Prerequisites and considerations

  • You must use the eth-0 interfaces (management ports) of the Advanced Threat Defense Appliances for cluster communication.
    Note: The eth-0 interfaces of all nodes must be in the same layer-2 (OSI) network, for better performance and to avoid network latency.
  • The nodes must be homogeneous regarding the following:
    • Advanced Threat Defense software version. The software versions of all nodes must exactly match.
    • Analyzer VMs. All nodes must have the same analyzer VMs.
      Note: Upon adding a node to a cluster, or upon modifying a VM profile of the Primary node, the VM configurations of the Primary node are pushed to the VMs in the secondary nodes, synchronizing all VMs in the cluster.
    • It is recommended that the DAT and engine versions of McAfee Anti-Malware Engine be the same on all nodes.
    • It is recommended that the DAT and engine versions of McAfee Gateway Anti-Malware Engine be the same on all nodes.
  • The nodes can be heterogeneous regarding the following:
    • Hardware. That is, you can create a cluster using a combination of ATD-3000 and ATD-6000 Appliances.
    • FIPS compliance. Regardless of role (Primary or Secondary), some nodes can be in FIPS mode and the rest in non-FIPS mode.
    Note: In Common Criteria (CC) mode, load balancing is not supported.
  • Use the IP address of the Primary node to submit files and to integrate with other products such as Network Security Platform, McAfee Email Gateway, Web Gateway and so on. If a Backup node is present in the cluster, these integrated products must be configured with the cluster IP address instead. The Primary node (the primary Advanced Threat Defense Appliance) acts as the external interface for the cluster; that is, from the standpoint of configuration and file submission, the Primary node is virtually associated with the IP address of the cluster. If you integrate Network Security Platform, Web Gateway or Email Gateway with the secondary nodes, those nodes function like standalone Advanced Threat Defense Appliances.
    Note: Integrating an Advanced Threat Defense cluster with Email Gateway is supported with release 3.4.2.
  • If the Primary node is down, the Backup node takes over. The Backup node must be in the same L2 network as the Primary node.
  • You can view the Analysis Status and Analysis Results of all nodes in the cluster from the Active node, that is, the Primary node or the Backup node.
  • You can wipe out all cluster-related configuration from a node and make it a standalone appliance. The clearlbconfig CLI command is used to destroy the cluster. It is permitted to run on any node (Primary, Backup or Secondary). Use this command when the normal means of removing a node (Remove Node or Withdraw From Cluster) does not remove that node from the cluster.
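The homogeneity and network rules above can be checked before a cluster is formed. The following pre-flight check is an added example, not McAfee tooling: it assumes a hand-built inventory of nodes (names, addresses and versions are constructed) and uses "same IP subnet on eth-0" as a proxy for "same layer-2 network", which is a necessary but not sufficient condition.

```python
from dataclasses import dataclass
from ipaddress import ip_interface

@dataclass(frozen=True)
class Node:
    name: str
    role: str              # "Primary", "Backup" or "Secondary"
    eth0: str              # management (eth-0) address with prefix, e.g. "10.1.2.10/24"
    sw_version: str        # Advanced Threat Defense software version
    analyzer_vms: frozenset
    am_dat: str            # McAfee Anti-Malware Engine DAT version
    gam_dat: str           # McAfee Gateway Anti-Malware Engine DAT version
    cc_mode: bool = False  # Common Criteria mode

def check_cluster(nodes):
    """Return (errors, warnings): errors block clustering, warnings are recommendations."""
    errors, warnings = [], []
    primaries = [n for n in nodes if n.role == "Primary"]
    if len(primaries) != 1:
        return ["exactly one Primary node is required"], warnings
    p = primaries[0]
    # Same eth-0 subnet approximates "same layer-2 network" (VLAN layout is not visible here).
    p_net = ip_interface(p.eth0).network
    for n in nodes:
        if n is p:
            continue
        if ip_interface(n.eth0).network != p_net:
            errors.append(f"{n.name}: eth-0 {n.eth0} is not in the Primary subnet {p_net}")
        if n.sw_version != p.sw_version:
            errors.append(f"{n.name}: software {n.sw_version} != Primary {p.sw_version}")
        if n.analyzer_vms != p.analyzer_vms:
            diff = sorted(n.analyzer_vms ^ p.analyzer_vms)
            errors.append(f"{n.name}: analyzer VM set differs from Primary: {diff}")
        if n.am_dat != p.am_dat:
            warnings.append(f"{n.name}: Anti-Malware DAT {n.am_dat} != Primary {p.am_dat}")
        if n.gam_dat != p.gam_dat:
            warnings.append(f"{n.name}: Gateway Anti-Malware DAT {n.gam_dat} != Primary {p.gam_dat}")
    for n in nodes:
        if n.cc_mode:
            errors.append(f"{n.name}: Common Criteria mode is on; load balancing is not supported")
    return errors, warnings

# Constructed inventory (not real appliances): the Secondary is on another subnet,
# lacks one analyzer VM and has an older Gateway Anti-Malware DAT.
NODES = [
    Node("atd-a", "Primary",   "10.1.2.10/24", "4.8.0", frozenset({"win10", "win7"}), "4211", "3302"),
    Node("atd-b", "Backup",    "10.1.2.11/24", "4.8.0", frozenset({"win10", "win7"}), "4211", "3302"),
    Node("atd-c", "Secondary", "10.1.3.12/24", "4.8.0", frozenset({"win10"}),         "4211", "3298"),
]
```

Running `check_cluster(NODES)` on the constructed inventory reports two blocking errors for atd-c (subnet and analyzer VM set) and one DAT warning; hardware model and FIPS mode are deliberately not compared, since the cluster may be heterogeneous in both.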