HA Active/Active Config
Configure settings for a firewall in HA active/active
mode.
- Device > High Availability > Active/Active Config
To configure settings for an Active/Active HA
pair, select Device > High Availability > Active/Active Config.
Active/Active Config Settings | Description |
---|---|
Packet Forwarding | Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions. |
HA3 Interface | Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA. If the HA3 link fails, the active-secondary peer will transition to the non-functional state. To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces will provide additional capacity and link redundancy to support packet forwarding between HA peers. You must enable jumbo frames on all intermediary networking devices when using the HA3 interface. |
VR Sync | Force synchronization of all virtual routers configured on the HA peers. Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only. |
QoS Sync | Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting. |
Tentative Hold Time (sec) | When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would silently discard packets because it would not have the necessary routes (default is 60 seconds). |
Session Owner Selection | The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet: |
Virtual Address | Click Add, select the IPv4 or IPv6 tab, and then click Add again to enter options to specify the type of HA virtual address to use: Floating or ARP Load Sharing. You can also mix virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface. |
Virtual Address (cont) | |
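
The constraints stated in the HA3 Interface, VR Sync and Tentative Hold Time rows can be checked mechanically before a change window. The following is an added example, not code from the original page or the vendor: it lints a simplified, hypothetical description of the pair, where the dict keys, device names, addresses and the `routing_convergence_sec` value are assumptions and not the firewall's configuration schema.

```python
def audit_active_active(cfg):
    """Return findings for settings that contradict the table's guidance."""
    findings = []
    ha3 = cfg.get("ha3", {})
    if ha3.get("interface_type") != "HA":
        findings.append("ha3: interface is not a dedicated Layer 2 interface of type HA")
    # No HA3 backup link exists, so a single physical link is a single point of failure.
    if len(ha3.get("lag_members", [])) < 2:
        findings.append("ha3: fewer than two physical links in the HA3 LAG")
    for dev in ha3.get("intermediary_devices", []):
        if not dev.get("jumbo_frames"):
            findings.append(f"ha3: jumbo frames not enabled on {dev['name']}")
    # VR Sync is meant for static routing with a shared next-hop router.
    if cfg.get("vr_sync"):
        for vr in cfg.get("virtual_routers", []):
            if vr.get("dynamic_protocols"):
                findings.append(f"vr_sync: virtual router {vr['name']} runs dynamic routing")
        if len(set(cfg.get("peer_next_hops", []))) > 1:
            findings.append("vr_sync: peers use different next-hop routers")
    hold = cfg.get("tentative_hold_time", 60)  # table default: 60 seconds
    # Assumption: the operator supplies a measured routing convergence time.
    if hold < cfg.get("routing_convergence_sec", 0):
        findings.append("tentative_hold_time: shorter than routing convergence")
    return findings

# Constructed sample inputs (hypothetical schema, not exported firewall config).
WEAK = {
    "ha3": {"interface_type": "HA", "lag_members": ["ethernet1/7"],
            "intermediary_devices": [{"name": "sw-core-1", "jumbo_frames": False}]},
    "vr_sync": True,
    "virtual_routers": [{"name": "default", "dynamic_protocols": ["OSPF"]}],
    "peer_next_hops": ["192.0.2.1", "192.0.2.1"],
    "tentative_hold_time": 30,
    "routing_convergence_sec": 45,
}
CORRECTED = {
    "ha3": {"interface_type": "HA", "lag_members": ["ethernet1/7", "ethernet1/8"],
            "intermediary_devices": [{"name": "sw-core-1", "jumbo_frames": True}]},
    "vr_sync": False,
    "virtual_routers": [{"name": "default", "dynamic_protocols": ["OSPF"]}],
    "tentative_hold_time": 60,
    "routing_convergence_sec": 45,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit_active_active(cfg) or "no findings")
```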