Convert a Single Firewall element to a Firewall Cluster element

Converting a Single Firewall to a Firewall Cluster requires you to convert the IP addresses used for the interface roles described below to the IP address types that a cluster requires for those roles.

Firewall Clusters have more IP addressing requirements than Single Firewalls. The requirements are due to the two types of IP addresses that clusters must have to function:
  • An NDI (Node Dedicated IP Address) is used for communications between the engine itself and some other host in the network. Other hosts can be other nodes in the cluster, the Management Server, or hosts you ping from the engine’s command line.
  • A CVI (Cluster Virtual IP Address) is used for handling traffic that the cluster examines. If other network devices select the firewall’s IP address, converting the IP address to a CVI allows those external configurations to remain the same. (Examples of other network devices are a default gateway or VPN endpoint.)

You must change the IP address that is used for a particular role if the new interface type is not compatible with that role.

The IP address requirements and related important considerations are listed in the following table.

Table 1. Interface type requirements by role on Firewall Clusters

Role: Control interface (Management connections)
Type required: NDI
Notes: Each node requires its own NDI address. Often, the same IP address on a Single Firewall is used both for the engine’s own communications and for the traffic that the engine processes. In these cases, you can convert the IP address that processes the traffic to a CVI. With the conversion, you avoid reconfiguring external equipment, and you can add new NDI addresses for the nodes. Make sure that there are enough IP addresses available, especially if the firewall is managed remotely.

Role: DHCP relay
Type required: CVI
Notes: Configured in the physical interface properties.

Role: DHCP relay for VPN clients
Type required: NDI
Notes: Configured in the VPN settings in the Engine Editor.

Role: Heartbeat interface
Type required: NDI
Notes: Heartbeat and state synchronization communications between clustered engines. We recommend using a dedicated interface for the heartbeat, as reliable transmissions are critical to the operation of the cluster. If the heartbeat traffic passes through a switch, make sure that the switch does not throttle or block multicast traffic between the clustered engines.

Role: Routing
Type required: CVI
Notes: Traffic that is sent to an NDI address is not routed to any other destinations. Surrounding network devices that use the firewall as a default gateway must use a CVI address. If the internal DHCP server is used and configured to assign the firewall as the default gateway for clients, the default gateway IP address must be a CVI. (Configure the CVI in the physical interface properties.)

Role: VPN endpoints
Type required: CVI
Notes: Configured in the VPN settings in the Engine Editor.


Steps

  1. If you plan to convert the current IP address for management connections to a CVI:
    1. Add the new NDI IP address as a Backup Control IP address in the Single Firewall element.
    2. Adjust the Access and NAT rules of any firewalls on the communications path so that both current and new control IP addresses can be used. Then refresh the policies of these firewalls.
    3. Refresh the policy of the Single Firewall you plan to convert.
    4. Deselect the Backup Control IP address option and configure the new NDI control IP address as the Primary Control IP address.
      Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
  2. Add any new IP addresses that are required for the selected interface roles and configure the settings to use those IP addresses.
  3. If configured, remove dynamic IP addresses, Modem Interfaces, ADSL Interfaces, integrated Switches, and Port Group Interfaces. These configurations are not supported on clusters.
  4. Right-click the Single Firewall element, then select Configuration > Upgrade to Cluster.
    An interface mapping dialog box opens.
  5. Click the Upgrade to cell for each interface and select the IP address types for the interfaces.
    • You can select both a CVI and an NDI to be created for the same physical interface. This configuration is recommended for all interfaces. However, it might not be appropriate at this stage, because you cannot select which role the current IP address takes. Additional IP addresses are generated automatically to create the CVIs and NDIs.
    • Each selection is validated and you might not be able to select a type if it is incompatible with the selected role of the interface. See the preceding table for a summary of requirements.
  6. Click OK.
    The Cluster Properties dialog box for the new Firewall Cluster element opens.
  7. Switch to the Interfaces tab.
  8. In addition to the Physical interfaces and IP addresses used on the Single Firewall, add the interfaces and addresses needed for the cluster. Check that the IP addresses on all interfaces are unique and unassigned, and change them if necessary.
  9. Select Packet Dispatch as the CVI mode and enter the related unicast MAC address in the properties of all Physical Interfaces that have CVI definitions.
  10. Click Options and define which IP addresses are used in particular roles in system communications as explained in Setting Interface Options for Firewalls (page 489).
  11. If the internal DHCP server is used and configured to assign the firewall as the default gateway for clients, verify that the default gateway IP address is a CVI. (See Physical Interface properties on the DHCP tab.)
  12. Click OK.
    You can still click Cancel to return to the previous configuration and undo the conversion.
    The Single Firewall element is converted to a Firewall Cluster.
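Added example, not part of the product documentation: a small Python check that applies Table 1, step 3 and step 8 to a planned interface mapping before you run Upgrade to Cluster, so that incompatible role/type selections and duplicate addresses are caught in advance. The interface dictionary layout, the role names and the sample addresses are assumptions, not the SMC data model.

```python
from collections import Counter

# Required IP address type per interface role, mirroring Table 1 above.
ROLE_REQUIRES = {
    "control": "NDI",                 # management connections
    "dhcp_relay": "CVI",
    "dhcp_relay_vpn_clients": "NDI",
    "heartbeat": "NDI",
    "routing": "CVI",                 # default gateway for surrounding devices
    "vpn_endpoint": "CVI",
}
# Interface kinds that step 3 says must be removed before converting.
UNSUPPORTED_ON_CLUSTER = {"dynamic", "modem", "adsl", "switch", "port_group"}


def validate_upgrade(interfaces, node_count):
    """Return a list of problems with a planned interface mapping.

    Each interface is a dict (hypothetical layout, not the SMC data model):
    id, kind, roles, upgrade_to (set of "NDI"/"CVI") and addresses.
    An NDI needs one address per node; a CVI is one shared address.
    """
    problems = []
    seen = Counter()
    for iface in interfaces:
        iid, types = iface["id"], iface["upgrade_to"]
        if iface["kind"] in UNSUPPORTED_ON_CLUSTER:
            problems.append(f"{iid}: {iface['kind']} interfaces are not supported on clusters")
        for role in iface["roles"]:
            need = ROLE_REQUIRES[role]
            if need not in types:
                problems.append(f"{iid}: role {role} requires {need}")
        expected = node_count * ("NDI" in types) + ("CVI" in types)
        if len(iface["addresses"]) < expected:
            problems.append(f"{iid}: needs {expected} addresses, has {len(iface['addresses'])}")
        seen.update(iface["addresses"])
    # Step 8: every address on every interface must be unique.
    problems += [f"{ip} is assigned {n} times" for ip, n in seen.items() if n > 1]
    return problems


# Constructed two-node plan: interface 0 keeps its address as a CVI so the
# default gateway stays valid and gets one NDI per node; interface 1 is wrong.
SAMPLE_PLAN = [
    {"id": 0, "kind": "physical", "roles": ["control", "routing"],
     "upgrade_to": {"NDI", "CVI"},
     "addresses": ["192.0.2.1", "192.0.2.2", "192.0.2.3"]},
    {"id": 1, "kind": "physical", "roles": ["heartbeat"],
     "upgrade_to": {"CVI"}, "addresses": ["192.0.2.1"]},
]
```

Running `validate_upgrade(SAMPLE_PLAN, node_count=2)` reports the heartbeat interface that was mapped to a CVI instead of an NDI and the address reused on two interfaces; an empty list means the plan is consistent with the table.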

Properties dialog box (Upgrade to Firewall Cluster)

Use this dialog box to configure the upgrade of a Single Firewall to a Firewall Cluster.

Option Definition
Upgrade to: Select the IP address type for each interface.
  • NDI — Upgrade to a Node Dedicated IP Address (NDI). An NDI is used for communications between the engine itself and another host in the network, such as the other nodes in the cluster, the Management Server, and hosts that you ping from the engine’s command line.
  • CVI — Upgrade to Cluster Virtual IP Address (CVI). A CVI is used for handling traffic that the cluster examines. If other network devices point to the Firewall’s IP address (as a default gateway or as a VPN endpoint, for example), converting the IP address to a CVI allows those external configurations to remain unchanged.
  • NDI/CVI — Upgrade the interface to have both an NDI and a CVI.
Note:
  • You can select both a CVI and an NDI to be created for the same physical interface. This configuration is recommended for all interfaces, but it might not be appropriate for all interfaces at this stage, because you cannot select which role the current IP address takes. Additional IP addresses are generated automatically to create the CVIs and NDIs.
  • Each selection is validated, and you might not be able to select a type if it is incompatible with the selected role of the interface.
Interface ID: Shows the assigned interface ID.
Mode: The role of the interface IP address in system communications.
IP Address: The IP address of the interface.
Network: The network to which the interface IP address belongs.
Comment (Optional): A comment for your own reference.