Requirements and Prerequisites for Threat Defense Virtual Clustering

Model Requirements

  • FTDv5, FTDv10, FTDv20, FTDv30, FTDv50, FTDv100

  • VMware or KVM

  • In threat defense virtual 7.3 and earlier, a maximum of 4 nodes in a cluster in a 2x2 configuration is supported. You can set up a maximum of two hosts with a maximum of two threat defense virtual instances in each host.

Hardware and Software Requirements

All units in a cluster:

  • Must have jumbo frame reservation enabled for the cluster control link. Do this in the Day 0 configuration when you deploy the threat defense virtual by setting "DeploymentType": "Cluster". Otherwise, you must restart each node to enable jumbo frames after the cluster has formed and is healthy.

  • (KVM only) Must use CPU hard partitioning (CPU pinning) for all VMs on the KVM host.

  • Must be the same performance tier. We recommend using the same number of CPUs and memory for all nodes, or performance will be limited on all nodes to match the least capable node.

  • Must use the management interface for management center communications. Data interface management is not supported.

  • Must run the same version, except during upgrade. Hitless upgrade is supported.

  • Must be in the same group.

  • Must not have any deployment pending or in progress.

  • Must not have any unsupported features configured on the control node. See Unsupported Features and Clustering.

  • Must not have VPN configured on the data nodes. The control node can have site-to-site VPN configured.

Management Center Requirements

Make sure the management center NTP server is set to a reliable server that is reachable by all cluster nodes to ensure proper clock sync. By default, the device uses the same NTP server as the management center. If the time is not set to be the same on all cluster nodes, they can be removed automatically from the cluster.

Switch Requirements

Be sure to complete the switch configuration before you configure clustering. Make sure the ports connected to the cluster control link have the correct (higher) MTU configured. By default, the cluster control link MTU is set to 154 bytes higher than the data interfaces. If the switches have an MTU mismatch, the cluster formation will fail.
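
The following pre-flight check is an added example, not Cisco tooling: it runs several of the unit and switch requirements above against a node inventory before the cluster is formed. The inventory field names, the node() helper, and the sample values are hypothetical and constructed for illustration. Only "DeploymentType": "Cluster" and the 154-byte offset come from this page, and treating any switch port MTU below data MTU + 154 as a mismatch is an assumption.

```python
import json
from collections import Counter

CCL_MTU_OVERHEAD = 154  # page: default CCL MTU is 154 bytes above the data interfaces

def preflight(nodes, release_7_3_or_earlier=True):
    """Return a list of findings; an empty list means no requirement was violated."""
    findings = []
    for field in ("tier", "version"):
        if len({n[field] for n in nodes}) > 1:
            findings.append(f"cluster: nodes differ in {field}")
    if release_7_3_or_earlier:  # 2x2 limit: at most two hosts, two instances per host
        per_host = Counter(n["host"] for n in nodes)
        if len(per_host) > 2 or max(per_host.values(), default=0) > 2:
            findings.append("cluster: layout exceeds 2 hosts x 2 instances")
    for n in nodes:
        name = n["name"]
        if json.loads(n["day0"]).get("DeploymentType") != "Cluster":
            findings.append(f"{name}: Day 0 lacks DeploymentType Cluster (jumbo frames need a restart)")
        if n["hypervisor"] == "kvm" and not n["cpu_pinned"]:
            findings.append(f"{name}: KVM guest without CPU pinning")
        if n["role"] == "data" and n["vpn"]:
            findings.append(f"{name}: VPN configured on a data node")
        if n["pending_deploy"]:
            findings.append(f"{name}: deployment pending or in progress")
        needed = n["data_mtu"] + CCL_MTU_OVERHEAD
        if n["switch_ccl_mtu"] < needed:
            findings.append(f"{name}: switch CCL port MTU {n['switch_ccl_mtu']} < {needed}")
    return findings

def node(name, host, role, **overrides):
    """Build one constructed inventory record; field names are hypothetical."""
    base = dict(name=name, host=host, role=role, tier="FTDv30", version="7.3.0",
                hypervisor="kvm", cpu_pinned=True, vpn=False, pending_deploy=False,
                day0='{"DeploymentType": "Cluster"}', data_mtu=1500, switch_ccl_mtu=1654)
    base.update(overrides)
    return base

# Constructed sample: node-3 breaks three rules, the others are clean.
SAMPLE = [
    node("node-1", "host-a", "control", vpn=True),  # site-to-site VPN is allowed on control
    node("node-2", "host-a", "data"),
    node("node-3", "host-b", "data", day0="{}", cpu_pinned=False, switch_ccl_mtu=1500),
    node("node-4", "host-b", "data"),
]

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```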