Watchguard XTM 5 series



  • Is there a how-to doc or extensive video on setting up two Watchguard XTM 5 series fireboxes to do failover? So if I were to turn off the PA (Active) box it would automatically make the (Passive) box active.

    Oh and can the 10/100Mbit port on the XTM 5 series be used for the heartbeat link?

    Thanks,



  • There is no machine-specific failover tutorial because the concepts are the same no matter the hardware. And yes, a 10/100 link is fine for the sync/heartbeat connection.



  • @dotdash:

    There is no machine-specific failover tutorial because the concepts are the same no matter the hardware. And yes, a 10/100 link is fine for the sync/heartbeat connection.

    OK, so is there a good tutorial on setting up the firewall to failover then?

    Thanks,



  • Good place to start is here: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    The book is the best source, the gold subscription is worth it for that alone.



  • @dotdash:

    Good place to start is here: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    The book is the best source, the gold subscription is worth it for that alone.

    When I go to the page above I only see the following:

    Configuring pfSense Hardware Redundancy (CARP
    There is currently no text in this page. You can search for this page title in other pages, or search the related logs, but you do not have permission to create this page.

    That's what I noted to steve, who posted the same link. :)





  • @dotdash:

    The link code stripped off the trailing )

    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    So the question I have is with this diagram in the link above. It's a bit confusing. Why? Well, I am familiar with Neverfail and how it works. (https://doc.pfsense.org/index.php/File:CARP_Setup.png)

    Does the backup firewall LAN IP remain permanent, or does it change when it fails over? And for the WAN, since I use DHCP, is there any way to inject the MAC address from the primary firewall into the secondary when fail-over occurs?

    In a NF world the LAN IP of the secondary passive server is disabled; all data goes through the heartbeat. When the primary active server fails it tells the secondary passive server and begins the fail-over to the secondary, making it active and setting the primary to passive. During the process the LAN connection on the primary is turned off while it's turned on on the secondary. This way the interruption is minimal.

    Is that what CARP does?



  • Never heard of Neverfail, but pfSense operates much like a Cisco failover cluster using HSRP/VRRP: all traffic is routed out via the virtual/CARP addresses. The virtual addresses have unique MACs and are advertised by the cluster member that is currently master.
    They are labeled as 'cluster shares' on the picture.



  • So what happens when the firewall fails over? Does it retain the WAN IP address of the other firewall?



  • @Smoothrunnings:

    So what happens when the firewall fails over? Does it retain the WAN IP address of the other firewall?

    Each firewall has an address, but they share a virtual address that is used for routing the traffic.
    In the referenced diagram, the default gateway of LAN computers is 192.168.1.3 and on the WAN, traffic is NATed out 127.29.29.3.
    Those IPs will float between the two nodes. The concepts are different than that Neverland thing, please review the whole document referenced.



  • @dotdash:

    @Smoothrunnings:

    So what happens when the firewall fails over? Does it retain the WAN IP address of the other firewall?

    Each firewall has an address, but they share a virtual address that is used for routing the traffic.
    In the referenced diagram, the default gateway of LAN computers is 192.168.1.3 and on the WAN, traffic is NATed out 127.29.29.3.
    Those IPs will float between the two nodes. The concepts are different than that Neverland thing, please review the whole document referenced.

    So under CARP do the PRI and SEC FW's share the pub IP addresses?



  • As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.



  • @dotdash:

    As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.

    "Each has its own WAN address" might be a better way to explain that, since the linked document seems to show the cluster double NATed behind a DSL router combo.

    One could assume from that drawing that the DSL router actually has the only public IP in that particular example.



  • I assumed the document was using the 127 addresses as an example. It states you need three real addresses in the linked overview. Trying to run CARP behind NAT or float a single public greatly complicates matters and would not be recommended for someone still coming to grips with the basics. There are exceptions, but for a CARP cluster you need at least three public IP addresses.



  • @chpalmer:

    @dotdash:

    As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.

    "Each has its own WAN address" might be a better way to explain that, since the linked document seems to show the cluster double NATed behind a DSL router combo.

    One could assume from that drawing that the DSL router actually has the only public IP in that particular example.

    When you say each has its own WAN address, do you mean from a virtual IP or from a public IP aspect?

    From what I have learned with Cisco firewalls (we have engineers at work), the slave box has its own WAN IP, but when failover occurs everything from the master firewall is transferred to the slave, including the MAC address, so that the slave firewall in my case would get the same IP address from the ISP (as I am on DHCP for my WAN).

    The questions I have are the following:

    1. Do I have to set up the same apps on my slave firewall as I have on my master? (i.e. HAProxy, LCD driver, OpenVPN, Ntopng, etc.)
    2. Is the CARP heartbeat smart enough to pick up any changes I make to the local firewall and/or its apps, and update them?



  • @Smoothrunnings:

    From what I have learned with Cisco firewalls (we have engineers at work), the slave box has its own WAN IP, but when failover occurs everything from the master firewall is transferred to the slave, including the MAC address, so that the slave firewall in my case would get the same IP address from the ISP (as I am on DHCP for my WAN).

    The questions I have are the following:

    1. Do I have to set up the same apps on my slave firewall as I have on my master? (i.e. HAProxy, LCD driver, OpenVPN, Ntopng, etc.)
    2. Is the CARP heartbeat smart enough to pick up any changes I make to the local firewall and/or its apps, and update them?

    a. HA on Cisco is similar to HA on pfSense: master and slave have a public IP on the WAN. They share one or more virtual public IPs that have unique MACs. The virtual IPs migrate between master and slave.

    1. Generally yes, you need the same packages on both boxes. LCDproc and Ntopng would be exceptions as they don't run critical services.
    2. XMLRPC will push any config changes from the master to the slave. If you updated a package on the master, you would need to update the slave also.


  • @Smoothrunnings:

    @chpalmer:

    @dotdash:

    As previously explained, each firewall has a public address and they share the CARP Virtual IPs. Traffic should be routed via the Virtual IPs.

    "Each has its own WAN address" might be a better way to explain that, since the linked document seems to show the cluster double NATed behind a DSL router combo.

    One could assume from that drawing that the DSL router actually has the only public IP in that particular example.

    When you say each has its own WAN address, do you mean from a virtual IP or from a public IP aspect?

    From what I have learned with Cisco firewalls (we have engineers at work), the slave box has its own WAN IP, but when failover occurs everything from the master firewall is transferred to the slave, including the MAC address, so that the slave firewall in my case would get the same IP address from the ISP (as I am on DHCP for my WAN).

    The questions I have are the following:

    1. Do I have to set up the same apps on my slave firewall as I have on my master? (i.e. HAProxy, LCD driver, OpenVPN, Ntopng, etc.)
    2. Is the CARP heartbeat smart enough to pick up any changes I make to the local firewall and/or its apps, and update them?

    Oops, wrong post. :(



  • @dotdash:

    a. HA on Cisco is similar to HA on pfSense: master and slave have a public IP on the WAN. They share one or more virtual public IPs that have unique MACs. The virtual IPs migrate between master and slave.

    1. Generally yes, you need the same packages on both boxes. LCDproc and Ntopng would be exceptions as they don't run critical services.
    2. XMLRPC will push any config changes from the master to the slave. If you updated a package on the master, you would need to update the slave also.

    a. If, as you are saying, the WANs on both firewalls have their own public IPs, then how does the secondary assume the role of the primary when fail-over occurs?

    Thanks



  • @Smoothrunnings:

    a. If, as you are saying, the WANs on both firewalls have their own public IPs, then how does the secondary assume the role of the primary when fail-over occurs?

    Thanks

    The secondary gains control of the Virtual (CARP) IPs, the LAN side and the Public side. If this isn't clear, please review the CARP man page, the HA documentation, etc. I feel like this discussion is going in circles.
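The mechanism dotdash describes through the thread (each node keeps its own addresses; the cluster shares CARP virtual IPs that carry their own MAC and are advertised by the current master; the backup takes the VIPs over when advertisements stop; XMLRPC copies the master's config to the backup) as an added toy simulation, not code from pfSense, FreeBSD or anyone in this thread. Assumptions: VHID 1, the LAN VIP 192.168.1.3 from the linked diagram, constructed node addresses 192.168.1.1/.2 and a constructed documentation-range WAN block 203.0.113.0/24 in place of the diagram's 127.x addresses, the CARP virtual-MAC form 00:00:5e:00:01:<vhid>, and CARP's dead-timer of 3*advbase + advskew/256 seconds. Real CARP runs on multicast advertisements and pfsync state tables; this model only reproduces the election and address behaviour.

```python
"""Toy model of CARP virtual-IP failover (constructed example, not pfSense code)."""
from dataclasses import dataclass, field


def carp_vip_mac(vhid: int) -> str:
    """CARP (like VRRP) derives the VIP's MAC from the VHID: 00:00:5e:00:01:<vhid>.
    The MAC belongs to the VIP, not to a node, so LAN hosts' ARP caches stay valid
    across a failover."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be between 1 and 255")
    return f"00:00:5e:00:01:{vhid:02x}"


def failover_timeout(advbase: int, advskew: int) -> float:
    """Seconds without a master advertisement before a backup promotes itself.
    CARP uses 3 * advbase + advskew / 256, so the lower advskew promotes first."""
    return 3 * advbase + advskew / 256


@dataclass
class Node:
    name: str
    own_ips: dict               # interface -> the node's *own* address (never moves)
    advskew: int                # lower wins the election
    advbase: int = 1
    alive: bool = True
    state: str = "BACKUP"
    last_heard: float = 0.0     # time of the last advertisement heard from the master
    config: dict = field(default_factory=dict)


class CarpCluster:
    def __init__(self, vhid: int, vips: dict, nodes: list):
        self.vhid = vhid
        self.vips = vips        # interface -> shared virtual IP
        self.nodes = nodes
        self.now = 0.0
        self.elect()

    def elect(self):
        """All live nodes hear each other: the lowest advskew becomes MASTER."""
        live = [n for n in self.nodes if n.alive]
        if not live:
            return None
        master = min(live, key=lambda n: (n.advskew, n.name))
        for n in live:
            n.state = "MASTER" if n is master else "BACKUP"
            n.last_heard = self.now
        return master

    def master(self):
        return next((n for n in self.nodes if n.alive and n.state == "MASTER"), None)

    def tick(self, seconds: float = 1.0) -> None:
        """Advance time: the master advertises, backups check their dead-timer."""
        self.now += seconds
        master = self.master()
        backups = sorted((n for n in self.nodes if n.alive and n is not master),
                         key=lambda n: (n.advskew, n.name))
        for n in backups:
            if master is not None:
                n.last_heard = self.now          # heard the master's advertisement
            elif self.now - n.last_heard > failover_timeout(n.advbase, n.advskew):
                n.state = "MASTER"               # takes over the VIPs and their MAC
                master = n                       # higher-advskew backups now hear it

    def fail(self, name: str) -> None:
        n = self._node(name)
        n.alive, n.state = False, "DOWN"

    def recover(self, name: str) -> None:
        self._node(name).alive = True
        self.elect()                             # preemption: lowest advskew reclaims MASTER

    def sync_config(self) -> None:
        """Model of XMLRPC sync: the master's config is copied to live backups."""
        master = self.master()
        for n in self.nodes:
            if n is not master and n.alive:
                n.config = dict(master.config)

    def arp_view(self, interface: str) -> tuple:
        """What a host on `interface` sees for the shared gateway:
        (virtual IP, its MAC, the node currently answering for it)."""
        m = self.master()
        return (self.vips[interface], carp_vip_mac(self.vhid), m.name if m else None)

    def _node(self, name: str) -> Node:
        return next(n for n in self.nodes if n.name == name)


def demo() -> dict:
    """Two-node cluster: fw1 fails, fw2 takes the VIPs, fw1 preempts on recovery."""
    fw1 = Node("fw1", {"lan": "192.168.1.1", "wan": "203.0.113.1"}, advskew=0,
               config={"rules": 12})
    fw2 = Node("fw2", {"lan": "192.168.1.2", "wan": "203.0.113.2"}, advskew=100)
    cluster = CarpCluster(vhid=1, vips={"lan": "192.168.1.3", "wan": "203.0.113.3"},
                          nodes=[fw1, fw2])
    cluster.sync_config()
    before = cluster.arp_view("lan")
    cluster.fail("fw1")
    ticks = 0
    while cluster.master() is None:              # backup waits out its dead-timer
        cluster.tick(1.0)
        ticks += 1
    after = cluster.arp_view("lan")
    cluster.recover("fw1")
    return {"before": before, "after": after, "ticks_to_failover": ticks,
            "fw2_own_lan": fw2.own_ips["lan"], "fw2_config": fw2.config,
            "master_after_recovery": cluster.master().name}


if __name__ == "__main__":
    print(demo())
```

The output shows the point the thread circles around: the gateway address 192.168.1.3 and its MAC 00:00:5e:00:01:01 are identical before and after the failover, only the node answering for them changes, while fw2's own 192.168.1.2 never moves. In the model fw2 (advskew 100) needs four one-second ticks to pass its 3.39 s dead-timer; on pfSense the backup's advskew is set in the CARP VIP settings and the master preempts when it returns.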