High Availability (HA)

Hardware failure, such as a failure of the power supply, hard disk, or processor, is the main reason an Internet security system or firewall fails. To provide a reliable and continuous connection to the Internet, and to provide central management, two devices can be configured to function as a single device and provide HA.
Note: This feature is available only in hardware devices.

Clustering technology is used to ensure HA. In a cluster, two devices are grouped together and instructed to work as a single entity.

This section covers the following topics:

How Cluster works

The device offers high availability by using a virtual MAC address shared between a Primary device and an Auxiliary device linked together as a “cluster”.

The Primary and Auxiliary devices are physically connected over a dedicated HA link port.

Typically, traffic enters your network by passing through a network switch. In HA, one of the devices in the cluster holds the virtual MAC address, and traffic is forwarded to the device that holds it.

The device that holds the virtual MAC address is the Primary device, and its peer is the Auxiliary device. The Primary device acts as a load balancer and forwards traffic to the Auxiliary device for processing. The Auxiliary device can process traffic only if the cluster is operating in Active-Active mode.

If the cluster is configured in Active-Passive mode, the Primary device processes all traffic while the Auxiliary device waits in a ready mode to operate as the Primary device in case the Primary device or any of the monitored links fails.

The Auxiliary device monitors the Primary device through the dedicated HA link. If it does not receive any communication within the pre-configured time, the Primary device is considered to have failed. In this case, the Auxiliary device takes ownership of the virtual MAC address from the Primary device and temporarily acts as the Primary device. Once the Primary device is up again, it automatically takes over from the Auxiliary device.
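The following added example (not vendor code) models the Auxiliary device's failure check described above: it replays heartbeat arrival times and records when ownership of the virtual MAC address changes. The class and function names, the time units, and the once-per-step check are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AuxiliaryMonitor:
    """Auxiliary-side view of the dedicated HA link (illustrative model)."""
    timeout: float                 # pre-configured time without communication (units assumed)
    last_heard: float = 0.0        # time the Primary was last heard on the HA link
    vmac_owner: str = "primary"    # which peer currently holds the virtual MAC address
    events: list = field(default_factory=list)

    def heartbeat(self, now):
        """The Primary was heard on the HA link at time `now`."""
        self.last_heard = now
        if self.vmac_owner == "auxiliary":
            # The Primary is up again and automatically takes over.
            self.vmac_owner = "primary"
            self.events.append((now, "primary resumes virtual MAC"))

    def tick(self, now):
        """Periodic check: declare the Primary failed after `timeout` of silence."""
        if self.vmac_owner == "primary" and now - self.last_heard > self.timeout:
            self.vmac_owner = "auxiliary"
            self.events.append((now, "auxiliary takes virtual MAC"))
        return self.vmac_owner


def replay(timeout, heartbeats, until, step=1.0):
    """Replay constructed heartbeat times and return the ownership change events."""
    mon = AuxiliaryMonitor(timeout=timeout)
    pending = sorted(heartbeats)
    now = 0.0
    while now <= until:
        while pending and pending[0] <= now:
            mon.heartbeat(pending.pop(0))
        mon.tick(now)
        now += step
    return mon.events


if __name__ == "__main__":
    # Constructed timeline: the Primary goes silent after t=3 and returns at t=10.
    for when, what in replay(3.0, [0.0, 1.0, 2.0, 3.0, 10.0, 11.0], until=12.0):
        print(f"t={when:>4}: {what}")
```

In this model the Auxiliary device takes over only after the silence exceeds the timeout, so the detection delay is bounded by the configured time plus one check interval; a gap shorter than the timeout causes no failover.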

The device from which HA is enabled goes into the Standalone state while the other device reboots. Once the other device comes up, the synchronization process starts. It synchronizes the time zone, signatures (Anti Virus, Web Categorization, IPS and Application), database configurations (Firewall Manager and Managed devices), backups (Firewall Manager and Managed devices) and logs (Managed devices).

After a successful synchronization, the two Firewall Manager devices enter the Primary – Auxiliary state. In this state, every event that takes place on the Primary device is reflected on the Auxiliary device immediately.

When the Primary device goes down, an automatic failover takes place and the Auxiliary device goes into the Standalone state. This process may take 10 to 15 seconds, depending on the size of the data. During this transition period, the administrator may lose access to the Firewall Manager HA cluster for a while.