It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure a Private Uplink for a High Availability Cluster

  • Last updated on

After setting up an HA cluster, you can also configure a private uplink to safeguard against failure of the switch connecting the two HA units. For the private uplink, you must configure a network (at least 2-bit) as a subnet and configure the CloudGen Firewall to use this connection to send the HA sync packets.

The configuration of the private uplink must be done on the primary firewall for the HA pair. The configuration is automatically transmitted to the secondary firewall.

ha_uplink_80.png

Before You Begin

  • Barracuda Networks recommends directly connecting both firewalls with a network cable for the private uplink.

  • A /30 network is required. E.g., 172.16.16.0/30

Step 1. Define the Alternative HA IP Addresses for the Primary and Secondary Firewall

  1. Log into the primary firewall.

  2. Go to CONFIGURATION > Configuration Tree > Box > Network.

  3. Click Lock.

  4. In the left menu, expand the Configuration Mode section and click Switch to Advanced View.

  5. Click + to add the private IP address as an Additional Local IP. The IP Address Configuration window opens.

    • Interface – Select the interface the crossover cable is connected to. 

    • IP Address – Enter the Alternative HA IP address for the unit. E.g., 172.16.16.1

    • Associated Netmask – Select /30.

    • Responds to Ping – Set to yes.

    • Management IP – Set to yes.

Private_Uplink_02.png
  1. Click OK.

  2. Click Send Changes and Activate.

Step 2. Activate the Private Uplink

For the HA sync to work over the private link, you must associate the private link IPs with the corresponding management IP addresses. The UI label Translated HA IP stands for the management IP address of each firewall in HA pair. The UI label Alternative HA IP stands for the respective private uplink IP address.

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Control.

  2. Click Lock.

  3. In the HA Monitoring Parameters section, add entries for the primary unit and secondary unit:

    • Translated HA IP – Enter the management IP address E.g., 10.0.10.20 for the primary unit 

    • Alternative HA IP – Enter the additional local network IP of the unit. E.g., 172.16.16.1 for the primary unit

    • Usage Policy – Select from the following options:

      • Use-Both – Sends the HA sync and heartbeat over both the management IP link and the private uplink.

      • Use-Alternative-Only – Sends the HA sync and heartbeat only over the private uplink.

      • Disabled – The HA sync and heartbeat are sent over the management IP link only.

    Private_Uplink_03.png
Private_Uplink_04.png
  1. Click OK.

  2. Click Send Changes and Activate.

Step 3. Add the Alternative HA IP Address to the ACL List

To grant administrative access rights for Alternative HA IP address usage, add the Alternative HA IP address to the ACL list.

  1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.

  2. Click Lock.

  3. Add the /30 network containing the alternative HA IP addresses.

Private_Uplink_05.png
  1. Click Send Changes and Activate.

Step 4. Activate the Network Configuration

Activate the network configuration on the primary and secondary CloudGen Firewall.

  1. Go to CONTROL > Box.

  2. In the menu, expand Network and click Activate new network configuration.

Standalone_HA_06.png
  1. Select Failsafe as the activation mode.