-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
MSS FW Best Practices: High Availability
12/11/2024 
2 People found this article helpful
9,174 Views
Description
CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changed could result in downtime based on the complexity of the environment and/or configuration.
MSS Recomended SonicWall Firewall Best Practices Index
Notes
- The Secondary unit is never licensed automatically.
- You must manually login to it via one of its Monitoring IP addresses, put in the registration code and sync its licensing with MySonicwall. If both units have been properly associated in MySonicwall it will get all licensing.
- Firewall changes requiring a reboot can easily cause an outage.
- Reason: When a change requiring a firewall reboot is made, the “Status” shown at the bottom left-hand corner of the firewall’s administration GUI changes from “Status: Ready” to “Status: Reboot…”. When this happens in a HA pair, the behavior is the Standby firewall will reboot when the change is made prior to clicking on “Status: Reboot”. So, if you click Reboot while the Standby unit is rebooting both firewalls will be unavailable, and you just brought the network down.
Recommendations
- Never enable “Preempt Mode”.
- Never use a cable shorter than 1m(3ft) for the HA links.
- Try and always use X0 and configure its Monitoring IP addresses.
- The X0 interface of each firewall must be connected (and able to communicate with each other) even if not in use.
- X0 is hardcoded in SonicOS as the backup heartbeat link.
- If no WAN interface has Monitoring IP addresses configured, it is the Secondary/Standby unit’s path to Internet for GRID and License Manager communication.
- Use the Virtual Mac option: This simply reduces ARP convergence time during a failover.
- Make sure that the Switch Ports connected to the SonicWALL Interfaces have STP (Spanning Tree Protocol) disabled. Essentially STP has a real problem with our Virtual MAC being seen on multiple interfaces and will cause a flapping effect to the firewalls.
- Use LAGs on switches for each SonicWall interface. (Separate LAG for the Switchports for each SonicWall Interface)
Configuration/Setup
- See the following KB on configuring High Availability: How to Configure High Availability (HA) | SonicWall
- If licensing is available, always enable Stateful HA. For more information on Stateful HA see the following SonicWall KB: What is a Stateful High Availability? | SonicWall
Related Articles
- MSS FW Best Practices: CLI/Console
- MSS FW Best Practices: DPI-SSL (Client)
- MSS FW Best Practices: Configuration Export & Import
Categories
- Managed Security Services > Firewall Monitoring and Management > Firewall Configuration and Best Practices
YES
NO