Convert a Single Layer 2 Firewall to a Layer 2 Firewall Cluster

You can use a conversion tool to convert an existing Single Layer 2 Firewall to a Layer 2 Firewall Cluster.

Using the conversion tool maintains the relationship between the Single Layer 2 Firewall element and other configurations in the system. The conversion requires you to select one Single Layer 2 Firewall element to convert to a Layer 2 Firewall Cluster.

The following limitations apply when you convert a Single Layer 2 Firewall to a Layer 2 Firewall Cluster:
  • It is not possible to combine two Single Layer 2 Firewall elements into a Layer 2 Firewall Cluster element.
  • A Single Layer 2 Firewall can only be converted to a two-node Layer 2 Firewall Cluster. To add more nodes to the cluster, add the nodes separately after the conversion.

CAUTION: If you change the control IP address of the existing node in this process, the connection between the NGFW Engine and the SMC is lost.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Make sure that both NGFW Engines are licensed.
    The licensing of clustered NGFW Engine nodes is done in the same way as the licensing of two Single Layer 2 Firewalls. All current Layer 2 Firewall licenses allow clustering the nodes, so no license changes are required to activate the feature.
  2. Make sure that the NGFW Engines are running software versions that are compatible with the SMC, and preferably that both NGFW Engines are running the same version.
    Although the cluster can be installed with the NGFW Engines running different software versions (unless otherwise stated in the Release Notes), long-term use with mismatched versions is not supported.
  3. If the Layer 2 Firewall that you are adding as the new node has a working configuration from previous use, return it to the initial configuration state.
    You can do so in the NGFW Configuration Wizard (sg-reconfigure) on the command line.
    Note: Do not establish a connection with the Management Server before the Layer 2 Firewall Cluster element is ready.
  4. Connect the network cables to the new node and power it on.
  5. Right-click the Single Layer 2 Firewall element that you want to upgrade to a Layer 2 Firewall Cluster, then select Configuration > Upgrade to Cluster.
  6. Browse to Interfaces > Interface Options.
  7. Define which IP addresses are used in particular roles in system communications.
  8. Click Save.
    Note: You can still close the Engine Editor without saving the changes to return to the previous configuration and undo the conversion.
  9. Make initial contact between each node and the Management Server.
    Install and configure any new NGFW Engine nodes as part of the cluster as in a new installation.
  10. Install the policy on the Layer 2 Firewall Cluster.
    To refresh the policy of the existing node before the new nodes are initialized, disable the inactive nodes on the Clustering pane in the Engine Editor. Otherwise, the policy installation fails due to a lack of connectivity to all nodes.