It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Set Up a High Availability Cluster

  • Last updated on

For redundancy and reliability, you can set up two firewalls in a High Availability (HA) cluster. During normal operations, the primary firewall is active while the secondary firewall waits in standby mode. The secondary firewall has the same configuration as the primary firewall, and it only becomes available when the primary firewall is down. The failover is reversed when the primary firewall can resume operations. Services should be configured on the secondary IP address, not the management IP address of the firewall, because only the secondary IP addresses fail over to the secondary firewall. For the same reason, use the secondary IP address as the default gateway for your clients.

To execute a failover when a firewall or networking component becomes unavailable, you can configure the monitoring of additional IP addresses and interfaces. You can also manually execute a failover. For more information, see How to Perform a Manual High Availability Failover.

Before You Begin

  • If you want to join a Windows domain, you must do so on both primary and secondary firewalls before creating the HA cluster. For more information, see How to Join a Windows Domain.
  • Each firewall must have a management IP address in the same subnet. Verify that they are not using the same IP addresses as the management IP address.

Step 1. Add Management IP Addresses to the Administrator IP/Ranges

If you restrict administrative access to the firewall by defining administrator IP addresses or networks, you must add the management IP address of the HA partner firewall to the administrator IP/Ranges list. If you are not restricting the administrator IP address (0.0.0.0 entry is present), you can skip this step.

Step 1.1 Add the Administrator IP/Range on the Primary Firewall

Add the management IP of the secondary firewall to the administrator IP addresses on the primary firewall.

  1. Log into the primary firewall.
  2. Go to BASIC > Administration. 
  3. In the Management ACL section, enter:
    • IP/Network Address – Enter the management IP address of the secondary firewall. 
    • Netmask – Enter 255.255.255.255
  4. Click Add
Step 1.2 Add the Administrator IP/Range on the Secondary Firewall

Add the management IP of the primary firewall to the administrator IP addresses on the secondary firewall.

  1. Log into the secondary firewall.
  2. Go to BASIC > Administration. 
  3. In the Management ACL section, enter:
    • IP/Network Address – Enter the management IP address of the primary firewall. 
    • Netmask – Enter 255.255.255.255
  4. Click Add

Step 2. Add a Secondary IP Address to the Primary Firewall

Add a secondary IP address to the primary firewall and configure the services of the firewall that are to be used from the local network to listen on this IP address. Use this secondary IP address as the default gateway for the clients in your network. In case of a failover, this IP address is transferred to the secondary firewall.

  1. Go to NETWORK > IP Configuration.
  2. Enter a Secondary IP Address and select the services that should listen on this IP address.
  3. Click Add.

Step 3. Enable NTP

Go to BASIC > Administration and verify that NTP is enabled on the primary firewall.

HA_NTP.png

Step 4. Enable High Availability

Before you set up two firewalls in an HA cluster, ensure that both fulfill the following prerequisites:

  • Both firewalls must be the same model type and revision. They must also run the same firmware version.
  • The management IP addresses of both firewalls must be in the same network and subnet.
  • System clocks and time zones must be accurately set on both firewalls. If they are not, HA pairing can fail.
  • The Default Domain (BASIC > Administration) must be set on both firewalls.
Enable HA on the Secondary Firewall
  1. Log into the secondary firewall.
  2. Go to ADVANCED > High Availability.
  3. In the Setup section, click Enable High Availability.
  4. In the Enable High Availability window, enter the management IP address, serial number, and administrator password for the primary firewall.
  5. Click Enable. The HA pairing process can take several minutes. During this process, do not reload the configuration page or configure any other settings.

After the HA pairing is successful, the Disable High Availability option appears in place of the Enable High Availability option. The IP addresses and serial numbers of both HA firewalls are also displayed. 

Additionally, this warning message is displayed on every configuration page of the secondary firewall:

image2013-7-26 15:21:15.png

While the secondary firewall is part of the HA cluster, you can configure only the following settings:

  • ADVANCED > High Availability
  • NETWORK > IP Configuration > Management IP Configuration
  • NETWORK > IP Configuration > Dynamic Interface Configuration
  • (If WWAN interfaces are available) NETWORK > IP Configuration in the section WWAN Interface.

Configure Monitoring

You can configure the monitoring of additional IP addresses and interfaces. If these IP addresses and interfaces become unreachable, a failover is executed.

On the ADVANCED > High Availability page, in the Monitoring section, add the Reachable IPs and Reachable Interfaces.

Verify the HA Status

To verify the HA status of the firewall, go to the ADVANCED > High Availability page and see the Status section. This section indicates if the appliance is active, standby, primary, or secondary. If the appliance is not part of an HA cluster, this section indicates that it is Stand-Alone.

This figure shows an example of the status for a firewall in an HA cluster.

HA_status01.png

On the BASIC > Status page, you can also view the current HA status in the Services section. To see the status details, hover over High Availability.