CloudGen Firewalls are organized into a two-level hierarchy on the Firewall Control Center: Ranges and Clusters.
These two levels are in a relation of 1:n. In other words, one range can include any number of clusters. The maximum number of ranges and clusters depends both on the type of Control Center and on additional licenses that can be obtained upon request.
The maximum number of ranges and clusters differs between the following Control Centers:
VC Editions – Virtual appliances for use on hypervisor platforms
- VC400 Standard Edition – One range (tenant), three clusters (configuration groups), and unlimited managed firewalls. Additional ranges can be obtained through licenses.
- VC610 Enterprise Edition – Two ranges (tenants), unlimited clusters (configuration groups), and unlimited managed firewalls. Additional ranges can be obtained through licenses.
- VC820 Global Edition – Five ranges (tenants), unlimited clusters (configuration groups), and unlimited managed firewalls. Additional ranges can be obtained through licenses.
VCC Editions – Virtual appliances for use in public clouds
- VCC400 Standard Edition – One range (tenant), three clusters (configuration groups), and unlimited managed firewalls.
- VCC610 Enterprise Edition – Two ranges (tenants), unlimited clusters (configuration groups), and managed firewalls.
Usage of Ranges and Clusters
One common use is to create ranges for regions such as North America and EMEA, and then to create clusters for each country in the region. Configuration and default settings shared by multiple CloudGen Firewalls can be configured on the cluster or range level. To create reusable configurations for multiple firewalls, use a repository. The configuration of an individual system can then be linked or copied from a range or global repository, making it easy to deploy a change to all managed systems.
Create a Range
You must create at least one range on a Control Center.
- Click the CONFIGURATION tab.
- Right-click Multi-Range and select Create Range.
- Enter a Range Number.
- (optional) Enter a Description.
- (optional) Enter the contact details in the Contact Info field.
- Configure the range properties as described in the Specific Settings section.
- Click Next.
- (optional) Enter the owner and purchase details in the information sections.
- Click Finish.
- Click Activate.
Remove a Range
- Click the CONFIGURATION tab.
- Right-click the range you wish to remove and click Lock.
- Right-click the range and select Remove Range.
- Click OK to confirm the deletion.
- Click Activate.
Create a Cluster
Unless you are using a Standard Edition Control Center, there is no limit on how many clusters you can create. For migration purposes only, Control Center editions that allow only one cluster permit an additional migration cluster with the default name migrate. This cluster is not intended for production use.
- Click the CONFIGURATION tab.
- Expand Multi-Range, right-click your desired range, and select Create Cluster.
- Select the software release of the CloudGen Firewalls that should be managed, and click OK.
- Enter a Cluster Name. Cluster names must be unique in the range.
- Enter a Description.
- (optional) Enter the contact details.
- (optional) Configure the cluster properties as described in the Specific Settings section.
- Click Next.
- (optional) Enter the owner and purchase details in the information sections.
- Click Finish.
- Click Activate.
Remove a Cluster
- Click the CONFIGURATION tab.
- Navigate to the cluster you wish to remove.
- Right-click the cluster and, in the context menu, select Lock.
- Right-click the cluster and, in the context menu, select Remove Cluster.
- Click OK.
- Click Activate.
Range-Specific and Cluster-Specific Settings
Each range and cluster can override global settings by using its own configuration interface. When these settings are enabled, their scope is limited to the range or cluster they are set for.
Migrating the Configuration
Migration can only be performed at the next major firmware version (5.4 > 6.0 > 6.1 > 6.2 > 7.0 > 7.1 > 7.2 > 8.0 > etc).
You must migrate your configuration in the following order:
- Update the Control Center firmware.
- Update all managed firewalls within a cluster.
- Migrate the cluster version.
Migrating a Repository-Linked Firewall
If you are using a repository, you must prepare the repository-linked firewalls before migration.
For information, see How to Prepare Repository Linked Box Configurations for Migration.
- Click the CONFIGURATION tab.
- Expand Multi-Range and navigate to the desired object in the Repository tree.
- Right-click the object and click Lock.
- Right-click the object and select Migrate Node.
- Select the destination major firmware version.
- Click OK.
- Click Activate.
Migrate a Cluster or Range
Clusters can only be migrated to a higher firmware version. You cannot downgrade a cluster configuration.
- Click the CONFIGURATION tab.
- Navigate to the cluster or range you wish to migrate.
- Right-click the cluster or range and click Lock.
- Right-click the cluster or range and select Migrate Cluster / Migrate Range.
- Choose the version number as the migration destination, and click OK to confirm the migration.
- Review the future configuration.
- Click Activate.
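The migration rules above (one major version per step, Control Center first, then all firewalls in the cluster, then the cluster version, no downgrades) can be checked against an inventory before anyone locks a node. The following is an added planning sketch, not Barracuda code: the function name, the inventory format, and the reading that each unit must run at least the version of the hop are assumptions, and the version list contains only the releases named on this page.

```python
# Added example: plan a cluster migration under the rules stated on this page.
# The version chain is the one listed on the page; later releases are omitted.
MAJOR_CHAIN = ["5.4", "6.0", "6.1", "6.2", "7.0", "7.1", "7.2", "8.0"]

# Constructed inventory for illustration (hypothetical firewall names).
SAMPLE_FIREWALLS = {"fw-berlin": "8.0", "fw-vienna": "7.1"}


def plan_cluster_migration(cluster_version, target, cc_firmware, firewall_firmware):
    """Return (hops, blockers) for moving a cluster to `target`.

    firewall_firmware maps a firewall name to the major version it runs.
    All values are supplied by the caller; nothing is queried from a
    Control Center.
    """
    for v in [cluster_version, target, cc_firmware, *firewall_firmware.values()]:
        if v not in MAJOR_CHAIN:
            raise ValueError(f"unknown major version: {v}")
    idx = MAJOR_CHAIN.index
    if idx(target) < idx(cluster_version):
        raise ValueError("cluster configurations cannot be downgraded")

    # One hop per major version: 7.1 -> 8.0 means 7.1 -> 7.2 -> 8.0.
    hops = MAJOR_CHAIN[idx(cluster_version) + 1 : idx(target) + 1]
    blockers = []
    for hop in hops:
        # Step 1: the Control Center firmware is updated first.
        if idx(cc_firmware) < idx(hop):
            blockers.append(f"{hop}: update Control Center (runs {cc_firmware})")
        # Step 2: every managed firewall in the cluster is updated next.
        for name, fw in sorted(firewall_firmware.items()):
            if idx(fw) < idx(hop):
                blockers.append(f"{hop}: update firewall {name} (runs {fw})")
        # Step 3: only then is the cluster version migrated to this hop.
    return hops, blockers


if __name__ == "__main__":
    hops, blockers = plan_cluster_migration("7.1", "8.0", "8.0", SAMPLE_FIREWALLS)
    print("hops:", " > ".join(hops))
    for b in blockers:
        print("blocked at", b)
```

An empty blocker list means every hop in the returned path satisfies the update order; a non-empty list names the unit to update before the cluster is migrated to that hop.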
Migrate Multiple Clusters and Ranges
- Click the CONFIGURATION tab.
- Right-click Multi-Range and select Migrate Clusters / Migrate Ranges from the context menu.
- Select the nodes to be migrated while holding down the SHIFT key.
- Click OK to confirm the migration.
- Click Activate.
Migrate Global Firewall Objects
When upgrading a firewall to a newer version, you must also migrate the ruleset and the global firewall objects to the new feature level.
- Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > Firewall Objects.
- Click Lock.
- Expand the Settings menu on the left and select Setup. The Ruleset Setup window opens.
- Select the new Feature Level from the drop-down list.
- Click OK to confirm the migration.
- Click Send Changes and Activate.