For redundancy and reliability, you can set up two firewalls in a High Availability (HA) cluster. During normal operations, the primary firewall is active while the secondary firewall waits in standby mode. The secondary firewall has the same configuration as the primary firewall, and it only becomes available when the primary firewall is down. The failover is reversed when the primary firewall can resume operations. Services should be configured on the secondary IP address, not the management IP address of the firewall, because only the secondary IP addresses fail over to the secondary firewall. For the same reason, use the secondary IP address as the default gateway for your clients.
To execute a failover when a firewall or networking component becomes unavailable, you can configure the monitoring of additional IP addresses and interfaces. You can also manually execute a failover. For more information, see How to Perform a Manual High Availability Failover.
Before You Begin
- If you want to join a Windows domain, you must do so on both primary and secondary firewalls before creating the HA cluster. For more information, see How to Join a Windows Domain.
- Each firewall must have its own management IP address, and both management IP addresses must be in the same subnet. Verify that the two firewalls are not using the same management IP address.
Step 1. Add Management IP Addresses to the Administrator IP/Ranges
If you restrict administrative access to the firewall by defining administrator IP addresses or networks, you must add the management IP address of the HA partner firewall to the administrator IP/Ranges list. If you are not restricting the administrator IP address (0.0.0.0 entry is present), you can skip this step.
Step 1.1 Add the Administrator IP/Range on the Primary Firewall
Add the management IP of the secondary firewall to the administrator IP addresses on the primary firewall.
- Log into the primary firewall.
- Go to BASIC > Administration.
- In the Management ACL section, enter:
- IP/Network Address – Enter the management IP address of the secondary firewall.
- Netmask – Enter 255.255.255.255
- Click Add.
Step 1.2 Add the Administrator IP/Range on the Secondary Firewall
Add the management IP of the primary firewall to the administrator IP addresses on the secondary firewall.
- Log into the secondary firewall.
- Go to BASIC > Administration.
- In the Management ACL section, enter:
- IP/Network Address – Enter the management IP address of the primary firewall.
- Netmask – Enter 255.255.255.255
- Click Add.
Step 2. Add a Secondary IP Address to the Primary Firewall
Add a secondary IP address to the primary firewall and configure the services of the firewall that are to be used from the local network to listen on this IP address. Use this secondary IP address as the default gateway for the clients in your network. In case of a failover, this IP address is transferred to the secondary firewall.
- Go to NETWORK > IP Configuration.
- Enter a Secondary IP Address and select the services that should listen on this IP address.
- Click Add.
Step 3. Enable NTP
Go to BASIC > Administration and verify that NTP is enabled on the primary firewall.
Step 4. Enable High Availability
Before you set up two firewalls in an HA cluster, ensure that both fulfill the following prerequisites:
- Both firewalls must be the same model type and revision. They must also run the same firmware version.
- The management IP addresses of both firewalls must be in the same network and subnet.
- System clocks and time zones must be accurately set on both firewalls. If they are not, HA pairing can fail.
- The Default Domain (BASIC > Administration) must be set on both firewalls.
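The prerequisite list above, together with the Management ACL entries from Step 1 and the secondary IP address from Step 2, can be checked before you start the pairing rather than discovering a mismatch when pairing fails. The following pre-flight script is an added example and is not the firewall vendor's own tooling; the Firewall dataclass, its field names, the 60-second clock-skew tolerance and the sample device values are all assumptions made for the example.

```python
# Added example: pre-flight check of the HA prerequisites before pairing.
# Not vendor tooling; the Firewall fields, the skew tolerance and all sample
# values below are assumptions constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed tolerance: the page only says clocks must be "accurately set".
MAX_CLOCK_SKEW_SECONDS = 60


@dataclass
class Firewall:
    name: str
    model: str
    revision: str
    firmware: str
    mgmt_ip: str            # management IP with prefix length, e.g. "10.10.0.1/24"
    ntp_enabled: bool
    default_domain: str
    timezone: str
    clock_utc: float        # current clock reading as seconds since the epoch


def check_ha_prerequisites(primary: Firewall, secondary: Firewall) -> List[str]:
    """Return the prerequisite violations found; an empty list means pairing may proceed."""
    problems: List[str] = []
    if (primary.model, primary.revision) != (secondary.model, secondary.revision):
        problems.append("model/revision mismatch")
    if primary.firmware != secondary.firmware:
        problems.append("firmware version mismatch")
    p_if = ipaddress.ip_interface(primary.mgmt_ip)
    s_if = ipaddress.ip_interface(secondary.mgmt_ip)
    if p_if.ip == s_if.ip:
        problems.append("both firewalls use the same management IP address")
    if p_if.network != s_if.network:
        problems.append("management IP addresses are not in the same subnet")
    if abs(primary.clock_utc - secondary.clock_utc) > MAX_CLOCK_SKEW_SECONDS:
        problems.append("system clocks differ by more than the tolerated skew")
    if primary.timezone != secondary.timezone:
        problems.append("time zones differ")
    for fw in (primary, secondary):
        if not fw.default_domain:
            problems.append(f"{fw.name}: Default Domain is not set")
    if not primary.ntp_enabled:
        problems.append(f"{primary.name}: NTP is not enabled (Step 3)")
    return problems


def management_acl_entries(primary: Firewall, secondary: Firewall) -> Dict[str, Tuple[str, str]]:
    """Step 1: the host-only (/32) Management ACL entry each firewall needs for its HA partner."""
    host_mask = "255.255.255.255"
    return {
        primary.name: (str(ipaddress.ip_interface(secondary.mgmt_ip).ip), host_mask),
        secondary.name: (str(ipaddress.ip_interface(primary.mgmt_ip).ip), host_mask),
    }


def secondary_ip_problems(primary: Firewall, secondary: Firewall, secondary_ip: str) -> List[str]:
    """Step 2: the floating secondary IP must not collide with either management IP."""
    vip = ipaddress.ip_address(secondary_ip)
    return [
        f"secondary IP {vip} collides with the management IP of {fw.name}"
        for fw in (primary, secondary)
        if ipaddress.ip_interface(fw.mgmt_ip).ip == vip
    ]


# Constructed sample inventory (not real devices).
PRIMARY = Firewall("fw-primary", "model-a", "rev-1", "1.0.0", "10.10.0.1/24",
                   True, "example.internal", "UTC", 1_700_000_000.0)
SECONDARY = Firewall("fw-secondary", "model-a", "rev-1", "1.0.0", "10.10.0.2/24",
                     True, "example.internal", "UTC", 1_700_000_012.0)

if __name__ == "__main__":
    for issue in check_ha_prerequisites(PRIMARY, SECONDARY) or ["no prerequisite violations found"]:
        print(issue)
    for fw_name, (ip, mask) in management_acl_entries(PRIMARY, SECONDARY).items():
        print(f"{fw_name}: add Management ACL entry {ip} netmask {mask}")
    print(secondary_ip_problems(PRIMARY, SECONDARY, "10.10.0.254"))
```

Run it with the two devices' values filled in from BASIC > Administration and NETWORK > IP Configuration; any line it prints corresponds to one of the prerequisites above, and the ACL entries it prints are exactly the Step 1.1 and 1.2 entries with the 255.255.255.255 netmask.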
Enable HA on the Secondary Firewall
- Log into the secondary firewall.
- Go to ADVANCED > High Availability.
- In the Setup section, click Enable High Availability.
- In the Enable High Availability window, enter the management IP address, serial number, and administrator password for the primary firewall.
- Click Enable. The HA pairing process can take several minutes. During this process, do not reload the configuration page or configure any other settings.
After the HA pairing is successful, the Disable High Availability option appears in place of the Enable High Availability option. The IP addresses and serial numbers of both HA firewalls are also displayed.
Additionally, this warning message is displayed on every configuration page of the secondary firewall:
While the secondary firewall is part of the HA cluster, you can configure only the following settings:
- ADVANCED > High Availability
- NETWORK > IP Configuration > Management IP Configuration
- NETWORK > IP Configuration > Dynamic Interface Configuration
- (If WWAN interfaces are available) NETWORK > IP Configuration, in the WWAN Interface section
Configure Monitoring
You can configure the monitoring of additional IP addresses and interfaces. If these IP addresses and interfaces become unreachable, a failover is executed.
On the ADVANCED > High Availability page, in the Monitoring section, add the Reachable IPs and Reachable Interfaces.
Verify the HA Status
To verify the HA status of the firewall, go to the ADVANCED > High Availability page and see the Status section. This section indicates if the appliance is active, standby, primary, or secondary. If the appliance is not part of an HA cluster, this section indicates that it is Stand-Alone.
This figure shows an example of the status for a firewall in an HA cluster.