Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Set Up a High Availability Cluster


The functionality of stand-alone and managed high availability clusters is the same. However, the configuration differs. For a stand-alone HA cluster, the primary firewall downloads the licenses for both firewalls, and when the secondary firewall is joined to the HA cluster, the license for the secondary firewall is transferred over. The licenses are bound to the MAC addresses of the primary and secondary firewall. The primary firewall is also the configuration master for all configurations, except the Network page. All configurations and session information are synced from the primary firewall to the secondary firewall. To protect against failure of network components, you can use a dedicated private link as a secondary HA connection.

Standalone HA Cluster


Before You Begin
  • Connect the primary firewall and secondary firewall to a network switch.
  • Verify that the Product Type in the Box Properties and Server Properties matches your appliance.
Step 1. (Virtual only) Verify the Product Type

Set the product type matching your license if you are using a virtual Barracuda CloudGen Firewall. This is not necessary on hardware appliances.

  1. Go to CONFIGURATION > Configuration Tree > Box > Box Properties.
  2. Click Lock.
  3. Select the model from the Product Type list, for example, CloudGen Firewall VF50.
  4. Select the model from the Hardware Model list.
  5. Click Send Changes and Activate.
Step 2. Create the DHA Firewall

On the primary firewall, create the DHA configuration for the secondary firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box.
  2. Right-click Box and select Create DHA box. At the bottom of the Config Tree, the HA Box configuration node is added.
  3. Open the HA Network page (Configuration > Full Configuration > Box > HA Box).
  4. Enter the Management IP (MIP) for the secondary firewall.
  5. Click Send Changes and Activate.
Step 3. Create the PAR File for the Secondary Firewall

On the primary firewall, export the PAR file for the secondary firewall.

  1. On the primary firewall, create the PAR file:
  2. Go to CONFIGURATION > Configuration Tree > Box.
  3. From the Config Tree, right-click Box and select Create PAR file for HA box.
  4. Save the PAR file to your local hard disk drive.
Step 4. Import the PAR File on the Secondary Firewall

On the secondary firewall, import the boxha.par PAR file created on the primary firewall:

  1. Go to CONFIGURATION > Configuration Tree > Box.
  2. From the Config Tree, right-click Box and select Restore from PAR file.
  3. Click OK.
  4. Select the boxha.par file created in Step 3 and click OK.
  5. Click Activate.
Step 5. Activate the New Network Configuration for the Secondary Firewall

On the secondary firewall, activate the network configuration.

  1. Go to CONTROL > Box.
  2. In the left navigation pane, expand Network and click Activate new network configuration.
  3. Select Failsafe as the activation mode.
  4. In the left menu, expand Operating System and click Reboot.
Step 6. Select the Active and Backup Firewall

In the virtual server settings of the primary firewall, select where the virtual server should be running.

  1. Open the Server Properties page (Configuration > Full Configuration > Box > Virtual Server > your virtual server).
  2. Click Lock.
  3. Verify that the Product Type matches your license.
  4. To run the virtual server on the primary firewall by default:
    • Active Box – Select This-Box.
    • Backup Box – Select Other-Box.
  5. To run the virtual server on the secondary firewall by default:
    • From the Active Box list, select HA-Box.
    • From the Backup Box list, select Other-Box or No-Backup if you do not want this virtual server to be part of the high availability cluster.

  6. Click Send Changes and Activate.
Step 7. Install Licenses

You must install licenses on both firewalls. For instructions, see How to Activate and License a Standalone High Availability Cluster.

Set up an HA Cluster in the Control Center

Before You Begin

Select two firewalls in the same cluster.

Set up an HA Cluster
  1. Log into the Barracuda Firewall Control Center.
  2. Open the Config page.
  3. From the Config Tree, expand Multi-Range and navigate to the cluster that contains your HA firewalls.
  4. Create a virtual server.
  5. Open the Server Properties page.
  6. In the Virtual Server Definition section, define the primary firewall and secondary firewall.
    • Primary Box – The active system.
    • Secondary Box – The HA partner.
  7. Click Send Changes and Activate.

The primary and secondary servers are created and configured as HA partners on both firewalls. 

Figure 3. Virtual Server Settings for an HA Cluster on the Control Center


Next Steps

Configure a Private Uplink

To prevent the switch that connects the primary and secondary firewalls from becoming a single point of failure for the HA cluster, configure a private uplink for HA sync. Connect both firewalls with a crossover cable. Each firewall receives an additional management IP address in the /30 subnet used for the private uplink. The HA sync can use the private uplink as an alternative to the normal connection between the management IPs, or it can use both links simultaneously.

For more information, see How to Configure a Private Uplink for a High Availability Cluster.
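The following added example (not part of the Barracuda documentation) checks a planned private uplink before it is configured: both additional management IPs must be distinct, usable host addresses of one /30. The function name, the sample addresses, and the rule that the uplink subnet must not overlap the management network are assumptions of this example.

```python
import ipaddress

def check_private_uplink(uplink_cidr, primary_ip, secondary_ip, mgmt_cidr):
    """Return a list of problems with a planned HA private uplink (empty = OK)."""
    problems = []
    # strict=True rejects a CIDR whose host bits are set (e.g. 10.255.0.1/30).
    uplink = ipaddress.ip_network(uplink_cidr, strict=True)
    mgmt = ipaddress.ip_network(mgmt_cidr, strict=True)

    # The page describes a /30 subnet for the private uplink.
    if uplink.prefixlen != 30:
        problems.append(f"{uplink} is not a /30 subnet")

    # hosts() excludes the network and broadcast addresses.
    usable = set(uplink.hosts())
    peers = {
        "primary": ipaddress.ip_address(primary_ip),
        "secondary": ipaddress.ip_address(secondary_ip),
    }
    for name, addr in peers.items():
        if addr not in usable:
            problems.append(f"{name} {addr} is not a usable host address in {uplink}")

    if peers["primary"] == peers["secondary"]:
        problems.append("primary and secondary use the same address")

    # Assumption of this example: the uplink is only an independent path
    # if its subnet is separate from the management network.
    if uplink.overlaps(mgmt):
        problems.append(f"{uplink} overlaps the management network {mgmt}")
    return problems

if __name__ == "__main__":
    # Constructed sample plan; the second call uses the /30 broadcast address.
    print(check_private_uplink("10.255.0.0/30", "10.255.0.1", "10.255.0.2", "10.0.10.0/24"))
    print(check_private_uplink("10.255.0.0/30", "10.255.0.1", "10.255.0.3", "10.0.10.0/24"))
```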

Check the Virtual Server HA Status

Check the server status on both HA firewalls to verify that the virtual servers have been correctly assigned.

  1. On the primary firewall, go to the CONTROL > Server page. In the Server Status table, verify that the virtual server is correctly assigned. The Status column must display primary. The Status HA Partner column must display standby.
  2. On the secondary firewall, go to the CONTROL > Server page. In the Server Status table, verify that the virtual server is correctly assigned. The Status column must display standby. The Status HA Partner column must display primary.

When the primary firewall goes down, the secondary firewall changes its status to primary and takes over all functions of the primary firewall. Depending on whether the primary firewall is running or down, the CONTROL > Server page displays as follows:

Primary firewall state | Secondary firewall state
[screenshot: HA_state_up_primary.png] | [screenshot: HA_state_up_secondary.png]
Not available - primary firewall is down | [screenshot: HA_state_down_secondary.png]
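The status check above can be expressed as a small consistency test, shown here as an added example that is not part of the Barracuda documentation. The column values primary and standby come from this page; the dictionary layout, the function name and the verdict labels are assumptions, and the readings are entered by hand from the Server Status table of each firewall.

```python
# Expected readings per this page: "status" is the Status column,
# "ha_partner" is the Status HA Partner column.
EXPECTED = {
    "primary firewall": {"status": "primary", "ha_partner": "standby"},
    "secondary firewall": {"status": "standby", "ha_partner": "primary"},
}

def classify_ha_state(primary_view, secondary_view):
    """Each view is a dict with 'status' and 'ha_partner', or None when that
    firewall cannot be reached. Returns (verdict, list_of_problems)."""
    if primary_view is None and secondary_view is None:
        return "outage", ["neither firewall is reachable"]
    if primary_view is None:
        # Page: when the primary goes down, the secondary changes to primary.
        if secondary_view.get("status") == "primary":
            return "failover", []
        return "outage", ["primary firewall is down and the secondary has not taken over"]
    if secondary_view is None:
        return "no-backup", ["secondary firewall is unreachable"]

    views = {"primary firewall": primary_view, "secondary firewall": secondary_view}
    problems = []
    for box, expected in EXPECTED.items():
        for column, want in expected.items():
            got = views[box].get(column)
            if got != want:
                problems.append(f"{box}: {column} is {got!r}, expected {want!r}")
    # Two active owners of one virtual server is never a valid reading.
    if primary_view.get("status") == secondary_view.get("status") == "primary":
        problems.append("both firewalls report primary for the same virtual server")
    return ("normal", []) if not problems else ("inconsistent", problems)

if __name__ == "__main__":
    # Constructed readings: healthy pair, then primary down after failover.
    up = {"status": "primary", "ha_partner": "standby"}
    sb = {"status": "standby", "ha_partner": "primary"}
    print(classify_ha_state(up, sb))
    print(classify_ha_state(None, {"status": "primary", "ha_partner": None}))
```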