Connect new virtual auxiliary in active-passive HA

In active-passive HA, you can automatically establish HA when you set up a new virtual auxiliary device. You must initiate HA on the primary device and connect the new virtual appliance as an HA spare.

If both are existing firewalls, you can use QuickHA or interactive mode to establish HA.

In active-active HA, you configure HA on each device.

Device access

  1. Go to Administration > Device access.
  2. Select DMZ under SSH.
  3. Click Apply.

    The firewalls use the HA passphrase and establish an SSH tunnel between the dedicated HA links of the HA devices.

Configure HA on primary

  1. Sign in to the primary device's web admin console.
  2. Go to System services > High availability.
  3. Under Initial device role, select one of the following options:

    • Primary (active-passive)
    • Primary (active-active)
  4. Set HA configuration mode to Interactive mode.

  5. Optional: Enter a Cluster ID.

    The firewall automatically assigns this ID to both devices in the cluster. If your network has multiple HA clusters, assign a different ID to each cluster to prevent virtual MAC address conflicts. See HA modes and device roles.

  6. Optional: Change the node name.

  7. The firewall automatically generates a passphrase. Paste the passphrase you copied from the auxiliary device.
  8. Under Dedicated HA link, select a physical, VLAN, or LAG interface that belongs to the DMZ.
  9. Under Dedicated peer HA link IPv4 address, enter the auxiliary device's dedicated HA link address.

    Note

    Make sure the dedicated HA link IP addresses of both devices belong to the same subnet.

  10. Optional: Under Select ports to be monitored, you can select one or more from the following options to monitor if the device is available:

    • Physical interfaces
    • LAG interfaces
    • Unbound interfaces if they have VLAN configured. You can't select unbound interfaces if they don't have a VLAN.

    If a monitored port goes down, the device considers itself unavailable, and failover occurs.

  11. Specify the following Peer administration settings to access the auxiliary device's web admin console:

    1. Select an Interface.
    2. Enter an IPv4 address or IPv6 address.
  12. For Preferred primary device, select one of the HA devices.

    This device automatically becomes the primary device when it recovers after a failover. See Failing back to primary device.

    Tip

    We recommend that you select the initial primary device. In active-passive HA, only the initial primary device supports services, such as FastPath offloading. It also holds the licenses and is easy to identify.

  13. Enter the Keepalive request interval in milliseconds.

    The device sends a heartbeat over the dedicated link port to the peer device at these intervals. Heartbeats are used to determine if the peer device is available.

    Default: 250

  14. Enter the number of Keepalive attempts.

    Default: 16

    For example, if you enter a keepalive request interval of 250 milliseconds and keepalive attempts of 8, the device is declared dead after 250 ms × 8 = 2000 ms, that is, 2 seconds.

    Note

    You can't set the keepalive interval and keepalive attempts while the devices are in Standalone or Faulty statuses.

  15. Select Use host or hypervisor-assigned MAC address to use the MAC address assigned by the hypervisor.

    If you select the checkbox, you don't need to turn on promiscuous mode on the vSwitch. If you don't select the checkbox, see Accept MAC address changes.

  16. Click Initiate HA.

The following message appears: HA could not be enabled.

Set up the hot spare

To connect a new virtual appliance as the auxiliary and automatically configure HA, do as follows:

  1. Install a firewall instance using the same firmware version as the existing device.
  2. Start the firewall. The setup assistant appears.
  3. Under Default administrator's new password, enter a password and reenter it.
  4. Click Connect as HA spare.

    [Image: Registering virtual firewalls.]

  5. Enter the following details in the pop-up window:

    1. Peer serial number: Enter the serial number of the existing HA device you'll connect this device to.

      You can see it in the upper-left corner on Control center in the existing device.

    2. Passphrase: Enter the passphrase entered in the existing device's HA configuration.

    3. Dedicated HA link: Select the same interface used in the existing device.
    4. IP address: Enter an IP address that belongs to the same subnet as the existing device's dedicated HA link.
    5. Subnet mask: Select the same subnet mask used in the existing device.

      [Image: Auxiliary device's settings in virtual HA.]

  6. Click Apply.

  7. Click Continue.
  8. Review the summary and click Finish.

    The firewall creates the auxiliary device, assigns a serial number, and configures the interfaces for the dedicated HA link and the administration port.

    When you sign in to the auxiliary device, you can see its serial number in the upper-left corner on Control center. It starts with HAAUX, for example, HAAUXxxxxxxxxxx.

    The primary device shows Standalone status.

    [Image: Status on the primary virtual device in interactive mode for active-passive HA.]

  9. After a few minutes, refresh the auxiliary device's web admin console and sign in.

    You can see that HA is established.

    [Image: Status on the auxiliary device for active-passive HA after a refresh.]
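
The following pre-flight check is an added example, not part of the vendor's documentation or tooling. It validates the values you plan to enter in both procedures above (dedicated HA link addresses in the same subnet, a cluster ID not reused by another cluster) and reports how long the keepalive settings take to declare the peer dead. The function name, parameter names, and sample addresses are assumptions made for this example.

```python
import ipaddress


def check_ha_plan(primary_ip, auxiliary_ip, netmask,
                  keepalive_interval_ms=250, keepalive_attempts=16,
                  cluster_id=None, other_cluster_ids=()):
    """Return (problems, detection_ms) for a planned HA pair.

    Hypothetical helper: the arguments are the values you intend to type
    into the two web admin consoles. Defaults match the documented
    keepalive defaults (250 ms, 16 attempts).
    """
    problems = []
    primary = ipaddress.IPv4Interface(f"{primary_ip}/{netmask}")
    auxiliary = ipaddress.IPv4Interface(f"{auxiliary_ip}/{netmask}")

    # Both dedicated HA link addresses must belong to the same subnet.
    if primary.network != auxiliary.network:
        problems.append(f"{auxiliary.ip} is not in {primary.network}")
    if primary.ip == auxiliary.ip:
        problems.append("both devices use the same dedicated HA link address")

    # Network and broadcast addresses are not usable as host addresses.
    for iface in (primary, auxiliary):
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{iface.ip} is the network or broadcast "
                            f"address of {net}")

    # Each HA cluster on the network needs its own ID, otherwise the
    # clusters' virtual MAC addresses conflict.
    if cluster_id is not None and cluster_id in other_cluster_ids:
        problems.append(f"cluster ID {cluster_id} is already used by "
                        "another cluster")

    # Time until the peer is declared dead: interval x attempts.
    detection_ms = keepalive_interval_ms * keepalive_attempts
    return problems, detection_ms


if __name__ == "__main__":
    # Constructed sample plan: the auxiliary address is in the wrong subnet
    # and the cluster ID collides with an existing cluster.
    issues, ms = check_ha_plan("10.10.10.1", "10.10.11.2", "255.255.255.0",
                               250, 8, cluster_id=1, other_cluster_ids={1})
    print(f"peer declared dead after {ms} ms")
    for issue in issues:
        print("problem:", issue)
```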