I have 2 MWGs. They were set up clustered for management purposes, but each one was in a different building on our campus. Each one handled authentication and each one had a separate internet connection. We are in the process of moving everything to one central location (one of the existing buildings). This is mostly due to centralizing our internet services. So currently, the MWG in the other building is just sitting there, with no traffic going through it. What I would like to do is shut it down, bring it over to this building, and put it in place here and use it for some sort of load balancing or HA setup. What is currently the best practice in this situation? I understand it might require some pro services but I am just trying to get a feel for what exactly is required.
The HA that comes with the product allows an active/active configuration. Both MWGs will share a single virtual IP address and both machines will handle the load. If one node goes down there may be a short interruption of only a few seconds, and the remaining box will continue filtering.
This setup may work fine for you, but it is important to mention that in case of a failure one node has to handle the complete load, so this does not work if two nodes are required to handle the traffic from a sizing perspective.
If this is not a problem, and there is not a downstream proxy/NAT device between the clients and MWG, this may be the easiest setup.
Certainly there are a lot of other ways to deploy, I guess someone else will have a different opinion 🙂
I would have to do some more research to see if one of them will handle the current traffic, as well as the expected traffic growth. Where can I find these specs to let me know what the limits are?
I think it may be as easy as
a) From the Config > Appliances tab on the master, delete the box from the other building from the appliances cluster
b) move the box. Reconfig it to its new IP if need be
c) re-add it to the cluster under Config> Appliances ... and I suspect the policy config will just work.
If you're using a shared VIP and failover, a talk with someone of L2 support horsepower should be all you need to configure the VIP. From the policy sharing perspective, these things seem pretty low drama yanking them out and re-adding them to a cluster.
If the IP isn't changing during the move, you may not have to do anything at all.