave your comments in the section below.

Now let's go over some FireCluster terminology. A device within the FireCluster is referred to as a cluster member, and every cluster consists of two members: the cluster master and the backup master. The cluster master is responsible for updating and managing the cluster's connection and session details. It syncs this information with the backup master, which in turn monitors the cluster master and seamlessly assumes the cluster master role in case of a failover.

When building a FireCluster, you have two configuration options: you can configure an active/passive FireCluster or an active/active FireCluster. In an active/active FireCluster configuration, the cluster devices jointly handle the traffic flowing through the cluster. The cluster master allocates connections, and if one cluster member fails, the second device takes over the connections assigned to the failed device and manages the entire load. To enhance both redundancy and load sharing in your network, opting for an active/active cluster setup is recommended.

In an active/passive FireCluster setup, the active device manages all network traffic. Should it experience a failure, the passive device seamlessly assumes control of the connections originally handled by the failed device. As the traffic load is concentrated on one device at a time, an active/passive cluster provides redundancy but doesn't contribute to increased scalability.

When setting up a FireCluster, it's essential to allocate a cluster ID number for identification purposes. On M290 devices, the default ID number is 50. Although the cluster ID might appear inconsequential, there are instances where its significance becomes apparent. It is advisable to consult the FireCluster help documentation for additional information.

Every device within a FireCluster requires its own unique feature key. When you activate a FireCluster, the functioning of subscription services, VPN licenses, and upgrades for cluster members follows a specific protocol determined by your FireCluster configuration. While each device in a FireCluster must have an active LiveSecurity subscription license, the licensing for other features is contingent on the type of FireCluster you implement. For an active/active cluster, both devices must possess active licenses for the same set of subscription services, such as WebBlocker, Application Control, Gateway AntiVirus, and so forth. In an active/passive FireCluster, only one device is active at a given time. Consequently, this active device utilizes the subscription services that are active for either cluster member. For a more comprehensive understanding of how licensing is managed within a FireCluster, it is advisable to refer to the FireCluster help documentation.

Before activating the FireCluster feature, ensure that you have the necessary hardware to set up your FireCluster, plan the IP addresses and interfaces to be used, and deactivate any in-use interfaces in the configuration file. For this demonstration, I will employ specific interfaces and IP addresses, connecting them as illustrated. If you're configuring an active/passive cluster, as I will shortly, ensure that your network interfaces are set up in mixed routing or drop-in mode. For an active/active cluster configuration, your network interfaces must be in mixed routing mode, as FireCluster does not support bridge network mode.

To configure a FireCluster, you have two options: run the FireCluster Setup Wizard or manually configure the FireCluster. I have two M290 devices for this demonstration. We need to configure one of them and keep the second at its default out-of-the-box settings. No configuration is needed for the second device.

Let's start configuring our first device. Open a web browser window and navigate to 10.1.1. Use port 880, which is the default Web UI port. Use the default credentials to log in: the username is admin and the password is rewrite. After you log in, the setup wizard pops up. Select Create New Configuration, accept the terms, and click Next. Keep the default DHCP settings for the external interface. Add any DNS server you want according to your needs. Now assign the IP address for the trusted interface and set your DHCP range. I will keep the default values for now. Next, change the status password and the admin password and click Next. You can set an IP of a remote computer here and allow only that IP to manage the device. I will leave this blank. Next, assign a device name. I'm keeping the default here too. Now choose your time zone. It is important for the device to have a correct time zone. Click Next all the way to the end and finish the wizard.

Now let's log into the device again from the Web UI. Nothing special about this, as the device now has its default configuration. Let's go ahead then and download the WatchGuard System Manager. Head to watchguard.com, click Support at the top right corner, and go to Download Software. Select your device model from the list. I'm using M290 devices. Find and download the latest WatchGuard System Manager software. Locate the file you downloaded and start the installation. The process is simple: just hit Next all the way to the end.

Now launch the WatchGuard System Manager software. Log into the device using the status password you configured previously. You should see the device name along with its Fireware OS version. If you want, you can click on the cross icon to view which interfaces are enabled. Now click on Policy Manager from the top menu. Policy Manager pops up and we can see the default policy configuration. The process is very simple up to this point. It is also simple to subscribe to our channel: just hit the Subscribe button and give this video a thumbs up.

To illustrate this process, we'll utilize the FireCluster Setup Wizard. Initiate the FireCluster Setup Wizard by navigating to the FireCluster menu and then select Setup. Subsequently, choose active/passive as the cluster type. If you are configuring multiple FireClusters within the same layer and broadcast domain, assign a unique cluster ID. Otherwise, the default setting of 50 can be accepted. I will use ID number one as the cluster ID. In the case of setting up an active/active cluster, you would also need to specify a load balancing method at this point.

Proceed by selecting the cluster interfaces responsible for connecting the cluster members. A primary interface is mandatory, and for enhanced redundancy it is advisable to designate a backup interface. By default, the primary interface is determined as the one with the highest interface number, and in my situation that corresponds to interface 7. For the backup cluster interface, I will designate interface 6. Moving forward, the selection of the interface for the management IP address is required. This interface serves as a direct connection for maintenance tasks on FireCluster members. For the management interface, I'll use interface number one.

Subsequently, I'll input the feature key, member name, and serial number for this device. Next, we have to set up the IP address for the cluster interfaces and the management interfaces. Fill in the appropriate information and click Next.

Now let's add the second device. Remember, it is important to have the second device at its default out-of-the-box settings. Click Import and paste the feature key of the second device. Type the member name for the second device and check its serial number too. Fill in the IP information as you did for the first member. It is important to configure this the right way, otherwise you will face connectivity issues. Now click Next and close the wizard.

Next, go to Network Configuration and check the IP address of the trusted interface and the DHCP settings. Close this window and save the configuration. The device now acts as a cluster. To verify that, disconnect from the first device and connect again. This time, use the IP address of the trusted interface you configured during the cluster Setup Wizard. Note that the device icon has changed and it now shows a two-device icon. Click the cross to see both cluster members. You will see the master device and the backup master.

Open Policy Manager again and go to Network Configuration. Change the IP address of the trusted interface according to your needs. Don't forget to change the DHCP settings too. Save the new configuration. Now just disable and enable your network interface to get a new IP address. This is an important step because we have to connect with the cluster management interface.

Launch the WatchGuard System Manager and connect to the cluster trusted interface. Open Policy Manager again and go to Setup > System. Change the cluster name to whatever you like. I will name it m290 cluster. No spaces allowed. Save the configuration again. Right-click on the cluster device and select Refresh Status to see if the setting has been applied properly.

Now let's check the functionality of the cluster. Open a command window and type this command. Open another command window, but this time ping the first device, which has the IP 190 21680 21. Open a third command window and ping the second device, which has the IP 192.168.0.202. Now that all three ping commands get a reply, we know that the cluster allows communication with the network and the internet.

Let's disconnect the first device and see what happens. I will unplug it from the power socket. As you see, the ping fails to reach the first device and the Google DNS. This is normal. The second device should take over now and restore the connection. It looks like the connection is restored. The ping command for Google DNS gets a reply once more, with the first device still disconnected. Let's go to the System Manager to see what is going on. The first device is inactive and the second has become the master device.

Now I will reconnect the first device. It should change from inactive status to backup master. Nice, the device is back online and we receive a ping reply again. Notice that the ping command to Google DNS still has its connection active.

Now let's repeat the same process, but this time we will disconnect the second device. Again, we should see the same behavior. Refresh the status of the cluster to see which device is the master. Switch back to the ping commands one last time and wait for the second device to become active. This shouldn't take long, and there it is: both devices are up and running. Now let's check and verify the status of the cluster from the System Manager. It looks like everything is okay and the cluster is working properly.

Thank you very much for joining us on this demonstration. Feel free to leave any comments below and hit that Subscribe button so you won't miss any of our videos.
Info
Channel: IT Superhero
Views: 624
Keywords: watchguard, firewall, firebox, firecluster, security, internet security, watchguard firecluster, watchguard firecluster setup, watchguard firecluster setup tutorial, watchguard tutorial, firecluster tutorial, firewalls, cyber security, firewall configuration, watchguard firewall, it security, watchguard configuration, watchguard firebox, firewall how to, what is firewall, firewalls and network security, active passive cluster, active active cluster
Id: UnINuP31gwk
Length: 13min 54sec (834 seconds)
Published: Sun Jan 28 2024