diff --git a/build_num b/build_num
index a62a32961..795c75df9 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2398
+#define BUILD_NUM 2399
diff --git a/doc/ChangeLog b/doc/ChangeLog
index d0eb2017c..fcac2791f 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,10 @@
 2010-01-20  vadim  <vadim@vk.crocodile.org>
 
+	* CompilerDriver.cpp (CompilerDriver::validateClusterGroups):
+	fixes #1119 "add test for the integrity of failover cluster
+	groups".  Compilers require all failover group objects to be
+	configured with interfaces of member firewalls.
+
 	* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
 	fixes #1120 "redundant commands generated for ssh
 	access". Compiler for PIX generated two "ssh address netmask
diff --git a/src/compiler_lib/CompilerDriver.cpp b/src/compiler_lib/CompilerDriver.cpp
index fd7e153e8..fbe28104a 100644
--- a/src/compiler_lib/CompilerDriver.cpp
+++ b/src/compiler_lib/CompilerDriver.cpp
@@ -673,8 +673,9 @@ void CompilerDriver::validateClusterGroups(Cluster *cluster)
         string state_sync_type = (*it)->getStr("type");
         if (!isSupported(&state_sync_protocols, state_sync_type))
         {
-            QString err("State sync group type %1 is not supported");
-            throw FWException(err.arg(state_sync_type.c_str()).toStdString());
+            QString err("State sync group type '%1' is not supported");
+            abort(cluster, NULL, NULL, err.arg(state_sync_type.c_str()).toStdString());
+            throw FatalErrorInSingleRuleCompileMode();
         }
     }
 
@@ -686,11 +687,23 @@ void CompilerDriver::validateClusterGroups(Cluster *cluster)
     list<FWObject*> failover_groups = cluster->getByTypeDeep(FailoverClusterGroup::TYPENAME);
     for (list<FWObject*>::iterator it = failover_groups.begin(); it != failover_groups.end(); ++it)
     {
-        string failover_type = (*it)->getStr("type");
+        FWObject *failover_group = *it;
+        FWObject *parent = failover_group->getParent();
+        string failover_type = failover_group->getStr("type");
         if (!isSupported(&failover_protocols, failover_type))
         {
-            QString err("Failover group type %1 is not supported");
-            throw FWException(err.arg(failover_type.c_str()).toStdString());
+            QString err("Failover group type '%1' is not supported");
+            abort(cluster, NULL, NULL, err.arg(failover_type.c_str()).toStdString());
+            throw FatalErrorInSingleRuleCompileMode();
+        }
+
+        list<FWObject*> l2 = failover_group->getByTypeDeep(FWObjectReference::TYPENAME);
+        if (l2.size() == 0)
+        {
+            QString err("Failover group of cluster interface '%1' is empty");
+            abort(cluster, NULL, NULL,
+                  err.arg(parent->getName().c_str()).toStdString());
+            throw FatalErrorInSingleRuleCompileMode();
         }
     }
 }
diff --git a/test/ipt/cluster-tests.fwb b/test/ipt/cluster-tests.fwb
index 58fb9a4a5..806144831 100644
--- a/test/ipt/cluster-tests.fwb
+++ b/test/ipt/cluster-tests.fwb
@@ -1195,7 +1195,7 @@
           <ClusterGroupOptions/>
         </StateSyncClusterGroup>
       </Cluster>
-      <Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1263355432" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls.  See ticket #372 for explanation.&#10;" ro="False">
+      <Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1264020601" lastInstalled="0" lastModified="1263355432" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls.  See ticket #372 for explanation.&#10;" ro="False">
         <NAT id="id3587X13311" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id3588X13311" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -1624,7 +1624,7 @@
           </ClusterGroupOptions>
         </StateSyncClusterGroup>
       </Cluster>
-      <Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1248541096" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
+      <Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1264020603" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
         <NAT id="id3941X13563" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id5083X25627" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -2286,7 +2286,7 @@
       <ServiceGroup id="id1513X69605" name="TagServices" comment="" ro="False"/>
     </ServiceGroup>
     <ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
-      <Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment="  " ro="False">
+      <Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1264020603" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment="  " ro="False">
         <NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
@@ -2454,7 +2454,7 @@
           <Option name="verify_interfaces">True</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
+      <Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1264020603" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
         <NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
@@ -2999,7 +2999,7 @@
           <Option name="verify_interfaces">True</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1251482998" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
+      <Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1264020604" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
         <NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
diff --git a/test/pix/cluster-tests.fwb b/test/pix/cluster-tests.fwb
index 900b77b49..d95b25570 100644
--- a/test/pix/cluster-tests.fwb
+++ b/test/pix/cluster-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1258406412" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1264019328" id="root">
   <Library id="sysid99" name="Deleted Objects" comment="" ro="False">
     <Interface id="id3213X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
       <InterfaceOptions>
@@ -698,6 +698,230 @@
           </ClusterGroupOptions>
         </StateSyncClusterGroup>
       </Cluster>
+      <Cluster id="id56535X61097" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264019437" platform="pix" name="cluster1-1" comment="the same as cluster1, but some failover groups are unconfigured or broken in some way" ro="False">
+        <NAT id="id56688X61097" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <NATRule id="id56689X61097" disabled="False" position="0" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id56556X61097"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
+          <RuleSetOptions/>
+        </NAT>
+        <Policy id="id56589X61097" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id56590X61097" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
+            <Src neg="False">
+              <ObjectRef ref="id56535X61097"/>
+              <ObjectRef ref="id2385X39486"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id56556X61097"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id56603X61097" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
+            <Src neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id56535X61097"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="tcp-SSH"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id56615X61097" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
+            <Src neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id56535X61097"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="tcp-SSH"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id56627X61097" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
+            <Src neg="False">
+              <ObjectRef ref="id2735X69605"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="udp-DNS"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id56639X61097" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
+            <Src neg="False">
+              <ObjectRef ref="id56535X61097"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="udp-DNS"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id56651X61097" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id56535X61097"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id56663X61097" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id56675X61097" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id56704X61097" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </Routing>
+        <Interface id="id56545X61097" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="" ro="False">
+          <InterfaceOptions>
+            <Option name="iface_mtu">1500</Option>
+            <Option name="type">vrrp</Option>
+          </InterfaceOptions>
+          <FailoverClusterGroup id="id56552X61097" type="none" name="cluster1:e1:members" comment="">
+            <ClusterGroupOptions>
+              <Option name="vrrp_secret">not so secret</Option>
+              <Option name="vrrp_vrid">100</Option>
+            </ClusterGroupOptions>
+          </FailoverClusterGroup>
+        </Interface>
+        <Interface id="id56556X61097" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="" ro="False">
+          <InterfaceOptions>
+            <Option name="iface_mtu">1500</Option>
+            <Option name="type">vrrp</Option>
+          </InterfaceOptions>
+          <FailoverClusterGroup id="id56563X61097" type="none" name="cluster1:e0.101:members" comment="">
+            <ClusterGroupOptions/>
+          </FailoverClusterGroup>
+        </Interface>
+        <Interface id="id56567X61097" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet2" comment="" ro="False">
+          <InterfaceOptions/>
+          <FailoverClusterGroup id="id56574X61097" master_iface="id2331X71781" type="pix_failover" name="Failover group" comment="">
+            <ObjectRef ref="id2331X71781"/>
+            <ObjectRef ref="id2946X39486"/>
+            <ClusterGroupOptions/>
+          </FailoverClusterGroup>
+        </Interface>
+        <Interface id="id56578X61097" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="" ro="False">
+          <InterfaceOptions/>
+          <FailoverClusterGroup id="id56585X61097" master_iface="id3817X97641" type="none" name="cluster1:e0.102:members" comment="">
+            <ObjectRef ref="id3817X97641"/>
+            <ObjectRef ref="id3315X97641"/>
+            <ClusterGroupOptions/>
+          </FailoverClusterGroup>
+        </Interface>
+        <FirewallOptions/>
+        <StateSyncClusterGroup id="id56707X61097" master_iface="id2331X71781" type="pix_state_sync" name="State Sync Group" comment="">
+          <ObjectRef ref="id2331X71781"/>
+          <ObjectRef ref="id2946X39486"/>
+          <ClusterGroupOptions>
+            <Option name="pix_failover_key">super_secret</Option>
+          </ClusterGroupOptions>
+        </StateSyncClusterGroup>
+      </Cluster>
     </ObjectGroup>
     <ObjectGroup id="id1496X69605" name="Objects" comment="" ro="False">
       <ObjectGroup id="id1497X69605" name="Addresses" comment="" ro="False">