Interface requirements
Make sure the firewalls meet the interface requirements before you configure HA.
Firewall interfaces
See the physical and virtual interface configurations that support HA. HA supports some interface configurations, but you can't assign these to the dedicated HA link or administration ports.
Interface type | Active-passive | Active-active |
---|---|---|
DHCP DHCP prefix delegation | Only use static IP addresses for the dedicated HA link and administration ports. | Only use static IP addresses for all interfaces. |
PPPoE | Session failover doesn't occur. Only use static IP addresses for the dedicated HA link and administration ports. | Only use static IP addresses for all interfaces. |
Bridge interface | Can't use it for dedicated HA link. | Can't use it for dedicated HA link. |
Alias IP address | Can't use it for dedicated HA link. | Can't use it for dedicated HA link. |
Cellular WAN |
Note
HA can't be configured if you've turned on Cellular WAN. So, go to Network > Cellular WAN and turn it off.
Breakout interfaces
See how the primary device's breakout interface configurations are synchronized with the auxiliary device.
- When you configure breakout interfaces on primary device: Restart the primary device to apply the configuration, then restart the auxiliary device.
- Primary device has breakout interfaces: After the breakout configuration is synchronized to the auxiliary device, restart the auxiliary device for the configuration to take effect.
- Primary device doesn't have breakout interfaces: The auxiliary device's breakout interface configurations are deleted during synchronization.
HA port configuration
Dedicated HA link
-
Identify the DMZ ports you want to use for Dedicated HA link. They can be physical, VLAN, or LAG interfaces.
- Dependent configurations: Make sure they don't have dependent configurations. These configurations are deleted when HA is initiated.
- IP address: Make sure they belong to the same subnet but have a different IP address on the primary and auxiliary devices.
- IP assignment: Assign only static IP addresses to these interfaces.
-
Port and interface settings: To specify the advanced settings for the dedicated HA link port, go to Network > Interfaces, click Advanced settings for the interface and do as follows:
-
Specify the Port settings:
-
High-speed (25, 50, and 100 GbE) ports, which apply to XGS 8500 and XGS 7500 Series firewalls:
- Link mode: Select the same port speed and duplex as the connected device. It can be the connected port of a network device, such as a switch, or the peer HA device's dedicated HA link.
- Click Save to apply the settings to the appliance.
-
Edit the interface, click Show recommended settings, and click Load recommended configuration to automatically load the negotiation and Forward Error Correction (FEC) settings, and click Save.
Note
If the recommended settings are empty, turn off Auto-negotiation for media type and FEC.
-
For other ports, set Link mode to Automatic or the same port speed and duplex as the connected network device or the peer device.
-
-
Under Interface settings, use the default MTU and MSS options.
Note
If you select unbound interfaces for the dedicated HA link in QuickHA mode, verify the advanced settings after you configure HA. The firewall assigns these interfaces to the DMZ and resets the advanced settings.
For more information, see Configure physical interfaces.
-
Monitored ports
- Identify monitored ports that are different from the dedicated HA link ports.
- Only use static IP addresses for these interfaces.
Administration ports
Administration ports are the administration or management interfaces over which you access the primary and the auxiliary's web admin consoles.
The web admin console's default IP addresses differ for the regular ports used in the smaller appliances and the management ports used in the larger appliances. The default addresses are as follows:
- Other ports:
172.16.16.16
- Management ports (PortMGMT):
10.0.1.1
You can't access the auxiliary device's web admin console using the primary device's administration IP address. So, do as follows:
- Identify the subnet you want to use for both devices' administration or management ports.
-
Identify different IP addresses in this subnet for each device's administration ports.
If you use the same IP address on both devices, you can't access the auxiliary device's web admin console.
-
Only use static IP addresses for these interfaces.
Note
You can access the primary device's web admin console from any zone if you've given access to HTTPS from the zone on Administration > Device access.
To access the auxiliary device's web admin console, your endpoint must be within the same subnet as the auxiliary device.