Migrating to a New FireCluster

If you are trading up your WatchGuard FireCluster to a new FireCluster model, there are several steps to follow to ensure success.  You can move the configuration from your current device, as long as you make sure to update with the new firewall information.  You will be able to set up this cluster locally, so that the only downtime is the physical swap-out.


Before you begin:

  • Make sure that you have activated both of the new devices

  • Save a copy of each new device’s Feature Key locally for easy access

  • Make sure you have an updated version of WatchGuard System Manager installed on your computer

  • Make sure both of the new devices are running the same firmware version

 

To move the cluster configuration:

  1. Log into your current FireCluster with Policy Manager. Select File > Save > As File to save a local copy of the config. You can then disconnect from the device.

  2. Once both of the new firewalls are activated, physically connect a computer into Eth1 on one of the devices and make sure it is powered one.

    NOTE: The other device can remain off for now, and does not need to be physically connected to the other.

  3. Make sure that your computer receives a DHCP address from the 10.0.1.X network.

  4. In WatchGuard System Manager, select File > Connect to Device and use the following information:
    IP Address: 10.0.1.1
    Username: status
    Password: readonly

  5. Once connected, open Policy Manager

  6. The passwords on the device will need to be updated. Select File > Manage Users and Roles
    Username:
    admin
    Password: readwrite

  7. Update the passwords for the Status and Admin accounts. Click OK once complete to save the passwords.

  8. Select File > Open > Configuration File

  9. Import the configuration file saved from the original FireCluster

  10. The old FireCluster’s information will need to be updated with the new licensing. Select FireCluster > Configure

  11. Select the Members tab

  12. Select the first device, and click Edit

  13. In the Configuration window, update the Serial Number with the new primary device’s information

  14. Click the Feature Key tab. Click Remove to clear the old licensing.

  15. Click Import, and paste in the new primary device’s Feature Key. Click OK to go back to FireCluster Configuration.

  16. Select the second device, and click Edit

  17. In the Configuration window, update the Serial Number with the new secondary device’s information.

  18. Click the Feature Key tab. Click Remove to clear the old licensing.

  19. Click Import, and paste in the new secondary device’s Feature Key. Click OK to go back to FireCluster Configuration.

  20. Click OK on any open windows. Select File > Save > To Firebox. Use the updated Admin credentials (from step 6)

  21. Once the configuration is saved, close Policy Manager.


    At this point, the new primary device will be running with the moved configuration.  To reconnect to the device, you will need to make sure you are connected across the device’s management interface.  If your firewall does not manage DHCP for this network, make sure that you statically set your computer on the same subnet.

  22. In the WatchGuard System Manager window, you will see that the device is unreachable. Select File > Disconnect All

  23. You will now need to prepare the second device to be joined to the cluster. Make sure that the second firewall has been factory reset.

  24. To best review the FireCluster before it is implemented into the network, it is best to set up the devices where a failover can be tested. If you have equipment available, plug a switch/hub into the Trusted/Management interface, and then connect your computer into this equipment.

  25. Reconnect to the firewall through WatchGuard System Manager using the correct IP address and updated credentials.

  26. Connect the cluster interface between the primary and secondary devices.

  27. Open Firebox System Manager. Select Tools > Cluster > Discover Member.

  28. In the Front Panel of Firebox System Manager, monitor the Cluster section to verify that the secondary device joins as the Backup Master.

  29. Once the second device joins as the Backup Master, connect its Trusted Interface to the switch/hub (step 24).

  30. To test the failover, select Tools > Cluster > Failover Master.

  31. Verify that the roles of the devices flip.

Once the devices are joined and failover is tested, they can be implemented into the network.