Convert Single Firewall elements to Firewall Cluster elements

You can use a conversion tool to change an existing Single Firewall engine into a Firewall Cluster.

The conversion tool maintains the relationship of the engine element with other configurations in the system (VPNs, for example), allows you to maintain some existing interface configurations (such as VLANs defined on interfaces), and minimizes service interruptions. The conversion requires you to select one Single Firewall element to convert to a cluster.

Make sure that enough IP addresses are available, especially if the Single Firewall is managed remotely. Each clustered engine node needs at least one dedicated IP address for its management communications. Also, the traffic that the nodes inspect requires at least one dedicated IP address per cluster.

The following limitations apply when you convert Single Firewall elements to Firewall Cluster elements:
  • It is not possible to combine two Single Firewall elements into a Firewall Cluster.
  • A Single Firewall engine can only be converted to a two-node Firewall Cluster. If you want to add more nodes to the cluster, you must add the nodes separately after the conversion.
  • Due to differences in the supported configurations, there are some configurations that prevent you from converting from a Single Firewall to a Firewall Cluster. These configurations are listed in the following table.
Table 1. Unsupported configurations on Firewall Clusters

| Configuration | Notes |
|---|---|
| ADSL interfaces | Firewall clusters do not support integrated ADSL modems. To convert to a cluster, you must switch to an external ADSL modem that the firewall engines access through an Ethernet connection. |
| Wireless interfaces | Firewall clusters do not support wireless interfaces. |
| Internal DHCP Server on older engine versions | Clustered firewalls support an internal DHCP server starting from software version 5.2. Upgrade the engine as necessary before conversion. |
| Dynamic IP addresses | Firewall clusters can only have static IP addresses. Clusters cannot use a dynamically assigned (DHCP or PPPoE) IP address. |
| Modem interfaces | Firewall clusters do not support integrated 3G modems. You must switch to a configuration that uses an external 3G modem through an Ethernet connection to convert to a cluster. |
| Integrated switch | Firewall clusters do not support integrated switches. To convert to a cluster, you must change to a configuration that uses an external switch that the firewall engines access through an Ethernet connection. |

CAUTION:
If you change the control IP address of the existing node in this process, the connection between the engine and the SMC is lost.