It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see for further information on our EoS policy.

How to Set Up a High Availability Cluster

  • Last updated on

Both of the systems that you set up in a high availability (HA) cluster must be the same model and firmware version. For instructions on how to configure an HA cluster using different revisions of the same appliance model, see How to Restore a Configuration on Appliances After an RMA.

A high availability (HA) cluster can transparently failover to the secondary unit if your primary unit goes down unexpectedly or requires maintenance. You can set up an HA cluster on a Barracuda NG Control Center or a standalone HA cluster. A standalone HA cluster includes two standalone Barracuda NG Firewalls or two Barracuda NG Control Centers.

To protect against failure of network components, you can use a dedicated private link as a secondary HA connection.

In this article:

Standalone Barracuda NG Firewall HA Cluster


Before you Begin
  • Connect the primary unit and secondary unit to a network switch.
  • Verify the Product Type in the Box Properties and Server Properties match your appliance.
  • Verify that the Product Name of the primary NG Firewall is different from the Product Name of the secondary NG Firewall.
Step 1. (Virtual NG Firewalls only) Verify the Product Type

Set the product type matching your license if you are using a virtual Barracuda NG Firewall. This is not necessary on hardware appliances.

  1. Open the Box Properties page (Configuration > Full Configuration > Box).
  2. Click Lock.
  3. Select the Barracuda NG Firewall Model from the Product Type list. E.g., NG Firewall VF50
  4. Select the Barracuda NG Firewall Model from the Hardware Type list.
  5. Click Send Changes and Activate.
Step 2. Create the DHA Unit

On the primary unit, create DHA configuration for the secondary unit.

  1. Open the Configuration > Full Configuration page.
  2. Right-click Box and select Create DHA box. At the bottom of the Config Tree, the HA Box configuration node is added.
  3. Open the HA Network page (Configuration > Full Configuration > Box > HA Box).
  4. Enter the Management IP (MIP) for the secondary unit.
  5. Click Send Changes and Activate.
Step 3. Create the PAR File for the Secondary Unit

On the primary unit, export the PAR file for the secondary unit.

  1. On the primary unit, create the PAR file:
  2. Go to the Config>Full Config page.
  3. From the Config Tree, right-click Box and select Create PAR file for HA box.
  4. Save the PAR file to your local hard disk drive.
Step 4. Import the PAR File on the Secondary Unit

On the secondary unit, import the boxha.par PAR file created on the primary unit:

  1. Open the Configuration > Full Configuration page.
  2. From the Config Tree, right-click Box and select Restore from PAR file.
  3. Click OK.
  4. Select the boxha.par file created in Step3 and click OK.
  5. Click Activate.
Step 5. Activate the New Network Configuration for the Secondary Unit

On the secondary unit, activate the network configuration.

  1. Go to the Control Box page.
  2. In the left navigation pane, expand Network and click Activate new network configuration.
  3. Select Failsafe as the activation mode.
  4. In the left menu, expand Operating System and click Reboot.
Step 6. Select the Active and Backup Unit on the Primary Unit

In the virtual server settings of the primary unit, select where the virtual server should be running.

  1. Open the Server Properties page (Configuration > Full Configuration > Box > Virtual Server > your virtual server).
  2. Click Lock.
  3. Verify that the Product Type matches your license.
  4. To run the virtual server on the primary unit per default:
    1. Active Box – Select This-Box.
    2. Backup Box – Select Other-Box.
  5. To run the virtual server on the secondary unit per default:
  6. Click Send Changes and Activate.
Step 7. Install Licenses

You must install licenses on both units. For instructions, see How to Activate and License a Barracuda NG High Availability Cluster.

Set Up an HA Cluster in the Barracuda NG Control Center

Before you Begin

Select two Barracuda NG Firewalls in the same cluster.

Set up an HA Cluster
  1. Log into the Barracuda NG Control Center.
  2. Open the Config page.
  3. From the Config Tree, expand Multi-Range and navigate to the cluster that contains your HA units.
  4. Create a virtual server.
  5. Open the Server Properties page.
  6. In the Virtual Server Definition section, define the primary unit and secondary unit.
    • Primary Box – The active system.
    • Secondary Box – The HA partner.
  7. Click Send Changes and Activate.

The primary and secondary servers are created and configured as HA partners on both units. 

Figure 3. Virtual Server Settings for an HA Cluster on the Barracuda NG Control Center


Configure a Private Uplink

After setting up an HA cluster, you can also configure a private uplink for it. For the private uplink, you must configure a 2-bit network as a subnet and provide exclusive network devices for the private uplink.

To configure a private uplink, complete the following steps on the primary unit:

These steps use the example IP addresses from the following figure:

Figure 4. HA Cluster with Private Uplink


Before You Begin

To avoid any errors when you configure the private uplink, connect the primary unit and secondary unit with a crossover cable.

Step 1. Define Alternative HA IP Addresses
  1. Open the Network page (Config > Full Config > Box > Network).
  2. Click Lock.
  3. From the Configuration Mode menu in the left navigation pane, click Switch to Advanced View.
  4. In the Additional Local IPs section, add the IP address for the unit in the additional subnet. For example,
  5. From the Responds to Ping and Management IP lists, select yes.
  6. Click OK.
  7. Click Send Changes and Activate.
Step 2. Activate the Private Uplink
  1. Open the Control page (Config > Full Config > Box > Infrastructure Services).
  2. Click Lock.
  3. In the HA Monitoring Parameters section, add entries for the primary unit and secondary unit. In each entry, specify these settings:
    • Translated HA IP – Enter the original management IP address (for example:
    • Alternative HA IP– Enter the additional local network IP of the unit (for example:
  4. Click OK.
  5. Click Send Changes and Activate.

Figure 5. HA Monitoring Settings on Both HA Units

Step 3. Add the Alternative HA IP to the ACL List

To grant administrative access rights for alternative HA IP address usage, add the alternative HA IP address to the ACL list:

  1. Open the Administrative Settings page (Config > Full Config > Box > Administrative Settings).
  2. Click Lock.
  3. In the Access Control List section, add the alternative HA IP address.
  4. Click Send Changes and Activate.

Check Virtual Server HA Status

 Check the server status on both HA units to verify that the virtual servers have been correctly assigned.

  1. On the primary unit:
    • Go to the Control Server page.
    • In the Server Status table, verify that the virtual server is correctly assigned. The Status column must display primary. The Status HA Partner column must display standby.
  2. On the secondary unit:
    • Go to the Control Server page.
    • In the Server Status table, verify that the virtual server is correctly assigned. The Status column must display standby. The Status HA Partner column must display primary.

When the primary unit goes down, the secondary unit changes its status to primary and replaces the primary unit with all its functionalities. Depending on whether your primary unit is running or down, the Control Server page displays as follows:

Primary Unit StateSecondary Unit State
N/A - Primary unit downHA_state_down_secondary.png
Last updated on