Clustering

The System Clustering page includes the following sections. Click on the link to go to the corresponding section to learn more:

To go to the documentation for the previous section of System, see System. To go to the documentation for next subsection in the System section, see Configuration.

To access the Clustering page in the WAF management interface, on the left panel, under System, click Clustering.

To save configuration changes or edits you make to any features and options, you must click Save on the lower-right of the section or page where you are making changes. Click apply changes on the upper-left corner of the page, and then click OK. Your changes will not be stored if you do not properly save your changes.

Clustering in WAF is based on VRRP. It allows for configuring high availability WAF pairs running Active/Passive with automatic fail-over within three seconds.

When deployed in combination with a load balancer in a separate load balancing pool many WAF nodes can be run Active/Active with the policy synchronized across all nodes by the master.

Cluster virtual IP configuration

The Cluster virtual IP configuration section allows for adding new virtual interfaces with virtual IP addresses.

It is important that the exact same number of interfaces are configured on the master and worker and that the interfaces are configured in the same order.

Virtual IP	Virtual IP address of the cluster. This is the IP address the nodes in the cluster are sharing.
Netmask	The netmask defining the virtual IP's subnet. The netmask should be the same as the netmask assigned to the IP address of the physical interface to which Inbound Traffic is bound.
Interface Drop down list	Which interface to bind the cluster intrface to.. Options System interfaces Default First interface in the list
Type Drop down list	The type of the virtual IP. Options `FAILOVER MASTER` and `FAILOVER BACKUP` Default `FAILOVER MASTER` To configure a failover IP address, on the master select `FAILOVER MASTER` and on the worker select FAILOVER BACKUP. See the examples below for more information.

Synchronization configuration

When Web Security Manager nodes are running a cluster one of the Web Security Manager nodes can be designated the TEACH role and the worker the LEARN role .

In order to keep load balancing and backup nodes up-to-date with the current configuration the TEACHER is keeping the LEARNER updated with changes to configured websites.

To keep the synchronization packages private in the cluster the messages are encrypted using a password as key. Synchronization messages can be sent using either MULTICAST or UNICAST.

Enable proxy settings synchronization Check box	Enable or disable proxy settings synchronization. If enabled, Web Security Manager will synchronize the current ACL database and other parameters with other Web Security Manager nodes.
Mode Drop down list	Synchronization role. If set to `Teach`, this Web Security Manager will multicast the ACL database to other Web Security Manager installations. If set to `Learn`, this Web Security Manager will update it's ACL database according to synchronization messages from other Web Security Manager installations. Synchronization settings affects the operation of the `Learner`. When synchronization is enabled and the node synchronization mode is set to `Learn`, the node will not sample learn data but wait for the node master to dispatch a policy. You need to configure an interface that will be used for synchronization before the ACL database synchronization will be activated.
Password Input field	Password used for synchronization message authentication. Valid input Any string. A long password is recommended as it do not have to be memorable by humans. Input example `98974953Q38512432324CU4859229842784` Default value `none`
Protocol Drop down list	Synchronization network protocol. Options `MULTICAST` `UNICAST` Default `MULTICAST` The MULTICAST method is selected by default. This method is the easiest to configure but as the name suggests the messages are sent to all nodes within the network and may not always work in complex networks. To keep network traffic at a minimum and to make things work in complex networks UNICAST should be preferred. This method requires the LEARN node to be specified on the TEACH node. When sending synchronization messages using UNICAST the TEACHER sends the messages directly to the LEARNERS ip address using UDP.
Sync type Drop down list	How websites are synchronized are synchronized in a cluster. Options `FULL SYNC` `TEMPLATE` Default `FULL SYNC` This option applies to learning nodes and controls how websites are synchronized. FULL SYNC Everything, including "Listen IP", backend servers and health checking configuration is synchronized. For HTTPS websites and HTTP websites configured to listen to a specific IP address it is required that the same IP addresses are configured on the learn node - typically in the form of a Cluster IP address configured for high availability or load balancing. Otherwise configuring the proxy core will fail. TEMPLATE When new website configuration is received by worker node: All information, including listen IP is included but website is created with disabled status meaning it will not served by the learning node until the website is enabled in ADC : Virtual Host . When synchronizing changes Listen IP, backend server configuration, load balancing settings and health checking configuration will not be synchronized. This allows for synchronizing across datacenters or for synchronizing a cluster that is used in combination with a network load balancer.
Peer(s) Input field	The IP address(es) of the other node(s) in the cluster. This input field is disabled if `MULTICAST` is selected. In this case it displays the multicast address which cannot be changed. Valid input The IP address(s) of the corresponding node(s) in the cluster - i.e. on the TEACHER it should be the LEARNER(s) and vice versa. Note that the IP address should be the IP address assigned to the network interface to which synchronization is bound on the corresponding node. To synchronize to more than one LEARNER node using UNICAST add a list of LEARNER IP addresses separated by comma or space. Default value `none`

Cluster configuration examples

Below are given examples of configuring a high availability cluster running in active/passive mode and a "self load balancing" cluster running in active/active mode.

Configuring a fail-over cluster

To configure a fail-over (active/passive) cluster of two Web Security Manager nodes do the following:

Node 1 configuration

Create a FAILOVER-MASTER interface by doing the following:

In Cluster virtual IP configuration enter the virtual IP address of the cluster in the the Virtual IP field.
In Netmask enter the netmask specifying the subnet for the virtual ip.
Select the interface to bind the cluster interface to. If the configured cluster IP is within one of the system interfaces' netmask the system interface with the mask that matches must be selected.
In the Type drop-down menu select FAILOVER-MASTER.
Click the Add virtual IP button.

Enable cluster synchronization and designate the role TEACH in the Synchronization configuration section:

Select Enable proxy settings synchronization
Select TEACH in the Mode drop-down.
Enter a password for the cluster in the Password field.
In the Protocol drop-down select the default MULTICAST
Click the Save button.

Node 2 configuration

Create a FAILOVER-BACKUP interface for the same virtual IP by doing the following:

In Cluster virtual IP configuration enter the virtual IP address of the cluster in the Virtual IP field.
In Netmask enter the netmask specifying the subnet for the virtual ip.
Select the interface to bind the cluster interface to. If the configured cluster IP is within one of the system interfaces' netmask the system interface with the mask that matches must be selected.
In the Type drop-down menu select FAILOVER-BACKUP.
Click the Add virtual IP button.

Enable cluster synchronization and designate the role LEARN in the Synchronization configuration section:

Select Enable proxy settings synchronization
Select LEARN in the Mode drop-down.
Enter the same cluster password as for node 1for the cluster in the Password field.
In the Protocol drop-down select the default MULTICAST
Click the Save button.

The cluster can also be configured to synchronize and maintain fail-over state using UNICAST targeting a specific peer IP see Synchronization configuration and Cluster virtual IP configuration for more information.

VRRP Interfaces

The VRRP Interfaces configuration section provides an overview of VRRP interfaces and allows for post configuration.

ID	The VRRP interface id on the node.
VIP	Virtual IP address of the cluster. This is the IP address the nodes in the cluster is sharing.
Netmask	The netmask defining the virtual IP's subnet.
VHID Input field	Virtual host identifier number of the VRRP group. On each Web Security Manager node VHIDs are required to be unique. VHIDs identify cluster groups accros Web Security Manager nodes. The same VHIDs are therefore required to be configured on both cluster nodes. Valid input An even integer in the range 2-254 Default value `Next available VHID number`
Interface	The physical network interface the VRRP interface is bound to.
State	State of the VRRP interface can be either `MASTER` or `BACKUP`. If a VRRP interface with a low priority (automatically set when selecting the types FAILOVER-BACKUP or LOADBALANCE-FAILOVER) is assuming the role of MASTER then probably the original MASTER node is experiencing problems.
Priority Input field	The priority of the interface in the VRRP group. Do not edit this property unless you are familiar with the VRRP protocol. The priority itself is an abstraction over the `advskev` VRRP parameter. When setting `priorityadvskev` is calculated as `254 - priority`. Interfaces of type FAILOVER-MASTER are configured with a high priority and interfaces of type FAILOVER-BACKUP are configured with a lower priority. Valid input An integer in the range 1-254 Default value `FAILOVER-MASTER: 254` `FAILOVER-BACKUP: 154`