Configure Active/Passive HA on AWS Using Interface Move
Complete the following procedure to configure active-passive HA using interface move mode.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
- Make sure that you have followed the prerequisites. For deploying a pair of VM-Series firewalls in HA in the AWS cloud, you must ensure the following:
  - Select the IAM role you created when launching the VM-Series firewall on an EC2 instance; you cannot assign the role to an instance that is already running. See IAM Roles for HA. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
  - DPDK is not supported on the VM-Series firewall on AWS in an interface-move HA deployment. If you have VM-Series plugin 2.0.1 or later on your firewalls, you must disable DPDK. Disabling DPDK requires the firewall to reboot. If you are using bootstrapping to deploy the VM-Series firewall, you can avoid rebooting the firewall by disabling DPDK in the init-cfg.txt file using op-cmd-dpdk-pkt-io=off. See Bootstrap the VM-Series Firewall on AWS for more information.
  - The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface. The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you will configure that dataplane interface as the HA2 interface. Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved (detached and then attached) to the now active (previously passive) firewall.
  - The HA peers must be deployed in the same AWS availability zone.
- (VM-Series plugin 2.0.1 or later) Disable DPDK on the active and passive firewalls. DPDK is enabled by default and interface-move HA mode does not support DPDK, so you must disable it, which enables Packet MMAP instead.
  - Log in to the passive firewall CLI.
  - Disable DPDK using the following command. Executing this command restarts the firewall:
    admin@PA-VM> set system setting dpdk-pkt-io off
- Enable HA.
  - Select Device > High Availability > General and edit the Setup section.
  - Select Enable HA.
  - Configure ethernet1/1 as an HA interface. This interface must be used for HA2 communication.
  - Confirm that the link state is up on ethernet1/1.
  - Click the link for ethernet1/1 and set the Interface Type to HA.
- Set up the Control Link (HA1) to use the management port.
  - Select Device > High Availability > General and edit the Control Link (HA1) section.
  - (Optional) Select Encryption Enabled for secure HA communication between the peers. To enable encryption, you must export the HA key from one device and import it into the peer device.
    - Select Device > Certificate Management > Certificates.
    - Select Export HA key. Save the HA key to a network location that the peer device can access.
    - On the peer device, navigate to Device > Certificate Management > Certificates, select Import HA key, browse to the location where you saved the key, and import it into the peer device.
- Set up the Data Link (HA2) to use ethernet1/1.
  - Select Device > High Availability > General and edit the Data Link (HA2) section.
  - Enter the IP address for ethernet1/1. This IP address must be the same as the one assigned to the ENI on the EC2 Dashboard.
  - Enter the Netmask.
  - Enter a Gateway IP address if the HA1 interfaces are on separate subnets.
  - Select IP or UDP for Transport. Use IP if you need Layer 3 transport (IP protocol number 99). Use UDP if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).
  - (Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs. You can configure the HA2 keep-alive option on both devices, or on just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.
- Set the device priority and enable preemption.
  - Select Device > High Availability > General and edit the Election Settings section.
  - Set the numerical value in Device Priority. Make sure to set a lower numerical value on the device that you want to assign a higher priority to. If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active device.
  - Select Preemptive. You must enable preemption on both the active and the passive device.
- Modify the failover timers. By default, the HA timer profile is set to the Recommended profile, which is suited for most HA deployments.
  - (Optional) Modify the wait time before a failover is triggered.
    - Select Device > High Availability > General and edit the Active/Passive Settings section.
    - Modify the Monitor fail hold up time to a value between 1 and 60 minutes; the default is 1 minute. This is the time interval during which the firewall remains active following a link failure. Use this setting to avoid an HA failover triggered by occasional flapping of neighboring devices.
- Configure the IP address of the HA peer.
  - Select Device > High Availability > General and edit the Setup section.
  - Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0), which is also the HA1 link on the other firewall.
  - Set the Group ID number between 1 and 63. Although this value is not used on the VM-Series firewall on AWS, you cannot leave the field blank.
- After you finish configuring both devices, verify that the devices are paired in active/passive HA.
  - Access the Dashboard on both devices, and view the High Availability widget.
  - On the active device, click the Sync to peer link.
  - Confirm that the devices are paired and synced, as follows:
    - On the passive device: the state of the local device should display passive and the configuration is synchronized.
    - On the active device: the state of the local device should display active and the configuration is synchronized.
- Verify that failover occurs properly.
  - Verify the HA mode:
    show plugins vm_series aws ha failover-mode
  - Verify that the packet IO mode is set to packet MMAP:
    show system setting dpdk-pkt-io
  - Shut down the active HA peer.
    - On the EC2 Dashboard, select Instances.
    - From the list, select the VM-Series firewall and click Actions > Stop.
  - Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.
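The ENI prerequisites listed at the start of this procedure and the final failover check can both be verified from the AWS side. The following is an added example, not code from the Palo Alto Networks documentation or the VM-Series plugin: it parses JSON in the shape returned by `aws ec2 describe-network-interfaces` (a constructed sample is embedded, with placeholder instance and ENI ids) and assumes device index 0 is the management ENI, index 1 is ethernet1/1 (HA2), and index 2 and above are the traffic interfaces that move on failover.

```python
import json
from collections import defaultdict

def _eni(eni_id, instance_id, index):
    """Build one entry in the shape `aws ec2 describe-network-interfaces` returns."""
    return {"NetworkInterfaceId": eni_id, "Attachment": {
        "InstanceId": instance_id, "DeviceIndex": index, "Status": "attached"}}

# Constructed samples; instance and ENI ids are placeholders, not real AWS ids.
# Assumed layout: device index 0 = management, 1 = ethernet1/1 (HA2), 2+ = traffic.
BEFORE = json.dumps({"NetworkInterfaces": [
    _eni("eni-a-mgmt", "i-active", 0), _eni("eni-a-ha2", "i-active", 1),
    _eni("eni-a-untrust", "i-active", 2), _eni("eni-a-trust", "i-active", 3),
    _eni("eni-p-mgmt", "i-passive", 0), _eni("eni-p-ha2", "i-passive", 1)]})
AFTER = json.dumps({"NetworkInterfaces": [      # layout after stopping i-active
    _eni("eni-a-mgmt", "i-active", 0), _eni("eni-a-ha2", "i-active", 1),
    _eni("eni-a-untrust", "i-passive", 2), _eni("eni-a-trust", "i-passive", 3),
    _eni("eni-p-mgmt", "i-passive", 0), _eni("eni-p-ha2", "i-passive", 1)]})

def enis_by_instance(describe_json):
    """Map instance id -> {device index: ENI id} over ENIs whose attachment is 'attached'."""
    layout = defaultdict(dict)
    for eni in json.loads(describe_json)["NetworkInterfaces"]:
        att = eni.get("Attachment") or {}
        if att.get("Status") == "attached":
            layout[att["InstanceId"]][att["DeviceIndex"]] = eni["NetworkInterfaceId"]
    return layout

def check_prerequisites(describe_json, active_id, passive_id):
    """Problems against the ENI layout the procedure requires; an empty list means OK."""
    layout = enis_by_instance(describe_json)
    active, passive = layout.get(active_id, {}), layout.get(passive_id, {})
    problems = []
    if len(active) < 3:
        problems.append(f"{active_id}: needs mgmt + at least two dataplane ENIs, has {len(active)}")
    if 1 not in active or 1 not in passive:
        problems.append("both peers need an ENI at device index 1 for HA2 (ethernet1/1)")
    if len(passive) != 2:
        problems.append(f"{passive_id}: must carry only mgmt + HA2, has {len(passive)} ENIs")
    return problems

def failover_moved(before_json, after_json, old_active, new_active):
    """True when every traffic ENI (index >= 2) that sat on the old active peer is now
    attached to the new active peer and is no longer attached to the old one."""
    before, after = enis_by_instance(before_json), enis_by_instance(after_json)
    moving = {eni for idx, eni in before[old_active].items() if idx >= 2}
    now_on_new, still_on_old = set(after[new_active].values()), set(after[old_active].values())
    return bool(moving) and moving <= now_on_new and not (moving & still_on_old)
```

Run check_prerequisites on a snapshot taken before enabling HA, then failover_moved on snapshots taken before and after stopping the active instance; a non-empty problem list or a False result points at an ENI that was not attached where this procedure expects it.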