Configure HA Clustering

Configure HA clustering on up to 16 firewalls to protect against failure of data center communications or to achieve horizontal scaling.
Learn about HA clustering and follow the HA Clustering Best Practices and Provisioning before you configure HA firewalls as members of a cluster.
  1. Establish an interface as an HA interface (to later assign as the HA4 link).
    1. Select Network > Interfaces > Ethernet and select an interface; for example, ethernet1/1.
    2. Select the Interface Type to be HA.
    3. Assign the interface to a Security Zone.
    4. Click OK.
    5. Repeat this step to configure another interface to use as the HA4 backup link.
  2. Enable HA clustering.
    1. Select Device > High Availability > General and edit the Clustering Settings.
    2. Enable Cluster Participation.
    3. Enter the Cluster ID, a unique numeric ID for an HA cluster in which all members can share session state; range is 1 to 99.
    4. Enter a short, helpful Cluster Description.
    5. (Optional) Change Cluster Synchronization Timeout (min), which is the maximum number of minutes that the local firewall waits before going to Active state when another cluster member (for example, in unknown state) is preventing the cluster from fully synchronizing; range is 0 to 30; default is 0.
    6. (Optional) Change Monitor Fail Hold Down Time (min), which is the number of minutes after which a down link is retested to see if it is back up; range is 1 to 60; default is 1.
    7. Click OK.
  3. Configure the HA4 link.
    1. Select HA Communications and in the Clustering Links section, edit the HA4 section.
    2. Select the interface you configured in the first step as an HA interface to be the Port for the HA4 link; for example, ethernet1/1.
    3. Enter the IPv4/IPv6 Address of the local HA4 interface.
    4. Enter the Netmask.
    5. (Optional) Change the HA4 Keep-alive Threshold (ms) to specify the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional; range is 5,000 to 60,000; default is 10,000.
    6. Click OK.
  4. Configure the HA4 Backup link.
    1. Edit the HA4 Backup section.
    2. Select the other interface you configured in the first step as an HA interface to be the Port for the HA4 backup link.
    3. Enter the IPv4/IPv6 Address of the local HA4 backup interface.
    4. Enter the Netmask.
    5. Click OK.
  5. Specify all members of the HA cluster, including the local member and both HA peers in any HA pair.
    1. Select Cluster Config.
    2. (On a supported firewall) Add a peer member’s Device Serial Number.
    3. (On Panorama) Add and select a Device from the dropdown and enter a Device Name.
    4. Enter the HA4 IP Address of the HA peer in the cluster.
    5. Enter the HA4 Backup IP Address of the HA peer in the cluster.
    6. Enable Session Synchronization with the peer you identified.
    7. (Optional) Enter a helpful Description.
    8. Click OK.
    9. Select the device and Enable it.
  6. Define HA failover conditions with link and path monitoring.
  7. Commit.
  8. (Panorama only) Refresh the list of HA firewalls in the HA cluster.
    1. Under Templates, select Device > High Availability > Cluster Config.
    2. Click Refresh at the bottom of the screen.
  9. View HA cluster information in the UI.
    1. Select Dashboard.
    2. View the HA cluster fields.
      - The top section displays cluster state and HA4 connections to provide cluster health at a glance. The HA4 and HA4 Backup indicators will be one of the following:
        - Green indicates the link status of the cluster members is Up.
        - Red indicates the link status of all the cluster members is Down.
        - Yellow indicates the link status of some cluster members is Up while the status of other cluster members is Down.
        - Grey indicates not configured.
      - The center section displays the capacity of the local session table and session cache table so you can monitor how full the tables are and plan for firewall upgrades.
      - The lower section displays communication errors on the HA4 and HA4 backup links, signifying possible problems with synchronizing information between members.
  10. Access the CLI to view HA cluster and HA4 link information and perform other HA clustering tasks.
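
A sanity check to run over a planned cluster before committing, as an added example that is not Palo Alto Networks code: it applies the value ranges, the 16-member limit and the member-list requirement from the steps above to a plan held in a hypothetical Python dict schema. The unique-address check is an assumption, and the serial numbers and addresses in the sample are constructed.

```python
import ipaddress

# Ranges and limits stated in the procedure above.
LIMITS = {"cluster_id": (1, 99), "sync_timeout_min": (0, 30),
          "hold_down_min": (1, 60), "ha4_keepalive_ms": (5000, 60000)}
MAX_MEMBERS = 16

def check_cluster_plan(plan):
    """Return the problems found in a planned HA cluster (empty list = none).
    plan maps a firewall serial number to its intended settings; the schema
    is hypothetical and is not a PAN-OS export format."""
    problems = []
    if len(plan) > MAX_MEMBERS:
        problems.append(f"{len(plan)} members exceeds the limit of {MAX_MEMBERS}")
    if len({fw["cluster_id"] for fw in plan.values()}) > 1:
        problems.append("members do not share one cluster_id")
    seen = {}  # HA4 address -> serial that claimed it first
    for serial, fw in plan.items():
        for key, (lo, hi) in LIMITS.items():
            if key in fw and not lo <= fw[key] <= hi:
                problems.append(f"{serial}: {key}={fw[key]} outside {lo}-{hi}")
        if fw["ha4_port"] == fw["ha4_backup_port"]:
            problems.append(f"{serial}: HA4 and HA4 backup use the same port")
        for key in ("ha4_ip", "ha4_backup_ip"):
            addr = ipaddress.ip_address(fw[key])  # raises on a malformed address
            if addr in seen:  # assumption: addresses are unique across the plan
                problems.append(f"{serial}: {key} {addr} already used by {seen[addr]}")
            seen.setdefault(addr, serial)
        missing = set(plan) - set(fw["members"])  # step 5: list every member
        if missing:
            problems.append(f"{serial}: member list lacks {sorted(missing)}")
    return problems

def make_member(ip, backup_ip, members, keepalive=10000):
    return {"cluster_id": 7, "ha4_port": "ethernet1/1", "ha4_backup_port": "ethernet1/2",
            "ha4_ip": ip, "ha4_backup_ip": backup_ip,
            "ha4_keepalive_ms": keepalive, "members": members}

# Constructed sample: serial numbers and addresses are made up.
ALL = ["SN-A", "SN-B", "SN-C"]
SAMPLE_PLAN = {
    "SN-A": make_member("192.0.2.1", "198.51.100.1", ALL),
    "SN-B": make_member("192.0.2.2", "198.51.100.2", ALL),
    "SN-C": make_member("192.0.2.2", "198.51.100.3", ["SN-A", "SN-C"], keepalive=2000),
}

if __name__ == "__main__":
    print("\n".join(check_cluster_plan(SAMPLE_PLAN)) or "plan is consistent")
```

On the sample plan the check reports three problems, all on SN-C: a keep-alive threshold below the documented range, an HA4 address already assigned to SN-B, and a member list that omits SN-B.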
