Prepare interfaces and IP addresses for converting a Single Firewall to a Firewall Cluster

Firewall Clusters have different IP addressing requirements than Single Firewalls. You must change the IP address that is used for a particular role if the new interface type is not compatible with that role.

Firewall Clusters must have two types of IP addresses:

  • NDI (Node Dedicated IP Address) — An IP address that is used for traffic to or from an individual node in a cluster. Each node in the cluster has a specific IP address that is used as the NDI.
  • CVI (Cluster Virtual IP Address) — An IP address that is used to handle traffic routed through the cluster for inspection. All nodes in a cluster share this IP address. Allows other devices to communicate with the Firewall Cluster as a single entity. If other network devices, such as a default gateway or VPN endpoint, select the firewall’s IP address, converting the IP address to a CVI allows those external configurations to remain the same.
Table 1. Interface type requirements by role on Firewall Clusters
Role Type Required Notes
Control interface (Management connections) NDI Each node requires its own NDI address. Often, the same IP address on a Single Firewall is used for both the engine’s own communications and the traffic that the engine processes. In these cases, you can convert the IP address that processes the traffic to a CVI. With the conversion, you can avoid reconfiguring external equipment and you can add new NDI addresses for the nodes.

Make sure that enough IP addresses are available in the network, especially if the Single Firewall is managed remotely.

DHCP relay CVI Configured in the physical interface properties.
DHCP relay for VPN clients NDI Configured in the VPN settings in the Engine Editor.
Heartbeat interface NDI Heartbeat and state synchronization communications between clustered engines. We recommend using a dedicated interface for the heartbeat, as reliable transmissions are critical to the operation of the cluster. If the heartbeat traffic passes through a switch, make sure that the switch does not throttle or block multicast traffic between the clustered engines.
Routing CVI Traffic that is sent to an NDI address is not routed to any other destinations.

Surrounding network devices that use the firewall as a default gateway must use a CVI address.

If the internal DHCP server is used and configured to assign the firewall as the default gateway for clients, the default gateway IP address must be a CVI. (Configure the CVI in the physical interface properties.)

VPN endpoints CVI Configured in the VPN settings in the Engine Editor.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. If you plan to convert the Single Firewall's existing IP address for management connections to a CVI that processes the traffic in the Firewall Cluster, configure a new IP address for management connections.
    1. In the properties of the Single Firewall element, add a new IP address to the interface that you want to use for management connections.
    2. In the interface options, select the new control IP address from the Backup control IP address drop-down list.
      Management communication is not yet allowed to the new IP address. Adding the new IP address as a backup control IP address prevents management communication from being interrupted.
    3. Edit the Access and NAT rules of any firewalls on the communications path so that both current and new control IP addresses are allowed, then refresh the policies of these firewalls.
    4. Refresh the policy of the Single Firewall that you plan to convert.
    5. Deselect the new control IP address from the Backup control IP address drop-down list.
    6. Select the new control from the Primary control IP address drop-down list.
  2. Add any new IP addresses that are required for the selected interface roles and configure the settings to use those IP addresses.
    Make sure to add IP addresses to all physical interfaces or VLAN interfaces.
  3. If configured, remove dynamic IP addresses, modem interfaces, ADSL interfaces, integrated switches, and port group interfaces. These configurations are not supported on clusters.