Adding a third 5800 to a current 5800 Firewall Cluster

We currently have a two-firewall cluster. We are working on getting a third member added to this cluster and I have it on my desk for configuration. We are required to have most of the setup done before it is racked and added to the network. This is so Cyber Security can do an assessment before it is added to our network.

What would be the best way to add this new firewall to the cluster?

-Configure as a local configuration with an IP on an interface that I can access
-Install firewall and confirm I can see it on the network
-Manually add it to the cluster (convert from local to cluster configuration?)

or is it possible to do a cluster setup before adding it to the network?


I have the option to do as much local setup as possible for the assessment and then do a follow up assessment after installation.

Admin

Re: Adding a third 5800 to a current 5800 Firewall Cluster

You can't really add a member to a cluster without doing SIC which requires getting the device on the network.

Employee+

Re: Adding a third 5800 to a current 5800 Firewall Cluster

Agree with Dameon.

Also, if you cannot connect it to the management server, then you cannot install the policy (which includes the ClusterXL configuration).

What kind of assessment are you required to do before?

You may prepare the system configuration in advance (IP addresses of interfaces, routes, hostname, DNS servers, local configurations like fwkern.conf, others...), unless it is a VSX cluster, where most of the configuration is in the Management Server 🙂

Wolfgang
Silver

Re: Adding a third 5800 to a current 5800 Firewall Cluster

Dameon and Victor explained very well what to do.

Configure all of the local configuration, enable cluster membership with the same cluster ID, set the SIC password, install all needed hotfixes. At this point the gateway starts with the initial policy. This allows SSH, WebUI and connections from management to the system. Routing is disabled at this point.

Then you can install it into your rack, connect to the network and establish SIC with management. Install policy and everything is fine.

You can edit initial_policy.pf to get a more secure policy in the initial state, but this is hard work to do.

Wolfgang

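The steps above end with the new member booting on the initial policy until SIC is established and the cluster policy is installed. The following script is an added example, not code from this thread or from Check Point: it turns that end state into a check a reviewer can run on the new member. `fw stat` and `cphaprob state` are the real Check Point commands, but the sample outputs embedded here are constructed approximations of their format, and the policy name `Standard` and member names `fw-a`/`fw-b`/`fw-c` are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): post-install
# sanity check for a newly racked ClusterXL member. A freshly prepared
# gateway runs InitialPolicy until SIC is established and a policy is
# installed, so "still on InitialPolicy" or "member not ACTIVE/STANDBY"
# means the procedure is not finished. The sample outputs below are
# CONSTRUCTED approximations of `fw stat` and `cphaprob state` output.

# policy_name: print the policy installed on localhost, read from
# `fw stat` output on stdin (second column of the localhost row).
policy_name() {
    awk '$1 == "localhost" { print $2; exit }'
}

# initial_policy_active: succeed (exit 0) while the gateway still runs
# InitialPolicy, i.e. SIC and policy install have not completed yet.
initial_policy_active() {
    [ "$(policy_name)" = "InitialPolicy" ]
}

# member_states: from `cphaprob state` output on stdin, print "ID STATE"
# for every member row (rows starting with a numeric member ID). The State
# column is the second-to-last field, so the "(local)" tag on the local
# member's row does not shift it.
member_states() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $(NF-1) }'
}

# all_members_ready: succeed only if every member is ACTIVE or STANDBY.
all_members_ready() {
    member_states | awk '$2 != "ACTIVE" && $2 != "STANDBY" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample output, shaped like `fw stat` before and after the
# cluster policy has been pushed from the management server.
FW_STAT_BEFORE='HOST      POLICY        DATE
localhost InitialPolicy 12Mar2024 10:00:00 : [>eth0] [<eth0]'
FW_STAT_AFTER='HOST      POLICY        DATE
localhost Standard      12Mar2024 11:30:00 : [>eth0] [<eth0] [>eth1] [<eth1]'

# Constructed sample output, shaped like `cphaprob state` on a three-member
# HA cluster: once healthy, and once with the new member not yet up.
CPHAPROB_OK='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         fw-a
2          192.168.1.2     0%              STANDBY        fw-b
3          192.168.1.3     0%              STANDBY        fw-c'
CPHAPROB_NEW_MEMBER_DOWN='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         fw-a
2          192.168.1.2     0%              STANDBY        fw-b
3          192.168.1.3     0%              DOWN           fw-c'

# report: run both checks over the given outputs and summarise. On a real
# member, replace the constants with the output of `fw stat` and
# `cphaprob state`.
report() {
    fw_out=$1
    cpha_out=$2
    if printf '%s\n' "$fw_out" | initial_policy_active; then
        echo "policy: still InitialPolicy (SIC/policy install not done)"
    else
        echo "policy: $(printf '%s\n' "$fw_out" | policy_name)"
    fi
    if printf '%s\n' "$cpha_out" | all_members_ready; then
        echo "cluster: all members ACTIVE/STANDBY"
    else
        echo "cluster: a member is not ready"
        printf '%s\n' "$cpha_out" | member_states
    fi
}

report "$FW_STAT_AFTER" "$CPHAPROB_OK"
```

Run it as-is to see the healthy case; swap in `FW_STAT_BEFORE` or `CPHAPROB_NEW_MEMBER_DOWN` to see how an unfinished install or a member that has not joined is reported.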
Vladimir
Pearl

Re: Adding a third 5800 to a current 5800 Firewall Cluster

FYI: if you are adding the 3rd member to the cluster, check what version of the product it is intended to run.

If it will be a VSX VSLS cluster member, R80.20 will work on it. If your intended use is a load-sharing 3-member cluster, R80.20 does not support it presently.
