topic Cluster with only one member in Cloud Firewall

Cluster with only one member

Micha — Wed, 27 Dec 2023 11:02:53 GMT

Hi,

We want in the future to have a two firewall cluster, but at the moment only have one firewall (and license).

In order to make it easier in the future to add a second firewall, we want to set it up initially as a cluster.

We configured one interface as "sync" (required by SmartConsole), but the cluster object always is red since ClusterXL is not working (obviously).

Is there a way to have the single firewall ignore the "cluster problems" so the object will be green?

Or is the only way to change it back to a single firewall (cpconfig -> Disable cluster membership for this gateway), add it to SmartConsole as a standalone firewall object, and in the future perform cpconfig-> re-enable cluster membership?

Note: It is a GCP CloudGuard firewall.

Re: Cluster with only one member

Vincent_Bacher — Wed, 27 Dec 2023 11:32:53 GMT

I guess this is the classical "works as designed" behavior and i don't see any reason why a feature "ignore cluster problems" would make sense. So i would prefer using the simple gateway as it is and convert it to cluster later on when purchasing second cluster member device.

Re: Cluster with only one member

the_rock — Wed, 27 Dec 2023 14:02:12 GMT

Personally, but again, this is just my own opinion, I would not bother until you are ready to have a working custer. I mean, you can always enable/disable cluster membership option from the cpconfig menu (I know few customers who enabled that initially via default wizard, but then you can toggle it after from the menu, just needs a reboot).

Alternatively, you can then set up all the needed cluster interfaces. I could be mistaken, but if I recall, you only technically need sync interface for functioning cluster. No, I think thats not true, as you need VIP for the cluster IP object, so that would make it 1 + sync, so thats 2.

Best,

Andy

Re: Cluster with only one member

PhoneBoy — Wed, 27 Dec 2023 18:28:41 GMT

Forming a cluster requires two or more nodes to be active.
With a single member, there is no cluster, thus it will always appear "red" by design.
I wouldn't enable ClusterXL until you are ready to establish the cluster.

Re: Cluster with only one member

Bob_Zimmerman — Wed, 27 Dec 2023 18:57:42 GMT

The headache with moving from a single firewall to a cluster later is you then have to take a hard outage to change the IPs on the interfaces and use the old IPs as VIPs (or to change the routes on all adjacent things). If you start with a single-member cluster, you can add a second member at any time with zero traffic impact. This can be a big deal for locations which don't have qualified people nearby.

Re: Cluster with only one member

Chris_Atkinson — Wed, 27 Dec 2023 22:55:40 GMT

Yep but since this is a Cloud deployment and we don't have context of the scale of the deployment I would encourage some further discussion with the local account team, Vsec / Cloudguard cores can be relatively inexpensive.

Also does the topology mandate a traditional cluster vs auto-scale / MIG ?

Re: Cluster with only one member

PhoneBoy — Thu, 28 Dec 2023 17:33:12 GMT

That is 100% true.
Hopefully ElasticXL will take some of this pain away.

Re: Cluster with only one member

the_rock — Thu, 28 Dec 2023 17:53:15 GMT

Are you saying this would work with elasticXL? if so, that would be pretty cool : - )

Best,

Andy

Re: Cluster with only one member

PhoneBoy — Thu, 28 Dec 2023 20:42:21 GMT

In short, yes, it should.

ElasticXL will use much of the same technology that was developed for Maestro and Scalable Platforms.
Unlike with ClusterXL where you have to define the individual members before creating the cluster object, Maestro only requires a single management object, which is nothing more than a standard gateway object.
Members are added via the Orchestrator in Maestro and there will be gclish commands in R82 to add cluster members.

Re: Cluster with only one member

the_rock — Thu, 28 Dec 2023 20:43:42 GMT

Cool! But this will ONLY be possible on Maestro, nor regular Gaia gateways?

Andy

Re: Cluster with only one member

PhoneBoy — Thu, 28 Dec 2023 20:50:11 GMT

ElasticXL is ultimately replacing ClusterXL on regular gateways.