HA1 SSH Key Refresh
Refresh SSH host keys and set other SSH key options for an HA1 control link and re-establish HA1 sessions between HA peers so the new keys and settings take effect without restarting the HA peers.
When you configure Active/Passive HA or Active/Active HA, you can enable encryption for the HA1 (control link) connection between the HA firewalls. The HA peers authenticate each other with Secure Shell (SSH) host key pairs (a public and a private key). After you enable encryption and generate a new pair of host keys or change other HA1 encryption settings, you can put the new host keys and settings into effect without restarting the HA firewalls, so neither firewall goes offline. The firewall re-establishes its HA1 sessions with the peer and generates system logs (subtype ha) for the re-established HA1 and HA1-backup sessions.
- (Optional) Set the HA1 link to use a specific host key type (known as the default host key type). HA1 SSH uses only the default host key type to authenticate the HA peers, which happens before an encrypted session is established between them. The choices are ECDSA 256, 384, or 521 and RSA 2048, 3072, or 4096; the default host key type is RSA 2048.
- Establish when automatic rekeying of the session keys occurs for the HA1 link by setting data volume, time, and/or packet count thresholds. As soon as any one threshold reaches its configured value, SSH rekeys and the new session encryption keys are used.
- (Optional) Restrict the SSH server to a specified set of encryption ciphers for HA1 sessions. By default HA1 SSH allows all supported ciphers. When you set one or more ciphers, the server advertises only those ciphers during key exchange; if the client (the HA peer) offers no cipher in that set, the server terminates the connection.
- (Optional) Delete a cipher from the set of ciphers you selected for the HA1 link.
- (Optional) Set the session key exchange algorithm for HA1 SSH. By default the server advertises all the key exchange algorithms to the client.
- (Optional) Set the message authentication code (MAC) for HA1 SSH. By default the server advertises all the MAC algorithms to the client.
- Regenerate ECDSA or RSA host keys for HA1 SSH to replace the existing keys. Do this as often as your security policy requires.
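The negotiation and restriction behaviour described in the list above, as an added example that is not part of the original page and is not PAN-OS code: a Python script that builds and parses SSH_MSG_KEXINIT payloads (the message in which each SSH peer advertises its key exchange, host key, cipher and MAC algorithms, RFC 4253 section 7.1), runs the same first-client-preference negotiation both peers perform, flags advertised algorithms that match a denylist, and models the rekey trigger as any one threshold being reached. The algorithm lists, the denylist, the threshold values and the peer names are constructed for illustration; the firewall exposes none of these functions, so this is something to run on a workstation, for example against a KEXINIT taken from a packet capture of the link.

```python
"""Added example (not PAN-OS code): parse an SSH_MSG_KEXINIT (RFC 4253 s7.1),
run the algorithm negotiation both peers perform, and audit what a server
advertises against a denylist. Algorithm lists and thresholds are constructed."""
import os
import struct

SSH_MSG_KEXINIT = 20

# Name-list order after the 16-byte cookie, per RFC 4253 section 7.1.
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
NEGOTIATED = NAME_LISTS[:6]   # the lists that must share at least one entry

# Denylist used by the audit below; an assumed policy, not a PAN-OS default.
WEAK_SUBSTRINGS = ("-cbc", "arcfour", "3des", "md5", "sha1", "ssh-dss")


def peer(kex, host_key, enc, mac):
    """Expand the four lists an operator configures into a full KEXINIT dict."""
    return {"kex": kex, "host_key": host_key,
            "enc_c2s": enc, "enc_s2c": enc, "mac_c2s": mac, "mac_s2c": mac,
            "comp_c2s": ["none"], "comp_s2c": ["none"],
            "lang_c2s": [], "lang_s2c": []}


def build_kexinit(lists, cookie=None):
    """Serialize a KEXINIT payload: byte 20, 16-byte cookie, ten name-lists,
    boolean first_kex_packet_follows, uint32 reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + (cookie or os.urandom(16))
    for field in NAME_LISTS:
        data = ",".join(lists[field]).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Inverse of build_kexinit; an empty name-list decodes to []."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for field in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        lists[field] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return lists


def negotiate(client, server):
    """RFC 4253 s7.1: for each list, choose the first client-preferred name the
    server also advertises. No common name in any list means the server
    disconnects, modelled here by raising ValueError."""
    chosen = {}
    for field in NEGOTIATED:
        common = [name for name in client[field] if name in server[field]]
        if not common:
            raise ValueError(f"no common {field} algorithm; connection terminated")
        chosen[field] = common[0]
    return chosen


def can_connect(client, server):
    """True when negotiation succeeds for every list, False when the server would disconnect."""
    try:
        negotiate(client, server)
        return True
    except ValueError:
        return False


def weak_algorithms(lists):
    """Names the peer advertises that match the denylist, sorted for stable output."""
    return sorted({name for field in NEGOTIATED for name in lists[field]
                   if any(w in name for w in WEAK_SUBSTRINGS)})


def rekey_due(bytes_sent, seconds_elapsed, packets_sent, limits):
    """A session rekey fires as soon as ANY configured threshold is reached (None = unset)."""
    pairs = ((bytes_sent, limits.get("data")), (seconds_elapsed, limits.get("time")),
             (packets_sent, limits.get("packets")))
    return any(lim is not None and val >= lim for val, lim in pairs)


# Constructed peers: a permissive server, the same server after restriction,
# and two clients (a modern one and a legacy-only one).
SERVER_DEFAULT = peer(["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
                      ["rsa-sha2-256", "ssh-rsa"],
                      ["aes256-gcm@openssh.com", "aes128-ctr", "aes128-cbc"],
                      ["hmac-sha2-256", "hmac-sha1"])
SERVER_HARDENED = peer(["ecdh-sha2-nistp256"], ["rsa-sha2-256"],
                       ["aes256-gcm@openssh.com"], ["hmac-sha2-256"])
CLIENT_MODERN = peer(["ecdh-sha2-nistp256"], ["rsa-sha2-256"],
                     ["aes128-ctr", "aes256-gcm@openssh.com"], ["hmac-sha2-256"])
CLIENT_LEGACY = peer(["diffie-hellman-group14-sha1"], ["ssh-rsa"],
                     ["aes128-cbc"], ["hmac-sha1"])

if __name__ == "__main__":
    wire = build_kexinit(SERVER_DEFAULT)          # what a capture would hold
    print("weak on default server:", weak_algorithms(parse_kexinit(wire)))
    print("modern client vs default:", negotiate(CLIENT_MODERN, SERVER_DEFAULT)["enc_c2s"])
    print("modern client vs hardened:", negotiate(CLIENT_MODERN, SERVER_HARDENED)["enc_c2s"])
    print("legacy client vs hardened connects:", can_connect(CLIENT_LEGACY, SERVER_HARDENED))
    print("rekey after 1h:", rekey_due(0, 3600, 0, {"data": 32 << 20, "time": 3600, "packets": None}))
```

Two things the run makes visible that the list above only states. First, restricting the server's advertised set changes the outcome for a client that still prefers a weaker option: the modern client lands on aes128-ctr against the permissive server but on aes256-gcm@openssh.com against the restricted one, because negotiation follows the client's preference order within what the server admits. Second, a peer that can only offer algorithms outside the restricted set gets no session at all, which is the failure mode to plan for before tightening ciphers, key exchange or MACs on a live HA1 link.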
Related procedures:
- Refresh HA1 SSH Keys and Configure Key Options: If you enable encryption over the HA1 control link, you can refresh the SSH host keys, change various key options, and re-establish HA1 sessions between ...
- Refresh SSH Keys and Configure Key Options for Management Interface Connection: Regenerate SSH keys and configure other key options for the connection to the management interface on the firewall. ...