Loading cluster configs from different models

April 20, 2018 in watchguard ‐ 3 min read

This article will show you how to download the cluster configuration from one model type and upload it to another. If the model does not change, you can follow the article about feature key renewals on a cluster and simply input the feature keys of the new devices.

In this example I will apply the configuration of a WatchGuard XTM330 cluster to an M200 cluster.

How-to

First, factory reset both of the new firewalls and change the passwords on both of them. This is important because users and passwords are stored locally on the machines in a database called firebox-db.

Now we save the configuration of the old cluster (XTM-330) as a file. To do this, connect to the management IP of the cluster, start the Policy Manager and select File > Save > As file… Save the configuration under an easily identifiable name like Watchguard-XTM330-Cluster.xml.

Now we want to convert this XTM330 configuration file into one suitable for an M200. To do this, we open an empty M200 configuration and then, from within this config file, load the XTM330 cluster config that we saved earlier.

Once the config is loaded, we save it as a new config file called WatchGuard-M200-Cluster.xml.

Video: https://blog.hackzenwerk.org/wp-content/uploads/2018/04/0.webm

You will see a message that the number of interfaces has changed.

This way you can change the model type of the cluster configuration file. So far so complicated.

Now we will edit the feature keys of the cluster. If you try to change the feature key directly in the cluster config, you will see an error message saying that the key does not match the model.

This issue arises because the feature key of the single firewall is still present in the background, identifying it as a specific model. However, with an active cluster you cannot change this setting.

This means we have to deactivate the cluster and change the feature key of the firewall.

Video: https://blog.hackzenwerk.org/wp-content/uploads/2018/04/5.webm

After that we can re-enable the cluster and change the feature keys of the individual members.

Video: https://blog.hackzenwerk.org/wp-content/uploads/2018/04/6.webm

Now we have a cluster config file ready to be uploaded to the new M200 cluster.

Connect to one of the reset firewalls and upload the cluster config. Make sure to change Setup > OS Compatibility to support the firmware of the new firewall.

Video: https://blog.hackzenwerk.org/wp-content/uploads/2018/04/7.webm

Reboot the device and connect to the management IP of the cluster. If we now reboot the second firewall and connect the cluster interfaces, after a while the inactive firewall should become Backup Master.

If this fails, and sadly that happens quite often, factory reset the second box again and manually write the cluster config to it. DO NOT FORGET TO SET THE FIREWALL PASSWORD AGAIN HERE!

Afterwards, reboot the firewall, and after a while it should come online as the Backup Master.

Cheers, Ori