Select the Enable Cloud Host Compliance Service check box to connect to the cloud services. The Connection status displays whether the HCS is enabled or not. Verify that the status indicator turns Green, confirming a successful connection to the cloud.
By default, HCS is disabled.
Below are the various connection statuses:
- Gray: Service is not enabled.
- Green: Service is enabled and successfully connected to the cloud.
- Red: Service is enabled but not connected to the cloud.
  - Check for Device Certificate Validity for the firewall where the HCS is enabled.
  - Check Cloud FQDN. Contact Support team to resolve this issue.
If your device is in a high availability (HA) configuration, then the HCS connection for the active-secondary/passive device will show as Not Connected (Red) status. This is expected behavior and is accompanied by the message Device is not Active/Primary on the page.
Note the following behavior regarding HCS in an HA environment:
- Active-Active Mode: Verdict synchronization occurs in one direction only, from the primary device to the secondary device. This ensures that the secondary device, which also processes traffic, has up-to-date verdicts.
- Active-Passive Mode: Continuous synchronization to the passive device does not occur. In the event of a failover, the newly active device automatically downloads the complete set of verdicts from the cloud.
The Active-Active sync happens on a best-effort basis and requires that device configurations are kept synchronized between the HA peers. If policies are inconsistent between the devices, verdict synchronization may fail or function unpredictably. This is a known limitation of the feature.