: Configure Active/Passive HA on AWS Using a Secondary IP
Focus
Focus

Configure Active/Passive HA on AWS Using a Secondary IP

Table of Contents
End-of-Life (EoL)

Configure Active/Passive HA on AWS Using a Secondary IP

Complete the following procedure to deploy new VM-Series firewalls as an HA pair with secondary IP addresses.
Secondary IP Move HA requires VM-Series plugin 2.0.1 or later.
  1. Before you deploy the VM-Series firewalls for you HA pair, ensure the following:
    • Refer to the VPC Planning Worksheet to ensure that your VPC is prepared for the VM-Series firewall.
    • Deploy both HA peers in the same AWS availability zone.
    • Create an IAM role and assign the role to the VM-Series firewalls when you deploy the instances.
    • The active and passive firewalls must have at least four interfaces each—a management interface, an HA2 interface, an untrust interface, and a trust interface. Additionally, the trust and untrust interfaces on the active firewall must assigned a secondary IP address.
    • Verify that the network and security components are defined suitably.
      • Enable communication to the internet. The default VPC includes an internet gateway, and if you install the VM-Series firewall in the default subnet it has access to the internet.
      • Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so that it can be configured to access the internet.
      • Create a data security group that includes the firewall data interfaces. Additionally, configure the security to allow all traffic (0.0.0.0/0), so security is enforced by the firewalls. This is required to maintain existing sessions during failover.
      • Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
    • If you are bootstrapping the firewall, create the necessary S3 bucket containing the required bootstrap files.
  2. Deploy the VM-Series Firewall on AWS.
    1. (Optional) Configure a dedicated HA1 interface on each HA peer.
    2. Configure ethernet 1/1 as the HA2 interface on each HA peer.
      1. Open the Amazon EC2 console.
      2. Select Network Interface and then choose then select your network interface.
      3. Select ActionsManage IP Addresses.
      4. Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
      5. Click Yes and Update.
      6. Select ActionsChange Source/Dest. Check and select Disable.
      7. Repeat this process on the second (to be passive) HA peer.
    3. Add a secondary IP address to your dataplane interfaces on the first (to be active) HA peer.
      1. Select Network Interface and then choose then select your network interface.
      2. Select ActionsManage IP AddressesIPv4 AddressesAssign new IP.
      3. Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
      4. Click Yes and Update.
    4. Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.
      1. Select Elastic IPs and then choose then select the Elastic IP address to associate.
      2. Select ActionsAssociate Elastic IP.
      3. Under Resource Type, select Network Interface.
      4. Chose the network interface with which to associate the Elastic IP address.
      5. Click Associate.
    5. For outbound traffic inspection, add an entry to the subnet route table that sets the next hop as the firewall trust interface.
      1. Select VPCRoute Tables.
      2. Choose your subnet route table.
      3. Select ActionsEdit routesAdd route.
      4. Enter the Destination CIDR Block or IP address.
      5. For Target, enter the network interface of the firewall trust interface.
      6. Click Save routes.
    6. To use AWS Ingress Routing, create a route table and associate the internet gateway to it. Then add an entry with the next hop set as the active firewall untrust interface.
      1. Select Route TablesCreate route table.
      2. (Optional) Enter a descriptive Name tag for your route table.
      3. Click Create.
      4. Click your route table and select ActionsEdit edge associations.
      5. Select Internet gateways and choose your VPC internet gateway.
      6. Click Save.
      7. Click your route table and select ActionsEdit routes.
      8. For the Target, select Network Interface and choose the untrust interface of the active firewall.
      9. Click Save routes.
  3. Configure the interfaces on the firewall. You must configure the HA2 data link and at least two Layer 3 interfaces for your untrust and trust interfaces. Complete this workflow on the first HA peer and then repeat the steps on the second HA peer.
    1. Log in to the firewall web interface.
    2. (Optional) If you are using the management interface as HA1, you must set the interface IP Type to static and configure a DNS server.
      1. Select DeviceSetupInterfacesManagement.
      2. Set the IP Type to Static.
      3. Enter the private IP address of the primary VNIC of your VM-Series firewall instance.
      4. Click OK.
      5. Select DeviceSetupServices.
      6. Click Edit.
      7. Enter the IP address of the Primary DNS Server.
      8. Click OK.
      9. Commit your changes.
    3. Select NetworkInterfacesEthernet and click on your untrust interface. In this example, the HA2 interface is 1/1, the trust interface is ethernet 1/2, and the untrust interface is ethernet 1/3.
    4. Click the link for ethernet 1/1 and configure as follows:
      • Interface Type: HA
    5. Click the link for ethernet 1/2 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust-zone, and then click OK.
      • On the IPv4 tab, select DHCP Client.
      • Check Enable.
      • On the untrust interface, check Automatically create default route pointing to default gateway provided by server. This option tells the firewall to create a static route to a default gateway.
      • Repeat these steps for ethernet 1/3.
    6. Repeat the above steps on the passive peer.
  4. Enable HA.
    1. Select DeviceHigh AvailabilityGeneral.
    2. Edit the Setup settings.
    3. Enter the private IP address of the passive peer in the Peer HA1 IP address field.
    4. Click OK.
    5. Edit the Election Settings to specify a particular firewall to be the active peer. Enter a lower numerical Device Priority value on the active firewall. If both firewalls have the same Device Priority value, the firewall with the lowest MAC value on the HA1 control becomes the active firewall.
      Enabling preemption is not recommended.
    6. (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
    7. Edit the Data Link (HA2) to use Port ethernet 1/1 and add the IP address of active peer and the Gateway IP address for the subnet.
    8. Select IP or UDP from the Transport drop-down. Ethernet is not supported.
    9. Click OK.
    10. Commit your changes.
    11. Repeat the above steps on teh passive peer.
  5. After your finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
    1. Access the Dashboard on both firewalls and view the High Availability widget.
    2. On the active HA peer, click Sync to peer.
    3. Confirm that the firewalls are paired and synced.
      • On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
      • On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
    4. From the firewall command line interface, execute the following commands:
      • To verify failover readiness:
        show plugins vm_series aws ha state
      • To show secondary IP mapping:
        show plugins vm_series aws ha ips