Adjust Layer 2 Firewall clustering options
By default, Layer 2 Firewall Clusters operate in active-standby mode.
Only one Layer 2 Firewall node at a time is online and processing traffic, while the others are standby. Only if the online node fails, one of the standby nodes goes online to take over the connections being handled by the failed node.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor > General > Clustering
Use this branch to view nodes and add new nodes to the NGFW Engine cluster.
Option | Definition |
---|---|
Node ID (Not editable) |
Shows the ID number of the node. |
Name | Specifies the name of the node. Double-click the cell to edit the name. |
Configuration Status (Not editable) |
Shows the configuration status of the node. |
Certificate (Optional) |
Shows information about the node's certificate for external
certificate management. Right-click the cell, then select Edit Certificate to create a certificate request for the NGFW Engine node. You must create a separate certificate request for each NGFW Engine node. |
Version (Not editable) |
Shows the version of the NGFW Engine software that is installed on the engine. |
Comment (Optional) |
A comment for your own reference. |
SNMP Location | Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object. |
SNMP Engine ID (SNMPv3 only) |
A unique identifier for each NGFW Engine node that is used by the SNMP agent. The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated. |
Disabled | Disables the node. You can enable the node later. |
Add Node | Adds a node to the cluster. Opens the Engine Node Properties dialog box. |
Edit Node | Allows you to change the properties of the selected node. Opens the Engine Node Properties dialog box. |
Remove Node | Deletes the selected node. The deleted node cannot be restored. |
Clustering Mode
(Not Layer 2 Firewalls) |
Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters.
|
Clustering | Allows you to change advanced settings for the cluster. Opens the Advanced Cluster Settings dialog box. |
Advanced Cluster Settings dialog box (Layer 2 Firewalls)
Use this dialog box to define advanced clustering settings.
Setting | Description |
---|---|
Heartbeat Message Period | Defines how often clustered engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second).
CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
|
Heartbeat Failover Time | Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds.
CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
|
Interface ID | Shows the assigned interface ID. |
State Sync |
Defines how the nodes exchange information about the traffic that they process.
Note: We strongly recommend using Access rule options to disable state synchronization for specific traffic rather than adjusting the State Sync settings for the cluster.
|
Full Sync Interval
or Incr Sync Interval |
Define how frequently the full synchronizations and incremental synchronizations are done. Do not set the values much higher or lower than their defaults (5000 ms for full, 50 ms for incremental)
CAUTION: Adjusting the sync intervals has significant impact on the cluster's performance. Inappropriate settings seriously degrade the firewall's performance.
|
Sync Security Level |
|
Heartbeat IP | Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications (default: 225.1.1.1). This multicast IP address must not be used for other purposes on any of the network interfaces. |
Synchronization IP | Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications (default: 225.1.1.2). This multicast IP address must not be used for other purposes on any of the network interfaces. |