Configure Active/Passive HA on AWS

  1. Make sure that you have followed the prerequisites.
    For deploying a pair of VM-Series firewalls in HA in the AWS cloud, you must ensure the following:
    • Select the IAM role you created when launching the VM-Series firewall on an EC2 instance; you cannot assign the role to an instance that is already running. See IAM Roles for HA.
      For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
    • The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface.
      The passive firewall in the HA pair, must have one ENI for management, and one ENI that functions as dataplane interface; you will configure the dataplane interface as an HA2 interface.
      Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved —detached and then attached—to the now active (previously passive) firewall.
    • The HA peers must be deployed in the same AWS availability zone.
  2. Enable HA.
    1. Select
      Device
      High Availability
      General
      , and edit the Setup section.
    2. Select
      Enable HA
      .
  3. Configure ethernet 1/1 as an HA interface. This interface must be used for HA2 communication.
    1. Select
      Network
      Interfaces
      .
    2. Confirm that the link state is up on ethernet1/1.
    3. Click the link for ethernet1/1 and set the
      Interface Type
      to HA.
      set_interface_as_HA.PNG
  4. Set up the Control Link (HA1) to use the management port.
    1. Select
      Device
      High Availability
      General
      , and edit the Control Link (HA1) section.
      HA_control_link.AWS.PNG
    2. (
      Optional
      ) Select
      Encryption Enabled
      , for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
      1. Select
        Device
        Certificate Management
        Certificates
        .
      2. Select
        Export HA key
        . Save the HA key to a network location that the peer device can access.
      3. On the peer device, navigate to
        Device
        Certificate Management
        Certificates
        , and select
        Import HA key
        to browse to the location that you saved the key and import it in to the peer device.
  5. Set up the Data Link (HA2) to use ethernet1/1.
    1. Select
      Device
      High Availability
      General
      , edit the Data Link (HA2) section.
    2. Select
      Port
      ethernet1/1.
    3. Enter the IP address for ethernet1/1. This IP address must be the same that assigned to the ENI on the EC2 Dashboard.
    4. Enter the
      Netmask
      .
    5. Enter a
      Gateway
      IP address if the HA1 interfaces are on separate subnets.
    6. Select
      IP
      or
      UDP
      for
      Transport
      . Use
      IP
      if you need Layer 3 transport (IP protocol number 99). Use
      UDP
      if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).
      HA_data_link_AWS.PNG
    7. (
      Optional
      ) Modify the
      Threshold
      for
      HA2 Keep-alive
      packets. By default,
      HA2 Keep-alive
      is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs.
      You can configure the
      HA2 keep-alive
      option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.
  6. Set the device priority and enable preemption.
    Use this setting if you want to make sure that a specific device is the preferred active device. For information, see Device Priority and Preemption.
    1. Select
      Device
      High Availability
      General
      and edit the Election Settings section.
    2. Set the numerical value in
      Device Priority
      . Make sure to set a lower numerical value on the device that you want to assign a higher priority to.
      If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active device.
    3. Select
      Preemptive
      .
      You must enable preemptive on both the active and the passive device.
    4. Modify the failover timers. By default, the HA timer profile is set to the
      Recommended
      profile and is suited for most HA deployments.
  7. (
    Optional
    ) Modify the wait time before a failover is triggered.
    1. Select
      Device
      High Availability
      General
      and edit the Active/Passive Settings.
    2. Modify the
      Monitor fail hold up time
      to a value between 1-60 minutes; default is 1 minute. This is the time interval during which the firewall will remain active following a link failure. Use this setting to avoid an HA failover triggered by the occasional flapping of neighboring devices.
  8. Configure the IP address of the HA peer.
    1. Select
      Device
      High Availability
      General
      , and edit the Setup section.
    2. Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0), which is also the HA1 link on the other firewall.
    3. Set the
      Group ID
      number between 1 and 63. Although this value is not used on the VM-Series firewall on AWS, but cannot leave the field blank.
  9. Configure the other peer.
    Repeat steps 3 to 9 on the HA peer.
  10. After you finish configuring both devices, verify that the devices are paired in active/passive HA.
    1. Access the
      Dashboard
      on both devices, and view the
      High Availability
      widget.
    2. On the active device, click the
      Sync to peer
      link.
    3. Confirm that the devices are paired and synced, as shown below:
      • On the passive device: The state of the local device should display
        passive
        and the configuration is
        synchronized
        .
        HA_configured_passive.PNG
      • On the active device: The state of the local device should display
        active
        and the configuration is
        synchronized
        .
        HA_configured_passive.PNG
  11. Verify that failover occurs properly.
    1. Shut down the active HA peer.
      1. On the EC2 Dashboard, select
        Instances
        .
      2. From the list, select the VM-Series firewall and click
        Actions
        Stop
        .
    2. Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.

Related Documentation