Description:
To improve availability, two Unified Firewalls can be set up as an HA cluster (High Availability). One Firewall acts as the Master and the other as the Slave. The configuration as well as status information is synchronized from the Master Firewall to the Slave Firewall.
If the Master Firewall fails, the Slave Firewall becomes the new Master and takes over all network communication. To announce the new MAC address, a Gratuitous ARP packet is sent on each network.
TCP connections are tracked via Connection Tracking and are synchronized to the Slave Firewall. However, UTM functions such as IDS/IPS cannot be synchronized. Thus, after a role change, all existing connections that are being scanned by a UTM function are interrupted.
The IP address range used for the "Cluster Interconnect" must not be used anywhere else (e.g. for the local network). Otherwise this will lead to routing problems!
Requirements:
An HA cluster can only be used in a scenario with a series connection or in stand-alone operation.
Scenario:
Procedure:
1) Configuration of the Master Firewall:
1.1) Open the configuration of the Unified Firewall in a browser and go to the menu Network → Connections → Network Connections.
A dedicated Ethernet port is required to set up an HA cluster. Therefore, if the intended interface is already in use, delete the Network Connection that is not needed (in this example, the Network Connection assigned to the interface eth3 has to be deleted).
1.2) Go to the menu Firewall → High Availability.
1.3) Activate the function High Availability via the slider and change the following parameters:
1.4) The configuration of the Master Firewall is thereby complete.
2) Configuration of the Slave Firewall:
2.1) Make sure that the same Ethernet port as on the Master Firewall is available for the synchronization. Delete a Network Connection if necessary (see step 1.1).
For the function High Availability, the use of the same Ethernet ports is mandatory, as the configuration is identical.
2.2) Activate the function High Availability via the slider and change the following parameters:
2.3) The configuration of the Slave Firewall is thereby complete. The synchronization is now initiated.
After the configuration has been synchronized, the Slave Firewall can no longer be reached via its web interface!
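The preconditions spelled out above (a free, identical Ethernet port on both units for the Cluster Interconnect, and an interconnect address range that is not reused by any local network) can be checked before touching the devices. The following script is an added example, not a LANCOM tool; the interface-to-subnet tables and the interconnect range in it are constructed placeholders, not values from the article.

```python
"""Pre-flight check for a Unified Firewall HA cluster (added example, constructed data)."""
import ipaddress


def find_ha_conflicts(master_nets, slave_nets, ha_interface, interconnect):
    """Return a list of problems found; an empty list means the HA preconditions hold.

    master_nets / slave_nets: dict mapping interface name -> IPv4 address/prefix of the
                              Network Connection on that interface (constructed sample data)
    ha_interface:             Ethernet port reserved for the Cluster Interconnect, e.g. "eth3"
    interconnect:             CIDR range chosen for the Cluster Interconnect
    """
    problems = []
    link = ipaddress.ip_network(interconnect, strict=False)
    for unit, nets in (("Master", master_nets), ("Slave", slave_nets)):
        # Steps 1.1 / 2.1: the HA port must not carry a Network Connection on either unit.
        if ha_interface in nets:
            problems.append(f"{unit}: interface {ha_interface} still has a Network Connection "
                            f"({nets[ha_interface]}); delete it first")
        # Interconnect range must not be reused for a local network, or routing breaks.
        for iface, cidr in nets.items():
            net = ipaddress.ip_network(cidr, strict=False)
            if net.overlaps(link):
                problems.append(f"{unit}: {iface} network {net} overlaps the "
                                f"Cluster Interconnect range {link}")
    # Note in step 2.1: both units must use the same Ethernet ports, since the
    # synchronized configuration is identical on Master and Slave.
    if set(master_nets) != set(slave_nets):
        problems.append(f"Interfaces in use differ: Master {sorted(master_nets)} "
                        f"vs Slave {sorted(slave_nets)}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration: eth3 is free on both units, as in the article.
    master = {"eth0": "192.168.1.1/24", "eth1": "10.0.0.1/24"}
    slave = {"eth0": "192.168.1.2/24", "eth1": "10.0.0.2/24"}
    for problem in find_ha_conflicts(master, slave, "eth3", "10.99.99.0/30"):
        print(problem)
    print("check finished")
```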