Define HA Failover Conditions

Perform the following task to define failover conditions and thus establish what will cause a firewall in an HA pair to fail over, an event where the task of securing traffic passes from the previously active firewall to its HA peer. The HA Overview describes conditions that cause a failover.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the EngineID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the EngineID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique EngineID for each firewall.
  1. To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
    1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
    2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link group you define is added to the Link Group section.
  2. (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall.
    By default, the firewall will trigger a failover when any monitored link fails.
    1. Select the Link Monitoring section.
    2. Set the Failure Condition to All.
      The default setting is Any.
  3. To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
    1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, pick the Add option for your setup: Virtual Wire, VLAN, or Virtual Router.
    2. Select the appropriate item for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.
  4. (Optional) Modify the failure condition for all Path Groups configured on the firewall.
    By default, the firewall will trigger a failover when any monitored path fails.
    Set the Failure Condition to All.
    The default setting is Any.
  5. Commit the configuration.
