HA prerequisites
You can establish an HA link pair with one of the following methods:
- Directly, using a crossover cable.
- Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
- Using a link aggregation switch in LACP 802.3ad mode and connecting XG Firewall in bridged mode.
Note Use the network medium that is capable of forwarding non-routable multicast
packets.
Prerequisites
- Cables to all the monitored ports on both devices must be connected.
- The devices in the HA cluster must be the same model and revision.
- The devices must be registered.
- The devices must have same number of interfaces.
- The devices must have the same firmware version installed (including maintenance releases and hot fixes).
- For an active-active configuration, one license for each device is required.
- For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
- The devices must have the same subscription modules enabled.
- Secure your network deployment as the communication channel between HA nodes is unencrypted.
- On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ, and must have a unique IP address. Also, SSH must be enabled for both devices on the DMZ zone.
- Access over SSH on the DMZ zone must be enabled for both XG Firewall devices.
- DHCP and PPPoE configuration must be disabled before attempting HA configuration.
- HA link latency increases with distance. We recommend that you disable spanning tree protocol (STP) on the dedicated HA link.
- In the switched interface, adjust the link activation time on each port that connects to the firewall interface. This is valid if the Ethernet switch uses spanning tree protocol (STP) or rapid spanning tree protocol (RSTP). For example, on a Cisco Catalyst-series switch, enable spanning tree portfast on each port that connects to the firewall interface.