Converting Single Firewalls to Firewall Clusters

You can use a conversion tool to change an existing Single Firewall engine into a Firewall Cluster.

The conversion tool:

  • Maintains the relationship of the NGFW Engine element with other configurations in the system, such as VPNs
  • Allows you to maintain some existing interface configurations, such as VLANs defined on interfaces
  • Minimizes service interruptions

The following limitations apply when you convert Single Firewall elements to Firewall Cluster elements:

  • It is not possible to combine two Single Firewall elements into a Firewall Cluster.
  • A Single Firewall can only be converted to a two-node Firewall Cluster. If you want to add more nodes to the cluster, you must add the nodes separately after the conversion.

Due to differences in the supported configurations, the following configurations prevent you from converting from a Single Firewall to a Firewall Cluster:

Table 1. Unsupported configurations on Firewall Clusters

| Configuration | Notes |
|---|---|
| ADSL interfaces | Firewall clusters do not support integrated ADSL modems. To convert to a cluster, you must change to an external ADSL modem that the firewall engines access through an Ethernet connection. |
| Wireless interfaces | Firewall clusters do not support wireless interfaces. |
| Dynamic IP addresses | Firewall clusters can only have static IP addresses. Clusters cannot use a dynamically assigned (DHCP or PPPoE) IP address. |
| Modem interfaces | Firewall clusters do not support integrated mobile broadband modems, such as LTE modems. To convert to a cluster, you must change to a configuration that uses an external mobile broadband modem through an Ethernet connection. |
| Integrated switch | Firewall clusters do not support integrated switches. To convert to a cluster, you must change to a configuration that uses an external switch that the firewall engines access through an Ethernet connection. |

Note: If you change the control IP address of the existing node after you start the conversion tool, the connection between the engine and the SMC is lost.

The configuration consists of these general steps:

  1. Prepare your environment for converting the Single Firewall to a Firewall Cluster.
  2. Prepare interfaces and IP addresses for converting the Single Firewall to a Firewall Cluster.
  3. Convert the Single Firewall element to a Firewall Cluster element.
  4. Activate the new NGFW Engine configuration on the Firewall Cluster.