Connect new virtual auxiliary in active-passive HA
In active-passive HA, you can automatically establish HA when you set up a new virtual auxiliary device. You must initiate HA on the primary device and connect the new virtual appliance as an HA spare.
If both are existing firewalls, you can use QuickHA or interactive mode to establish HA.
In active-active HA, you configure HA on each device.
Device access
- Go to Administration > Device access.
- Select DMZ under SSH.
- Click Apply.
The firewalls use the HA passphrase and establish an SSH tunnel between the dedicated HA links of the HA devices.
Configure HA on primary
- Sign in to the primary device's web admin console.
- Go to System services > High availability.
- Under Initial device role, select one of the following options:
  - Primary (active-passive)
  - Primary (active-active)
- Set HA configuration mode to Interactive mode.
- Optional: Enter a Cluster ID.
The firewall automatically assigns this ID to both devices in the cluster. If your network has multiple HA clusters, assign a different ID to each cluster to prevent virtual MAC address conflicts. See HA modes and device roles.
- Optional: Change the node name.
- The firewall automatically generates a passphrase. Paste the passphrase you copied from the auxiliary device.
- Under Dedicated HA link, select a physical, VLAN, or LAG interface that belongs to the DMZ.
- Under Dedicated peer HA link IPv4 address, enter the auxiliary device's dedicated HA link address.
Note
Make sure the dedicated HA link IP addresses of both devices belong to the same subnet.
- Optional: Under Select ports to be monitored, select one or more of the following to monitor whether the device is available:
  - Physical interfaces
  - LAG interfaces
  - Unbound interfaces, if they have a VLAN configured. You can't select unbound interfaces that don't have a VLAN.
If a monitored port goes down, the device considers itself unavailable, and failover occurs.
- Specify the following Peer administration settings to access the auxiliary device's web admin console:
  - Select an Interface.
  - Enter an IPv4 address or IPv6 address.
- For Preferred primary device, select one of the HA devices.
This device automatically becomes the primary device when it recovers after a failover. See Failing back to primary device.
Tip
We recommend that you select the initial primary device. In active-passive HA, only the initial primary device supports services, such as FastPath offloading. It also holds the licenses and is easy to identify.
- Enter the Keepalive request interval in milliseconds.
The device sends a heartbeat over the dedicated link port to the peer device at these intervals. Heartbeats are used to determine if the peer device is available.
Default: 250
- Enter the number of Keepalive attempts.
Default: 16
For example, with a keepalive request interval of 250 milliseconds and 8 keepalive attempts, the peer device is declared dead after 250 ms * 8 = 2,000 ms, that is, 2 seconds.
Note
You can't set the keepalive interval and keepalive attempts while the devices are in Standalone or Faulty statuses.
- Select Use host or hypervisor-assigned MAC address to use the MAC address assigned by the hypervisor.
If you select the checkbox, you don't need to turn on promiscuous mode on the vSwitch. If you don't select the checkbox, see Accept MAC address changes.
- Click Initiate HA.
The following message appears: HA could not be enabled.
Set up the hot spare
To connect a new virtual appliance as the auxiliary and automatically configure HA, do as follows:
- Install a firewall instance using the same firmware version as the existing device.
- Start the firewall. The setup assistant appears.
- Under Default administrator's new password, enter a password and reenter it.
- Click Connect as HA spare.
- Enter the following details in the pop-up window:
  - Peer serial number: Enter the serial number of the existing HA device you'll connect this device to. You can see it in the upper-left corner of Control center on the existing device.
  - Passphrase: Enter the passphrase entered in the existing device's HA configuration.
  - Dedicated HA link: Select the same interface used on the existing device.
  - IP address: Enter an IP address that belongs to the same subnet as the existing device's dedicated HA link.
  - Subnet mask: Select the same subnet mask used on the existing device.
- Click Apply.
- Click Continue.
- Review the summary and click Finish.
The firewall creates the auxiliary device, assigns a serial number, and configures the interfaces for the dedicated HA link and the administration port.
When you sign in to the auxiliary device, you can see its serial number in the upper-left corner of Control center. It starts with HAAUX, for example, HAAUXxxxxxxxxxx. The primary device shows Standalone status.
- After a few minutes, refresh the auxiliary device's web admin console and sign in.
You can see that HA is established.