Deploy HA ports
Make sure ports used in HA, such as the dedicated HA link, monitored ports, and administration ports, are connected within your network and meet the configuration requirements.
HA ports
- Dedicated HA link: Carries device and connection statuses and load-balancing information, and synchronizes the firewall configuration.
- Monitored ports: Each device determines its own availability from the status of these ports.
- Administration or management port: Gives access to the web admin console.
Note
We recommend that you turn on RSTP mode for the switch connected to the firewall's ports.
Dedicated HA link
Dedicated HA links connect the HA devices and are used for the following encrypted communications:
- To communicate device status through heartbeat packets from one device to the other.
- To share connection statuses between the devices.
- To carry load-balancing information from the primary device to the auxiliary device.
- To synchronize firewall configuration between the devices.
Dedicated HA links carry only this HA communication; they don't process user traffic.
SSH tunnel
An SSH tunnel is established between the devices' dedicated HA links using the passphrase in the HA configuration. The passphrase is deleted after the tunnel is established and can't be used later to establish the secure tunnel with a different device. So, if you want to replace a firewall in the cluster, you must disable HA and reconfigure it.
For the SSH tunnel to be established, dedicated HA links must be in the DMZ zone with SSH turned on for the zone.
What you must do
- Note the interface for the dedicated HA link during your planning process. It can be a physical, VLAN, or LAG interface.
- Connect the interfaces: Connect the dedicated HA link interfaces of the two devices with each other using one of the following options:
  - We recommend that you connect these interfaces directly using an Ethernet cable between the two devices. This prevents network issues from blocking heartbeat transmission, which would otherwise cause an HA failover. See Failover.
  - Alternatively, you can connect them through network devices, such as a switch or vSwitch.
- Port-to-port mapping: Make sure the devices are mapped port to port, that is, the dedicated HA link uses the same interface on both devices. If you selected a LAG interface, its parent interfaces must be the same on both devices.
Monitored ports
Monitored ports are physical interfaces. Each HA device monitors its own monitored ports to determine whether it's available. If even one monitored port becomes unavailable, the device considers itself unavailable and failover occurs.
Port monitoring ensures that failover occurs when interfaces critical to your network face an issue. When failover occurs, the auxiliary device takes over and processes the traffic so that critical traffic continues to flow. If you don't select any monitored ports, HA continues to function, and failover only occurs for other reasons, such as HA heartbeat issues and device or power failure.
Tip
We recommend that you select the ports critical to your network traffic, so that failover occurs when one of them becomes unavailable.
WAN ports connecting to the internet and DMZ ports connecting to critical servers are commonly selected as monitored ports, so failover occurs when the internet link goes down or the interface becomes unavailable, and critical traffic keeps flowing.
What you must do
- Note the physical interfaces for the monitored ports during your planning process.
- Connect every monitored port on both devices to your network.
- Go to Network > Interfaces and make sure every one of them shows Connected status.
Warning
If you don't connect even a single monitored port to a router or switch, you can't establish HA. If even one becomes unavailable after establishing HA, the device considers itself unavailable, and failover occurs.
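The dedicated HA link and monitored port requirements above are easy to get wrong on one device but not the other (a LAG built from different parents, SSH not allowed for DMZ on the auxiliary, a monitored WAN port left unplugged). The following pre-flight check is an added example, not Sophos Firewall code: it encodes those requirements over a constructed inventory of both devices' interfaces. The field names (kind, zone, status, parents, ssh_zones) and the sample inventories are assumptions for illustration, not the firewall's real export format.

```python
# Added example, not Sophos Firewall code: a pre-flight check that encodes the
# HA port requirements on this page. The interface inventories are constructed
# sample data and the field names are assumptions, not the firewall's export format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str               # "physical", "vlan" or "lag"
    zone: str               # zone the interface is assigned to, e.g. "DMZ"
    status: str             # link state as shown under Network > Interfaces
    parents: tuple = ()     # parent ports, only meaningful for a LAG


@dataclass(frozen=True)
class Device:
    name: str
    interfaces: dict        # interface name -> Interface
    ssh_zones: frozenset    # zones for which SSH is turned on


def check_ha_ports(primary, auxiliary, ha_link, monitored):
    """Return a list of problems; an empty list means both devices meet the page's port requirements."""
    problems = []
    devices = (primary, auxiliary)

    # Dedicated HA link: must exist under the same name on both devices (port-to-port
    # mapping), be a physical, VLAN or LAG interface, sit in the DMZ zone, and that
    # zone must have SSH turned on so the SSH tunnel can be established.
    for dev in devices:
        link = dev.interfaces.get(ha_link)
        if link is None:
            problems.append(f"{dev.name}: HA link {ha_link} does not exist (no port-to-port mapping)")
            continue
        if link.kind not in ("physical", "vlan", "lag"):
            problems.append(f"{dev.name}: HA link {ha_link} has unsupported type {link.kind}")
        if link.zone != "DMZ":
            problems.append(f"{dev.name}: HA link {ha_link} is in zone {link.zone}, must be DMZ")
        if "DMZ" not in dev.ssh_zones:
            problems.append(f"{dev.name}: SSH is not enabled for the DMZ zone")

    # A LAG used as the HA link must be built from the same parent ports on both devices.
    links = [d.interfaces.get(ha_link) for d in devices]
    if all(links) and any(l.kind == "lag" for l in links):
        if {l.kind for l in links} != {"lag"} or set(links[0].parents) != set(links[1].parents):
            problems.append(f"HA link {ha_link}: LAG parent interfaces differ between devices")

    # Monitored ports: physical interfaces that show Connected on both devices.
    # An unconnected one blocks HA setup; one that drops later triggers failover.
    for port in monitored:
        for dev in devices:
            iface = dev.interfaces.get(port)
            if iface is None:
                problems.append(f"{dev.name}: monitored port {port} does not exist")
            elif iface.kind != "physical":
                problems.append(f"{dev.name}: monitored port {port} is a {iface.kind} interface, not a physical port")
            elif iface.status != "Connected":
                problems.append(f"{dev.name}: monitored port {port} is {iface.status}")
    return problems


def _inventory(port2_status, ha_parents):
    """Constructed sample inventory; only the WAN link state and the LAG parents vary."""
    return {
        "Port1": Interface("Port1", "physical", "LAN", "Connected"),
        "Port2": Interface("Port2", "physical", "WAN", port2_status),
        "Port3": Interface("Port3", "physical", "DMZ", "Connected"),
        "LAG1": Interface("LAG1", "lag", "DMZ", "Connected", ha_parents),
    }


PRIMARY = Device("primary", _inventory("Connected", ("Port5", "Port6")), frozenset({"DMZ"}))
AUXILIARY_OK = Device("auxiliary", _inventory("Connected", ("Port5", "Port6")), frozenset({"DMZ"}))
# Misconfigured auxiliary: WAN port unplugged, LAG built from a different parent, SSH not on for DMZ.
AUXILIARY_BAD = Device("auxiliary", _inventory("Disconnected", ("Port5", "Port7")), frozenset())

MONITORED = ("Port2", "Port3")   # WAN and DMZ ports, as the page recommends


def plan_ok():
    return check_ha_ports(PRIMARY, AUXILIARY_OK, "LAG1", MONITORED)


def plan_bad():
    return check_ha_ports(PRIMARY, AUXILIARY_BAD, "LAG1", MONITORED)


if __name__ == "__main__":
    for label, result in (("good plan", plan_ok()), ("bad plan", plan_bad())):
        print(label, "->", result or "no problems")
```

Running the script reports no problems for the matching pair and three for the misconfigured auxiliary: SSH not enabled for DMZ, differing LAG parents, and the disconnected monitored WAN port. Fill the inventories from what Network > Interfaces shows on each device before you turn on HA.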
Administration ports
These are the administration or management ports over which you can access the web admin consoles of the primary and auxiliary devices.
Note
You can only access the auxiliary device's web admin console if your endpoint is on the same subnet as the auxiliary device's administration port.