Two-layer HA pairs can be deployed by manually pushing the primary and secondary configuration to the ZTD service using different Zero Touch matchers. In this case, a configuration is individually deployed to a certain appliance. An HA pair can also be deployed to the ZTD service by using the same matching condition, e.g., the same public IP address. In this case, the two appliances contact the ZTD service with the same public IP, and, at random, one appliance becomes the primary box and the other one the secondary box. If this random assignment is not desired, sequential Zero Touch Deployment is the solution.
Sequential HA Zero Touch Deployment can be enabled globally or specifically for ranges or clusters. When this feature is used, only the primary configuration must be pushed to the ZTD service. The completion of the deployment of the primary firewall automatically triggers the push of the secondary configuration to the ZTD service, using the same matching condition.
The following deployment steps give an example of sequential HA Zero Touch Deployment:
1. The configuration of the primary box of an HA-enabled firewall on the Control Center is pushed to the ZTD service using a public IP matching condition. For more information, see How to Configure a Firewall for Zero Touch Deployment.
2. The appliance that should become the primary box is plugged in at the site and receives the configuration from the ZTD service, based on the public IP address of the connection.
3. The completion of the Zero Touch Deployment of the primary box triggers the push of the secondary configuration, using the same public IP address as the matching condition.
4. As soon as the primary box is successfully connected, the appliance that should become the secondary box is plugged in at the site.
5. The appliance contacts the ZTD service with the same public IP address. The configuration pushed in Step 3 is applied to the appliance.
6. The HA pair is successfully deployed.
General Information on ZTD and High Availability
Every Barracuda CloudGen Firewall has a box key that is necessary for successfully establishing a connection from the firewall to the Control Center. For this reason, the box key is part of the minimal PAR file that is pushed to the ZTD service and received by the appliance. To ensure that such an important secret is shared only between the Control Center (CC) and the firewall and never leaves the company infrastructure, this key is regenerated when the appliance connects to the Control Center for the first time. The connected appliance receives a complete configuration update with the new key and, from then on, is connected using the new key.
An HA pair shares the same box key. When deployed via ZTD, the key is regenerated only when the primary box completes its Zero Touch Deployment, not when the secondary box completes it. As a consequence, if an HA pair is deployed at the same time, everything will work automatically and no manual action is needed.
If a connected box is transformed into an HA pair, or if the primary box is already deployed and completed, the secondary box can be deployed using Zero Touch Deployment, but the key regeneration must be triggered manually. It is recommended to push the configuration of the secondary box to Zero Touch Deployment and, immediately afterwards, to regenerate the box key for the HA pair. The connected primary box will receive an update; the secondary box, which is still in deployment, will be able to connect with the old key and will receive the updated new key immediately after connecting to the Control Center.
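As an added illustration (not Barracuda's code and not part of this article), the following Python model replays the matcher behaviour described in the deployment steps above together with the box-key handling of this section: two configurations waiting behind one public-IP matcher are handed out in random order, sequential mode holds the secondary configuration back until the primary completes, the key is regenerated only on primary completion, and a box that is still in deployment connects with the key from its minimal PAR file and is updated to the regenerated one. The names (ZtdService, ControlCenter, plug_in, deploy_pair, add_secondary_later), the 203.0.113.10 site address, the key format and the rule that the Control Center accepts the previous key from a box still in deployment are assumptions made for this model.

```python
# Added illustrative model of ZTD matcher dispatch for HA pairs and of box-key
# regeneration on first connect. Not Barracuda's code: class/function names, the
# "accept the previous key from a box still in deployment" rule and the
# constructed key/IP values are assumptions made for this example.
import random


class ControlCenter:
    """Holds the HA pair's shared box key and regenerates it on primary completion."""

    def __init__(self, rng):
        self.rng = rng
        self.key = self._new_key()
        self.previous_key = None
        self.in_deployment = set()  # box names whose ZTD deployment is still pending

    def _new_key(self):
        return "key-%08x" % self.rng.getrandbits(32)  # constructed key format

    def regenerate_key(self):
        self.previous_key, self.key = self.key, self._new_key()

    def connect(self, box, presented_key):
        """Return the key the box uses from now on, or None if the connection is rejected."""
        if presented_key == self.key:
            return self.key
        # Assumption: a box still in deployment may present the key from its
        # minimal PAR file and is then updated to the regenerated key.
        if presented_key == self.previous_key and box in self.in_deployment:
            return self.key
        return None


class ZtdService:
    """Dispatches pushed configurations to appliances by matching condition (public IP)."""

    def __init__(self, cc, rng, sequential):
        self.cc, self.rng, self.sequential = cc, rng, sequential
        self.pending = {}    # public_ip -> configurations waiting behind that matcher
        self.held_back = {}  # primary box name -> (public_ip, secondary configuration)

    def push(self, public_ip, config):
        config = dict(config, key=self.cc.key)  # the minimal PAR file carries the current key
        self.pending.setdefault(public_ip, []).append(config)
        self.cc.in_deployment.add(config["box"])

    def push_pair(self, public_ip, primary, secondary):
        self.push(public_ip, primary)
        if self.sequential:  # secondary is pushed only once the primary completes
            self.held_back[primary["box"]] = (public_ip, secondary)
        else:
            self.push(public_ip, secondary)

    def fetch(self, public_ip):
        queue = self.pending.get(public_ip, [])
        if not queue:
            return None
        # Two configurations behind one matcher: which appliance gets which is random.
        return queue.pop(self.rng.randrange(len(queue)))

    def complete(self, config):
        """Appliance finished ZTD; returns the key it is connected with afterwards."""
        if config["role"] == "primary":
            self.cc.regenerate_key()  # regenerated on primary completion only
            if config["box"] in self.held_back:
                self.push(*self.held_back.pop(config["box"]))  # triggers the secondary push
        self.cc.in_deployment.discard(config["box"])
        return self.cc.key  # the connected box receives the update with the new key


def plug_in(ztd, public_ip):
    """One appliance contacts the ZTD service; returns (role, ends_with_current_key) or None."""
    cfg = ztd.fetch(public_ip)
    if cfg is None:
        return None  # nothing pushed for this matcher yet
    granted = ztd.cc.connect(cfg["box"], cfg["key"])
    if granted is None:
        return (cfg["role"], False)
    final_key = ztd.complete(cfg)
    return (cfg["role"], final_key == ztd.cc.key)


def deploy_pair(sequential, seed, site_ip="203.0.113.10"):
    """Appliance A is plugged in and finishes; then appliance B is plugged in."""
    rng = random.Random(seed)
    ztd = ZtdService(ControlCenter(rng), rng, sequential)
    ztd.push_pair(site_ip, {"box": "fw-1", "role": "primary"},
                  {"box": "fw-2", "role": "secondary"})
    return {"A": plug_in(ztd, site_ip), "B": plug_in(ztd, site_ip)}


def add_secondary_later(seed, site_ip="203.0.113.10"):
    """Primary already connected: push the secondary configuration, then regenerate manually."""
    rng = random.Random(seed)
    cc = ControlCenter(rng)
    ztd = ZtdService(cc, rng, sequential=True)
    ztd.push(site_ip, {"box": "fw-2", "role": "secondary"})  # PAR file holds the old key
    cc.regenerate_key()  # manual regeneration immediately after the push
    return plug_in(ztd, site_ip)
```

Running deploy_pair(True, seed) returns A as primary and B as secondary for every seed, while deploy_pair(False, seed) assigns the roles in either order depending on the seed, which is the random assignment the text describes. add_secondary_later shows the manual procedure: the secondary presents the old key, is accepted because it is still in deployment, and ends up on the regenerated key.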