10.4. Compiling cluster configuration with Firewall Builder

Cluster compilation works very much like it does for individual firewalls. However, there are a few things to keep in mind.

Clusters are represented by objects of type "Cluster" located in the object group "Clusters". To generate a configuration for all cluster member firewalls and install it on each, you need to compile the cluster object just like you would compile a regular standalone firewall object.

10.4.1. Compile a Cluster, Install a Firewall

In the compile dialog list there are two columns of checkboxes: "Compile" and "Install". When you compile a cluster, the "Compile" checkboxes appear only next to the cluster objects, while the "Install" checkboxes appear only next to the member firewall objects. This is because, to compile, the policy compiler needs to read the cluster object to get all the information about the cluster configuration, including the list of member firewalls. However, when the generated configuration is ready and needs to be installed on the member firewalls, the program needs to communicate with each member firewall separately. So the "Install" checkboxes are next to the member firewalls in the list, letting you turn installation on and off for each member separately.

Figure 10.12. Compiling cluster object with two members


A PIX cluster is an exception to this rule. In a PIX cluster, you only need to update the configuration of the active unit in the failover pair. The active unit then pushes the configuration to the second unit in the pair automatically. Firewall Builder is aware of this, and the "Install" checkbox is only enabled next to the member firewall marked as "master" in the cluster configuration.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.