Configuration Guidelines for Active/Passive HA

To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.
The following checklist details the settings that you must configure identically on both firewalls:
  • You must enable HA on both firewalls.
  • You must configure the same Group ID value on both firewalls. The firewall uses the Group ID value to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address’ new location.
  • If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
  • Set the HA Mode to Active Passive on both firewalls.
  • If required, enable preemption on both firewalls. The device priority value, however, must not be identical.
  • If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
  • Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:
    HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.
    • HA1: Dedicated HA1 port
      HA1 Backup: Dedicated HA1 port
      Recommendation: Enable Heartbeat Backup
    • HA1: Dedicated HA1 port
      HA1 Backup: In-band port
      Recommendation: Enable Heartbeat Backup
    • HA1: Dedicated HA1 port
      HA1 Backup: Management port
      Recommendation: Do not enable Heartbeat Backup
    • HA1: In-band port
      HA1 Backup: In-band port
      Recommendation: Enable Heartbeat Backup
    • HA1: Management port
      HA1 Backup: In-band port
      Recommendation: Do not enable Heartbeat Backup
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings are not automatically synchronized between peers.
Independent Configuration Settings
PeerA
PeerB
Control Link
IP address of the HA1 link configured on this firewall (PeerA).
IP address of the HA1 link configured on this firewall (PeerB).
For firewalls without dedicated HA ports, use the management port IP address for the control link.
Data Link
The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls.
By default, the HA2 link uses Ethernet/Layer 2.
If using a Layer 3 connection, configure the IP address for the data link on this firewall (PeerA).
By default, the HA2 link uses Ethernet/Layer 2.
If using a Layer 3 connection, configure the IP address for the data link on this firewall (PeerB).
Device Priority (required, if preemption is enabled)
The firewall you plan to make active must have a lower numerical value than its peer. So, if Peer A is to function as the active firewall, keep the default value of 100 and increment the value on PeerB.
If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tie-breaker.
If PeerB is passive, set the device priority value to a number larger than the setting on PeerA. For example, set the value to 110.
Link Monitoring—Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition.
Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover.
Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover.
Path Monitoring—Monitor one or more destination IP addresses that the firewall can use ICMP pings to ascertain responsiveness.
Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic.
Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a a path monitoring failure and trigger a failover.
Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for PeerB. Define the failure condition (all or any), ping interval and the ping count.

Related Documentation