You can establish an HA link pair with one of the following methods:
- Directly, using a crossover cable.
- Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
- Using a link aggregation switch in LACP 802.3ad mode and connecting XG Firewall in bridged mode.
Note: Use a network medium that is capable of forwarding non-routable multicast packets.
Prerequisites
- Cables to all the monitored ports on both devices must be connected.
- The devices in the HA cluster must be the same model and revision.
- The devices must be registered.
- The devices must have the same number of interfaces.
- The devices must have the same firmware version installed (including maintenance releases and hot fixes).
- For an active-active configuration, one license for each device is required.
- For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
- The devices must have the same subscription modules enabled.
- Secure the network that carries the HA link, because the communication channel between HA nodes is unencrypted.
- On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ, and must have a unique IP address. SSH access on the DMZ zone must also be enabled for both XG Firewall devices.
- DHCP and PPPoE configuration must be disabled before attempting HA configuration.
- HA link latency increases with distance. We recommend that you disable spanning tree protocol (STP) on the dedicated HA link.
- On the switch, adjust the link activation time on each port that connects to a firewall interface. This applies if the Ethernet switch uses spanning tree protocol (STP) or rapid spanning tree protocol (RSTP). For example, on a Cisco Catalyst-series switch, enable spanning tree portfast on each port that connects to a firewall interface.
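As an added example (not Sophos code), the following pre-flight check compares the facts from the list above for two devices before the pair is configured; the HaNode structure, its field names and the sample device values are constructed assumptions, not anything read from the firewall itself.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HaNode:  # facts an admin gathers from each XG Firewall (hypothetical, not a Sophos API)
    name: str
    model: str
    revision: str
    firmware: str               # full version incl. maintenance release and hotfix
    registered: bool
    interface_count: int
    licensed: bool
    subscriptions: frozenset
    ha_link_zone_type: str      # zone type of the dedicated HA link port
    ha_link_ip: str
    ssh_on_dmz: bool
    dhcp_or_pppoe_enabled: bool

def check_ha_prerequisites(primary, auxiliary, active_active=False):
    """Return the prerequisite violations found; an empty list means the pair may be configured."""
    problems = []
    # Attributes that must be identical on both devices.
    for attr, label in (("model", "model"), ("revision", "hardware revision"),
                        ("firmware", "firmware version"), ("interface_count", "interface count"),
                        ("subscriptions", "subscription modules")):
        a, b = getattr(primary, attr), getattr(auxiliary, attr)
        if a != b:
            problems.append(f"{label} differs: {a!r} vs {b!r}")
    # Requirements checked on each device.
    for node in (primary, auxiliary):
        if not node.registered:
            problems.append(f"{node.name}: device is not registered")
        if node.ha_link_zone_type != "DMZ":
            problems.append(f"{node.name}: HA link port is not in a DMZ-type zone")
        if not node.ssh_on_dmz:
            problems.append(f"{node.name}: SSH is not enabled on the DMZ zone")
        if node.dhcp_or_pppoe_enabled:
            problems.append(f"{node.name}: disable DHCP and PPPoE before configuring HA")
    if primary.ha_link_ip == auxiliary.ha_link_ip:
        problems.append("HA link ports must have unique IP addresses")
    # Licensing: the primary always needs one; the auxiliary only in active-active mode.
    if not primary.licensed:
        problems.append(f"{primary.name}: primary device needs a license")
    if active_active and not auxiliary.licensed:
        problems.append(f"{auxiliary.name}: active-active requires a license on each device")
    return problems

# Constructed sample pair: identical hardware, but the auxiliary is one maintenance release behind.
MODULES = frozenset({"Network Protection", "Web Protection"})
PRIMARY = HaNode("fw-a", "XG 310", "rev3", "18.0 MR-5", True, 8, True, MODULES, "DMZ", "10.255.0.1", True, False)
AUXILIARY = HaNode("fw-b", "XG 310", "rev3", "18.0 MR-4", True, 8, False, MODULES, "DMZ", "10.255.0.2", True, False)
```

Running `check_ha_prerequisites(PRIMARY, AUXILIARY)` on the sample pair reports only the firmware mismatch; passing `active_active=True` additionally flags the unlicensed auxiliary.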