Configure active-passive HA using QuickHA

How to use QuickHA to configure an active-passive HA cluster.

To configure active-passive QuickHA, do as follows:

Caution You must make sure that both appliances have different IP addresses initializing the QuickHA mode. For example, you can't have both devices using the default 172.16.16.16 address.
  1. Connect the XG Firewall devices using a network cable plugged into the dedicated HA port on both units.
  2. Sign in to the web admin console of the primary XG Firewall device and go to System services > High availability.
  3. Select Primary (Active-Passive) as the Initial device role
  4. Ensure QuickHA is selected. You’ll see default settings (which you can change), as described in the steps that follow.
  5. QuickHA generates a passphrase automatically. You can also change the passphrase manually.
    Note The passphrase is used only once to generate the SSH keys used to encrypt communication over the HA link. It's then deleted.
  6. QuickHA selects a dedicated HA link automatically. You can also select an interface manually.

    By default, QuickHA selects the first unbound interface. If this isn't available, it uses the first DMZ port. This interface is renamed QuickHA mode interface and is assigned an IPv4 address from the link local range, 169.254.0.0/16.

    QuickHA assigns the peer administration port based on the interface you're currently using to access XG Firewall WebAdmin. For example, if you're connected to PortA, this interface becomes the peer administration port on both XG Firewall devices.

    Caution If QuickHA selects a DMZ port that’s already in use, its current configuration will be overwritten.
  7. Click Initiate HA.
  8. Sign in to the web admin console of the auxiliary XG Firewall device and go to System services > High availability.
  9. Select Auxiliary as the device role.
  10. Select QuickHA and enter the same passphrase used on the primary XG Firewall device.
  11. Click Initiate HA. You see a message about the configuration being overwritten. This is because the configuration will be synchronized from the primary XG Firewall device.