Adjust IPS clustering options

IPS Clusters operate by default in load-balancing mode. This means that all configured nodes in an IPS Cluster are online simultaneously and the traffic is distributed among the operational nodes. The load balancing aims to keep the traffic load as evenly distributed as possible.

Alternatively, the IPS Cluster can run in standby mode. In that case, only one IPS node at a time is online and processing traffic, while the others are in standby mode. Only if the online node fails, one of the standby nodes goes online to take over the connections being handled by the failed node.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an IPS Cluster element, then select Edit IPS Cluster.
    The Engine Editor opens.
  2. In the navigation pane on the left, browse to General > Clustering.
    The Clustering pane opens on the right.
  3. Configure the settings.
  4. Click Save and Refresh to transfer the changes.

Engine Editor > General > Clustering

Use this branch to view nodes and add new nodes to the NGFW Engine cluster.

Option Definition
Node ID

(Not editable)

Shows the ID number of the node.
Name Specifies the name of the node. Double-click the cell to edit the name.
Configuration Status

(Not editable)

Shows the configuration status of the node.
Certificate

(Optional)

Shows information about the node's certificate for external certificate management. Right-click the cell, then select Edit Certificate to create a certificate request for the NGFW Engine node.

You must create a separate certificate request for each NGFW Engine node.

Version

(Not editable)

Shows the version of the NGFW Engine software that is installed on the engine.
Comment

(Optional)

A comment for your own reference.
SNMP Location Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object.
SNMP Engine ID

(SNMPv3 only)

A unique identifier for each NGFW Engine node that is used by the SNMP agent.

The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated.

Disabled Disables the node. You can enable the node later.
Add Node Adds a node to the cluster. Opens the Engine Node Properties dialog box.
Edit Node Allows you to change the properties of the selected node. Opens the Engine Node Properties dialog box.
Remove Node Deletes the selected node. The deleted node cannot be restored.
Clustering Mode

(Not Layer 2 Firewalls)

  • Balancing — All nodes are simultaneously online providing enhanced performance and high availability if there is node failure. Balancing mode is the default mode.
  • Standby — Only one node can be online at a time. We recommend having at least one other node on standby to allow automatic takeover if there is failure. Several nodes can be on standby at a time. A randomly selected standby node is turned online when the online node fails.
Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters.
Clustering Allows you to change advanced settings for the cluster. Opens the Advanced Cluster Settings dialog box.

Advanced Cluster Settings dialog box (IPS engines)

Use this dialog box to define advanced clustering settings.

Option Definition
Filter Mode Defines how traffic is balanced between the nodes.
  • Static — Packet ownership (the node to which the connection or packet belongs) can change only when nodes are added or removed from the cluster, or when they switch from one state to another.
  • Dynamic — Traffic is balanced to avoid node overloads and existing connections are moved between nodes whenever overload is detected.
Heartbeat Message Period Specifies how often clustered NGFW Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second).
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Heartbeat Failover Time Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds.
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Interface ID Shows the assigned interface ID.
Heartbeat IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.1. This multicast IP address must not be used for other purposes on any of the network interfaces.