High availability

High availability refers to the hardware configuration and settings that allow the firewall to continue functioning during a power loss, disk failure, or other event.

Note Support for HA varies according to device model. Check your device specifications.

To ensure continuous service, devices are deployed in a cluster. When the primary device in the cluster fails, the auxiliary takes over so that there is no interruption of firewall protection. The devices are physically connected over a dedicated HA link port.

You can check the HA status in the control center.

The process by which a device takes over when it does not receive communication from its peer within the specified time is known as device failover.

Peers in an HA cluster continuously monitor the dedicated HA link and the interfaces configured to be monitored. If any monitored port goes down, the device will leave the cluster and link failover will occur.

During device failover or link failover, session failover occurs for forwarded TCP traffic that is not passing through a proxy service. This doesn't apply to virus scanning sessions in progress, VPN sessions, UDP, ICMP, multicast, broadcast sessions, and proxy traffic.

The HA configuration status is displayed at the top of the page with the following possibilities:

Status

Description

HA not configured

High availability is not configured on this device.

HA configured

High availability has been configured on this device. When high availability is configured you will also see the status of each device in the cluster.

When HA is configured the devices in the cluster can have the following status:

Status

Description

Active

The device is active and connected. In an active-active system both the primary and auxiliary device will show as active.

Standby

Shown against the auxiliary device in an active-passive system. The device is connected and ready for failover.

Standalone

The device is not currently part of a high availability cluster. This could be because the connection to the auxiliary device has been lost.

Faulty

The device is faulty. The cluster will not work as an high availability system until the faulty node has been recovered to a working state.

High availability configuration modes

HA can be configured in two ways as described below:

Configuration mode

Description

QuickHA

QuickHA provides a way to easily set up a high availability system with minimum configuration steps by automatically selecting default configuration values.

Interactive mode

Interactive mode allows you more control over the HA settings. In this mode you can choose parameters that would otherwise be automatically selected when using QuickHA, such as assigned virtual MAC address and peer administration settings.

In this mode the devices are configured in sequence with the auxiliary device configured first followed by the primary.

When HA is active, updating the following settings won't result in downtime:

  • Cluster ID.
  • Monitoring ports.
  • Peer administration port.
  • Using the hypervisor-assigned MAC address.
  • Fail back to the primary device.
  • Keepalive timer.
  • Keepalive attempts.