WildFire Cluster High Availability
High availability is a crucial advantage of WildFire appliance clusters because HA prevents the loss of critical data and services. An HA cluster copies and distributes critical data, such as analysis results, reports, and signatures, across nodes so that a node failure does not result in data loss. An HA cluster also provides redundant critical services, such as analysis functionality, WildFire API, and signature generation, so that a node failure doesn’t interrupt service. A cluster must have at least two nodes to provide high availability benefits. Cluster node failure doesn’t affect firewalls, because firewalls registered to a failed node use the cluster registration list to register with another cluster node.
Each of the two devices in the HA pair is configured by the user as a primary and secondary appliance. Based on this initial priority value configuration, WildFire also assigns an operational status of active to the primary appliance and passive to the secondary device. This status determines which WildFire appliance is used as the point of contact for management and infrastructure controls. The passive device is always synchronized with the active appliance and is ready to assume that role should a system or network failure occur. For example, when the primary appliance in an active state (active-primary) suffers a failure, a failover event occurs and transitions to a passive-primary state, while the secondary appliance transitions to active-secondary. The originally assigned priority value remains the same regardless of the status of the appliance.
Failover occurs when the HA pair is no longer able to communicate with each other, becomes unresponsive, or suffers a fatal error. While the WildFire HA pair will attempt to auto-resolve minor disruptions, major events require user-intervention. Failover can also be triggered when a controller is suspended or decommissioned by the user.
Do not configure a cluster with only one controller node. Each cluster should have an HA controller pair. A cluster should have a single controller node only in temporary situations, for example, when you swap controller nodes or if a controller node fails.
In a two-node cluster HA pair, if one controller node fails, the other controller node cannot process samples. For the remaining cluster node to process samples, you must configure it to function as a standalone WildFire appliance: delete the HA and cluster configurations on the remaining cluster node and reboot the node. The node comes back up as a standalone WildFire appliance.
Three-node clusters operate a HA pair with the addition of server node to provide additional redundancy. The server operates the same database and server infrastructure services as a controller, but does not generate signatures. This deployment enables the cluster to function if a controller node fails.
Additional nodes that are added to a WildFire cluster function as a worker or server node. The third node is automatically configured as a server, while each subsequent addition is added as a worker.