Configure Active/Passive HA on AWS Using a Secondary IP

Before you deploy the VM-Series firewalls for you HA pair, ensure the following:
Refer to the VPC Planning Worksheet to ensure that your VPC is prepared for the VM-Series firewall.
Deploy both HA peers in the same AWS availability zone.
Create an IAM role and assign the role to the VM-Series firewalls when you deploy the instances.
The active and passive firewalls must have at least four interfaces each—a management interface, an HA2 interface, an untrust interface, and a trust interface. Additionally, the trust and untrust interfaces on the active firewall must assigned a secondary IP address.
Verify that the network and security components are defined suitably.
Enable communication to the internet. The default VPC includes an internet gateway, and if you install the VM-Series firewall in the default subnet it has access to the internet.
Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so that it can be configured to access the internet.
Create a data security group that includes the firewall data interfaces. Additionally, configure the security to allow all traffic (0.0.0.0/0), so security is enforced by the firewalls. This is required to maintain existing sessions during failover.
Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
If you are bootstrapping the firewall, create the necessary S3 bucket containing the required bootstrap files.
Deploy the VM-Series Firewall on AWS.
(
Optional
) Configure a dedicated HA1 interface on each HA peer.
Configure ethernet 1/1 as the HA2 interface on each HA peer.
Open the Amazon EC2 console.
Select Network Interface and then choose then select your network interface.
Select
Actions
Manage IP Addresses.
Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
Click
Yes
and
Update
.
Select
Actions
Change Source/Dest. Check
and select
Disable
.
Repeat this process on the second (to be passive) HA peer.
Add a secondary IP address to your dataplane interfaces on the first (to be active) HA peer.
Select
Network Interface
and then choose then select your network interface.
Select
Actions
Manage IP Addresses
IPv4 Addresses
Assign new IP
.
Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
Click
Yes
and
Update
.
Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.
Select
Elastic IPs
and then choose then select the Elastic IP address to associate.
Select
Actions
Associate Elastic IP
.
Under
Resource Type
, select
Network Interface
.
Chose the network interface with which to associate the Elastic IP address.
Click
Associate
.
For outbound traffic inspection, add an entry to the subnet route table that sets the next hop as the firewall trust interface.
Select
VPC
Route Tables
.
Choose your subnet route table.
Select
Actions
Edit routes
Add route
.
Enter the
Destination
CIDR Block or IP address.
For
Target
, enter the network interface of the firewall trust interface.
Click
Save routes
.
To use AWS Ingress Routing, create a route table and associate the internet gateway to it. Then add an entry with the next hop set as the active firewall untrust interface.
Select
Route Tables
Create route table
.
(
Optional
) Enter a descriptive
Name tag
for your route table.
Click
Create
.
Click your route table and select
Actions
Edit edge associations
.
Select
Internet gateways
and choose your VPC internet gateway.
Click
Save
.
Click your route table and select
Actions
Edit routes
.
For the
Target
, select
Network Interface
and choose the untrust interface of the active firewall.
Click
Save routes
.
Configure the interfaces on the firewall. You must configure the HA2 data link and at least two Layer 3 interfaces for your untrust and trust interfaces. Complete this workflow on the first HA peer and then repeat the steps on the second HA peer.
Log in to the firewall web interface.
(
Optional
) If you are using the management interface as HA1, you must set the interface IP Type to static and configure a DNS server.
Select
Device
Setup
Interfaces
Management
.
Set the
IP Type
to
Static
.
Enter the private
IP address
of the primary VNIC of your VM-Series firewall instance.
Click
OK
.
Select
Device
Setup
Services
.
Click
Edit
.
Enter the IP address of the
Primary DNS Server
.
Click
OK
.
Commit
your changes.
Select
Network
Interfaces
Ethernet
and click on your untrust interface. In this example, the HA2 interface is 1/1, the trust interface is ethernet 1/2, and the untrust interface is ethernet 1/3.
Click the link for
ethernet 1/1
and configure as follows:
Interface Type
:
HA
Click the link for
ethernet 1/2
and configure as follows:
Interface Type
:
Layer3
On the
Config
tab, assign the interface to the default router.
On the
Config
tab, expand the
Security Zone
drop-down and select
New Zone
. Define a new zone, for example trust-zone, and then click
OK
.
On the
IPv4
tab, select
DHCP Client
.
Check
Enable
.
On the untrust interface, check
Automatically create default route pointing to default gateway provided by server
. This option tells the firewall to create a static route to a default gateway.
Repeat these steps for ethernet 1/3.
Repeat the above steps on the passive peer.
Enable HA.
Select
Device
High Availability
General
.
Edit the Setup settings.
Enter the private IP address of the passive peer in the
Peer HA1 IP address field
.
Click
OK
.

Edit the
Election Settings
to specify a particular firewall to be the active peer. Enter a lower numerical
Device Priority
value on the active firewall. If both firewalls have the same Device Priority value, the firewall with the lowest MAC value on the HA1 control becomes the active firewall.
Enabling preemption is not recommended.
(
Optional
) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
Edit the Data Link (HA2) to use
Port
ethernet 1/1 and add the IP address of active peer and the
Gateway
IP address for the subnet.
Select
IP
or
UDP
from the Transport drop-down. Ethernet is not supported.

Click
OK
.
Commit
your changes.
Repeat the above steps on teh passive peer.
After your finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
Access the
Dashboard
on both firewalls and view the High Availability widget.
On the active HA peer, click
Sync to peer
.
Confirm that the firewalls are paired and synced.
On the passive firewall: the state of the local firewall should display
Passive
and the
Running Config
should show as Synchronized.
On the active firewall: the state of the local firewall should display
Active
and the
Running Config
should show as Synchronized.
From the firewall command line interface, execute the following commands:
To verify failover readiness:
show plugins vm_series aws ha state
To show secondary IP mapping:
show plugins vm_series aws ha ips