HA prerequisites

You can establish an HA link pair with one of the following methods:
  • Directly, using a crossover cable.
  • Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
Note: Use a network medium that can forward non-routable multicast packets.

Prerequisites

  • Cables to all the monitored ports on both devices must be connected.
  • The devices in the HA cluster must be the same model and revision.
  • The devices must be registered.
  • The devices must have the same number of interfaces.
  • The devices must have the same firmware version installed (including maintenance releases and hot fixes).
  • For an active-active configuration, one license for each device is required.
  • For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
  • The devices must have the same subscription modules enabled.
  • The communication channel between HA nodes is unencrypted, so you must secure your network deployment.
  • On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ, and must have a unique IP address. Also, SSH must be enabled for both devices on the DMZ zone.
  • Access over SSH on the DMZ zone must be enabled for both XG Firewall devices.
  • DHCP and PPPoE configuration must be disabled before attempting HA configuration.
  • HA link latency increases with distance. We recommend that you disable spanning tree protocol (STP) on the dedicated HA link.
  • For the switch ports XG Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.