Managing Clusters

Configuring a Cluster

Introduction

Configure a cluster to maintain connections in the organization's network when there is a failure in a cluster member. The cluster provides redundancy.

Cluster High Availability is supported. In High Availability, only one gateway is active at a time. When there is a failover, the standby member becomes active. There is no load sharing between the members of the cluster.

All cluster configuration is done through the active member.

Note - Bridge and switch configurations are not supported in cluster configuration.

Configuration workflow:

  1. Complete the First Time Configuration Wizard on both appliances. In the Local Network page of the wizard, clear the Enable switch on LAN ports checkbox.

  2. Configure network settings on the appliance that is the primary (active) member.

  3. Connect a sync cable between the appliances.

  4. Configure the active member.

  5. Configure the standby member.

Prerequisites

  • In WebUI > Device > Local Network, delete bridge and switch configurations before you start to configure a cluster.

  • The appliances in a cluster must have the same hardware, firmware, and licenses.

    Note - Connect the sync cable only after you complete the First Time Configuration Wizard and remove the switch configuration on both appliances. No additional configuration is required on either member.

Best Practice - Designate the same LAN port for the Sync interface. The default Sync interface is LAN2/SYNC.

For the primary (active) cluster member:

  1. Connect to the appliance that is the primary cluster member.

  2. In the WebUI, go to Device > High Availability and click Configure Cluster.

  3. Follow the wizard steps and configure the appliance as a primary member. For more information, see Configuring High Availability.

For the secondary (standby) cluster member:

  1. Connect to the appliance that is the secondary cluster member.

  2. Go to Device > High Availability and click Configure Cluster.

  3. Follow the wizard steps and configure the appliance as a secondary member. For more information, see Configuring High Availability.

Complete other configuration requirements such as access policy, VPN, and Threat Prevention parameters. The primary and secondary members now synchronize their configuration.

Monitoring the Cluster

Best Practice - After the cluster is successfully configured, connect to https://my.firewall. This redirects you to the WebUI Home > System page for the active cluster member.

To log in to each appliance:

Go to https://<IP>:4434, where <IP> is the IP address of the specified member.

Note - Not all options are available, because all cluster configuration is done through the active member. The WebUI of the standby cluster member has only one tab: Device.

To show the status of the cluster member:

Go to Device > High Availability.

Upgrading a Cluster

You can maintain network connectivity while you upgrade a cluster. One member of the cluster remains active while the other cluster member is upgraded. The system is always active and there is no downtime during the upgrade process.

In a High Availability cluster, only one member is active at a time. The other appliance is standby. To upgrade a cluster, first upgrade the standby appliance and then upgrade the active member.

Upgrade workflow:

  1. Upgrade the standby member in the WebUI Device > System Operations page.

    The standby member automatically reboots.

  2. In the active member's WebUI Device > High Availability page, wait for the status to show "Active" and "Standby."

  3. Upgrade the active member.

    The active member automatically reboots.

Note - The upgrade process is the same for each cluster member. Only manual upgrade is supported.

After the reboot:

  • The former active member is now the standby member.

  • The former standby member is now the active member.

To manually upgrade a cluster member:

  1. On the Device > System Operations page, click Manual Upgrade.

    The Upgrade Software Wizard opens.

  2. Follow the Wizard instructions to upgrade the cluster member.

    The upgrade process automatically reboots the member.

To see the status of each cluster member:

Go to Device > High Availability.