Migrate Active/Passive HA on AWS to Interface Move Mode

Learn more about migrating from secondary-IP mode to interface-move mode on the VM-Series firewall on AWS.
Complete the following procedure to migrate your existing VM-Series firewall HA pair from secondary-IP HA to interface-move HA.
  1. Disable DPDK support on the passive HA peer. Interface-move HA mode does not support DPDK, so you must disable it, which enables Packet MMAP instead.
    1. Log in to the passive firewall CLI.
    2. Disable DPDK using the following command. Executing this command restarts the firewall.
      admin@PA-VM> set system setting dpdk-pkt-io off
  2. Disable DPDK support on the active HA peer.
    1. Log in to the active firewall CLI.
    2. Disable DPDK using the following command. Executing this command restarts the firewall.
      admin@PA-VM> set system setting dpdk-pkt-io off
      Restarting the firewall will impact traffic.
  3. Change the HA mode on the active peer from secondary-IP mode to interface-move mode.
    1. Access the VM-Series firewall CLI on the active peer.
    2. Execute the following command.
      request plugins vm_series aws ha failover-mode interface-move
    3. Commit your changes.
    4. Confirm your HA mode by executing the following command.
      show plugins vm_series aws ha failover-mode
    5. Repeat this command on the passive peer.
  4. Delete the data interfaces from the passive firewall instance.
    1. Log in to the AWS EC2 console.
    2. Select Network Interfaces.
    3. Select a data interface on the passive firewall instance and click Delete.
    4. In the Delete Network Interface window, click Yes, Delete.
    5. Repeat this process for each data interface on the passive firewall instance.
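
The following is an added example, not part of the original procedure or of any Palo Alto Networks tooling: a dry-run check for step 4 that reads the JSON from `aws ec2 describe-network-interfaces --output json` and lists which interfaces on the passive instance would be removed, without touching the active peer. The function name, the instance and interface IDs, and the default that device indexes 0 and 1 are the management and HA interfaces to keep are assumptions; adjust them to your deployment.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-interfaces` output.
# All IDs are placeholders, not values from a real account.
SAMPLE = json.loads("""{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-p0", "Status": "in-use", "Attachment":
  {"InstanceId": "i-passive-example", "DeviceIndex": 0, "AttachmentId": "eni-attach-p0"}},
 {"NetworkInterfaceId": "eni-p1", "Status": "in-use", "Attachment":
  {"InstanceId": "i-passive-example", "DeviceIndex": 1, "AttachmentId": "eni-attach-p1"}},
 {"NetworkInterfaceId": "eni-p3", "Status": "in-use", "Attachment":
  {"InstanceId": "i-passive-example", "DeviceIndex": 3, "AttachmentId": "eni-attach-p3"}},
 {"NetworkInterfaceId": "eni-p2", "Status": "in-use", "Attachment":
  {"InstanceId": "i-passive-example", "DeviceIndex": 2, "AttachmentId": "eni-attach-p2"}},
 {"NetworkInterfaceId": "eni-a2", "Status": "in-use", "Attachment":
  {"InstanceId": "i-active-example", "DeviceIndex": 2, "AttachmentId": "eni-attach-a2"}},
 {"NetworkInterfaceId": "eni-spare", "Status": "available"}
]}""")


def plan_data_eni_removal(described, passive_id, active_id, keep_indexes=(0, 1)):
    """Split the passive peer's ENIs into (keep, remove). Read-only: deletes nothing."""
    # keep_indexes is an assumption (management and HA interfaces), set by the operator.
    if passive_id == active_id:
        raise ValueError("passive and active instance IDs must differ")
    keep, remove = [], []
    for eni in described["NetworkInterfaces"]:
        att = eni.get("Attachment") or {}
        if att.get("InstanceId") != passive_id:
            continue  # unattached, or attached to the active peer or another instance
        entry = {
            "eni": eni["NetworkInterfaceId"],
            "device_index": att["DeviceIndex"],
            # EC2 deletes only detached ENIs, so record the attachment to detach first.
            "detach_first": att["AttachmentId"] if eni["Status"] == "in-use" else None,
        }
        (keep if att["DeviceIndex"] in keep_indexes else remove).append(entry)
    if not keep:
        raise RuntimeError("no interface matched keep_indexes; re-check the inputs")
    return keep, sorted(remove, key=lambda e: e["device_index"])


if __name__ == "__main__":
    kept, doomed = plan_data_eni_removal(SAMPLE, "i-passive-example", "i-active-example")
    for e in kept:
        print("keep  ", e["eni"], "device index", e["device_index"])
    for e in doomed:
        print("remove", e["eni"], "device index", e["device_index"], "detach", e["detach_first"])
```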
