Convert a Single Firewall to a Firewall Cluster

Use the conversion tool to change an existing Single Firewall engine into a Firewall Cluster.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Single Firewall element, then select Configuration > Upgrade to Cluster.
    An interface mapping dialog box opens.
  2. Click the Upgrade to cell for each interface and select the IP address types for the interfaces.
    You can create a CVI and an NDI for the same physical interface. This configuration is recommended for all interfaces. More IP addresses are generated automatically to create the CVIs and NDIs.
    Note: Each selection is validated and you might not be able to select a type if it is incompatible with the selected role of the interface.
  3. Click OK.
    The properties dialog box for the new Firewall Cluster element opens.
  4. On the Interfaces tab, add the interfaces and addresses needed for the cluster.
    Make sure that the IP addresses on all interfaces are unique and unassigned, and change them if necessary.
  5. Select Packet Dispatch as the CVI mode and enter the related unicast MAC address in the properties of all physical interfaces.
  6. Click Options, then define which IP addresses are used in particular roles in system communications.
  7. If the internal DHCP server is configured to assign the firewall as the default gateway for clients, verify that the default gateway IP address is a CVI on the DHCP tab of the Physical Interface Properties dialog box.
  8. Click OK.
    The Single Firewall element is converted to a Firewall Cluster.

Properties dialog box (Upgrade to Firewall Cluster)

Use this dialog box to configure the upgrade of a Single Firewall to a Firewall Cluster.

Option Definition
Upgrade to Select the IP address type for each interface.
  • NDI — Upgrade to a Node Dedicated IP Address (NDI). An NDI is used for communications between the engine itself and another host in the network, such as the other nodes in the cluster, the Management Server, and hosts that you ping from the engine’s command line.
  • CVI — Upgrade to Cluster Virtual IP Address (CVI). A CVI is used for handling traffic that the cluster examines. If other network devices point to the Firewall’s IP address (as a default gateway or as a VPN endpoint, for example), converting the IP address to a CVI allows those external configurations to remain unchanged.
  • NDI/CVI — Upgrade the interface to have both an NDI and a CVI.
  • You can select both a CVI and an NDI to be created for the same physical interface. This configuration is recommended for all interfaces, but it might not be appropriate for all interfaces at this stage, because you cannot select which role the current IP address takes. Additional IP addresses are generated automatically to create the CVIs and NDIs.
  • Each selection is validated, and you might not be able to select a type if it is incompatible with the selected role of the interface.
Interface ID Shows the assigned interface ID.
Mode The role of the interface IP address in system communications.
IP Address The IP address of the interface.
Network The network to which the interface IP address belongs.
Comment

(Optional)

A comment for your own reference.