The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. See the XG to XGS migration documentation.

Interface requirements

Make sure the firewalls meet the interface requirements before you configure HA.

Firewall interfaces

See the physical and virtual interface configurations that support HA. HA supports some interface configurations, but you can't assign these to the dedicated HA link or administration ports.

| Interface type | Active-passive | Active-active |
|---|---|---|
| DHCP, DHCP prefix delegation | Only use static IP addresses for the dedicated HA link and administration ports. | Only use static IP addresses for all interfaces. |
| PPPoE | Session failover doesn't occur. Only use static IP addresses for the dedicated HA link and administration ports. | Only use static IP addresses for all interfaces. |
| Bridge interface | Can't use it for dedicated HA link. | Can't use it for dedicated HA link. |
| Alias IP address | Can't use it for dedicated HA link. | Can't use it for dedicated HA link. |

Cellular WAN

Note

HA can't be configured if you've turned on Cellular WAN. So, go to Network > Cellular WAN and turn it off.

Breakout interfaces

See how the primary device's breakout interface configurations are synchronized with the auxiliary device.

  • When you configure breakout interfaces on the primary device: Restart the primary device to apply the configuration, then restart the auxiliary device.
  • Primary device has breakout interfaces: After the breakout configuration is synchronized to the auxiliary device, restart the auxiliary device for the configuration to take effect.
  • Primary device doesn't have breakout interfaces: The auxiliary device's breakout interface configurations are deleted during synchronization.

HA port configuration

  1. Identify the DMZ ports you want to use for the dedicated HA link. They can be physical, VLAN, or LAG interfaces.

    1. Dependent configurations: Make sure they don't have dependent configurations. These configurations are deleted when HA is initiated.
    2. IP address: Make sure they belong to the same subnet but have a different IP address on the primary and auxiliary devices.
    3. IP assignment: Assign only static IP addresses to these interfaces.
  2. Port and interface settings: To specify the advanced settings for the dedicated HA link port, go to Network > Interfaces, click Advanced settings for the interface and do as follows:

    1. Specify the Port settings:

      • High-speed (25, 50, and 100 GbE) ports, which apply to XGS 8500 and XGS 7500 Series firewalls:

        1. Link mode: Select the same port speed and duplex as the connected device. It can be the connected port of a network device, such as a switch, or the peer HA device's dedicated HA link.
        2. Click Save to apply the settings to the appliance.
        3. Edit the interface, click Show recommended settings, and click Load recommended configuration to automatically load the negotiation and Forward Error Correction (FEC) settings, and click Save.

          Note

          If the recommended settings are empty, turn off Auto-negotiation for media type and FEC.

      • For other ports, set Link mode to Automatic or the same port speed and duplex as the connected network device or the peer device.

    2. Under Interface settings, use the default MTU and MSS options.

    Note

    If you select unbound interfaces for the dedicated HA link in QuickHA mode, verify the advanced settings after you configure HA. The firewall assigns these interfaces to the DMZ and resets the advanced settings.

    For more information, see Configure physical interfaces.

Monitored ports

  1. Identify monitored ports that are different from the dedicated HA link ports.
  2. Only use static IP addresses for these interfaces.

Administration ports

Administration ports are the administration or management interfaces over which you access the primary and auxiliary devices' web admin consoles.

The web admin console's default IP addresses differ for the regular ports used in the smaller appliances and the management ports used in the larger appliances. The default addresses are as follows:

  • Other ports: 172.16.16.16
  • Management ports (PortMGMT): 10.0.1.1

You can't access the auxiliary device's web admin console using the primary device's administration IP address. So, do as follows:

  1. Identify the subnet you want to use for both devices' administration or management ports.
  2. Identify different IP addresses in this subnet for each device's administration ports.

    If you use the same IP address on both devices, you can't access the auxiliary device's web admin console.

  3. Only use static IP addresses for these interfaces.

Note

You can access the primary device's web admin console from any zone if you've given access to HTTPS from the zone on Administration > Device access.

To access the auxiliary device's web admin console, your endpoint must be within the same subnet as the auxiliary device.
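
The requirements on this page can be checked against a planned HA pair before you start configuration. The following Python check is an added example, not Sophos code: the plan layout, the port names, and every address except the default 172.16.16.16 are constructed for illustration.

```python
import ipaddress

HA_LINK_KINDS = {"physical", "vlan", "lag"}  # bridge and alias can't carry the HA link

def check_ha_plan(plan):
    """Return violations of the interface requirements for a planned HA pair."""
    problems = []
    ha, admin, monitored = plan["ha_link"], plan["admin"], set(plan["monitored"])
    if plan["cellular_wan"]:
        problems.append("Cellular WAN is on: HA can't be configured")
    if ha in monitored:
        problems.append(f"{ha}: monitored port must differ from the dedicated HA link")
    for dev in ("primary", "auxiliary"):
        for name, port in plan[dev].items():
            if name == ha and port["kind"] not in HA_LINK_KINDS:
                problems.append(f"{dev} {name}: {port['kind']} can't be the dedicated HA link")
            # Active-active: static everywhere. Active-passive: static on HA roles only.
            must_be_static = plan["mode"] == "active-active" or name in {ha, admin} | monitored
            if must_be_static and port["assignment"] != "static":
                problems.append(f"{dev} {name}: {port['assignment']} not allowed, use a static IP")
    for name in (ha, admin):
        p, a = plan["primary"][name], plan["auxiliary"][name]
        if p["assignment"] != "static" or a["assignment"] != "static":
            continue  # already reported above; no fixed address to compare
        pi, ai = ipaddress.ip_interface(p["address"]), ipaddress.ip_interface(a["address"])
        if pi.network != ai.network:
            problems.append(f"{name}: primary and auxiliary are in different subnets")
        elif pi.ip == ai.ip:
            problems.append(f"{name}: same IP address on both devices")
    return problems

def static(addr, kind="physical"):
    return {"kind": kind, "assignment": "static", "address": addr}

# Constructed plan: both devices still carry the default admin address on Port1.
SAMPLE_PLAN = {
    "mode": "active-passive", "cellular_wan": False,
    "ha_link": "Port5", "admin": "Port1", "monitored": ["Port2"],
    "primary": {"Port1": static("172.16.16.16/24"),
                "Port2": static("198.51.100.2/24"),
                "Port3": {"kind": "physical", "assignment": "pppoe"},
                "Port5": static("10.10.10.1/30")},
    "auxiliary": {"Port1": static("172.16.16.16/24"), "Port5": static("10.10.10.2/30")},
}

if __name__ == "__main__":
    for problem in check_ha_plan(SAMPLE_PLAN):
        print(problem)
```

In active-passive mode the sample plan reports only the duplicate administration address. Switching `mode` to `active-active` also flags the PPPoE interface on Port3.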