SonicOS 7.1 High Availability Administration Guide

Configuration of HA Active/Standby

Physical Cabling

Because of the virtual MAC, if you are connecting the Primary and Backup appliances to an Ethernet switch that uses the spanning tree protocol, please be aware that it may be necessary to disable spanning tree on the switch port that the SonicWall interfaces connect to.

Example configuration

X0

The LAN (X0) interfaces are connected to a switch on the LAN network. It is important that the X0 interfaces from all units be connected to the same broadcast domain. Otherwise, traffic failover will not work. Also, X0 is the default redundant HA port; if the normal HA Control link fails, X0 is used to communicate heartbeats between units. Without X0 in the same broadcast domain, both units would become active if the HA Control link fails.

The X0 interface should always have monitoring IPs configured. If X0 is not otherwise in use in your HA environment, connect the X0 interfaces directly to each other, because an X0 interface with monitoring IPs serves as an additional HA link and improves HA sync and overall stability.
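As an added illustration (not SonicWall code) of the heartbeat behaviour described above, the following Python model shows when the standby unit takes over and why an X0 that is not in the same broadcast domain leaves both units active once the HA Control link fails. The link states and the decision rule are constructed assumptions for the model, not SonicOS internals.

```python
# Added example (not SonicWall code): models the standby unit's takeover decision
# from the heartbeat paths described in the guide (HA Control, with X0 as the
# redundant HA port). Link states are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HaLinks:
    ha_control_up: bool = True
    x0_up: bool = True
    # X0 only carries heartbeats when both units' X0 sit in one broadcast domain.
    x0_same_broadcast_domain: bool = True


def heartbeat_paths(links: HaLinks) -> List[str]:
    """Paths over which the standby can currently hear the active unit's heartbeat."""
    paths = []
    if links.ha_control_up:
        paths.append("HA Control")
    if links.x0_up and links.x0_same_broadcast_domain:
        paths.append("X0 (redundant HA port)")
    return paths


def resolve_roles(links: HaLinks) -> Dict[str, str]:
    """Roles after the standby evaluates heartbeats. The Primary keeps running in
    every case; the Secondary only takes over when it hears nothing at all."""
    if heartbeat_paths(links):
        return {"primary": "active", "secondary": "standby"}
    # No heartbeat on any path: the standby assumes the peer is gone. If the peer
    # is actually alive (only the links failed), both units end up active.
    return {"primary": "active", "secondary": "active"}


def is_split_brain(links: HaLinks) -> bool:
    roles = resolve_roles(links)
    return roles["primary"] == "active" and roles["secondary"] == "active"
```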

X1

The WAN (X1) interfaces are connected to another switch, which connects to the Internet. If your WAN interface is configured via DHCP, you must also complete the steps in HA with DHCP enabled WAN interface below.

HA Control and HA Data

High Availability requires additional physical connections among the affected SonicWall firewalls. For all modes, you need connections for HA Control and HA Data.

The dedicated HA interfaces are connected directly to each other using at least a Cat 5e cable or SFP module. Crossover cables are no longer required.

The HA control and HA data links should be configured to use separate interfaces when making the selection within SonicOS.

Once you have the physical cabling done, move on to configuring your appliance.

Configuration

Registering and Associating Firewalls on MySonicWall.com

To use High Availability, you must register both firewalls and associate them for HA on MySonicWall. When you click the link for a registered firewall in your MySonicWall page, the Service Management page displays for that firewall. At the bottom of the Service Management page, you can click the HA Secondary link under Associated Products. Then follow the instructions to select and associate the other unit for your HA Pair. For further information about registering your firewalls, see the Getting Started Guide for your firewalls.

After the firewalls are associated as an HA pair, they can share licenses. In addition to High Availability licenses, this includes the Management Service license, the Support subscription, and the security services licenses. The only licenses that are not shareable are for consulting services, such as the SonicWall GMS Preventive Maintenance Service.

The Primary and Secondary firewalls don’t have to have the same security services enabled. Security services settings will be automatically updated as part of the initial synchronization. License synchronization occurs as well so that the Secondary firewall can maintain the same protection provided before association.

MySonicWall.com provides several methods of associating the two firewalls. You can start by registering a new firewall, and then choosing an already-registered unit to associate it with. Or you can associate two units that are both already registered. You can also start the process by selecting a registered unit and adding a new firewall with which to associate it.

Even if you first register your firewalls on MySonicWall.com, you must individually register both the Primary and the Secondary firewalls from the Management Service management interface while logged into the individual management IP address of each firewall. This allows the Secondary unit to synchronize with the SonicWall license server and share licenses with the associated Primary firewall. When Internet access is restricted, you can manually apply the shared licenses to both firewalls.

HA with DHCP enabled WAN interface

To configure HA with a dynamic WAN interface

Manage | System Setup > Network > Interfaces

Configure a WAN interface as PPPoE Unnumbered.

MANAGE | System Setup > High Availability > Base Setup

Ensure Enable Stateful Synchronization is not selected. This option is not selected by default.

Ensure Enable Preempt Mode is not selected. This option is not selected by default.

Select Enable Virtual MAC. This option is not selected by default.

Click Apply.

MANAGE | System Setup > High Availability > Monitoring settings

Click the Configure icon for the PPPoE Unnumbered interface.

On the Edit HA Monitoring dialog select Enable Physical/Link Monitoring. This option is not selected by default.

Ensure the Primary Address and Secondary Address fields are set to 0.0.0.0.

Ensure none of the other checkboxes are selected.

Click OK.

Firewall Management Interface

MANAGE | System Setup > High Availability > Base Setup

HA General Tab

General Tab

On the General tab, configure the Mode as Active / Standby.

Check Enable Stateful Synchronization if your device has been licensed for that feature.

Preempt mode means that, after failover between two Cluster Nodes, the original owner node for the Virtual Group seizes the active role from the standby node after the owner node has been restored to a verified operational state. Generally, it is not needed and may add to recovery time. It is suggested to leave this unchecked unless you have a reason to enable it.

Check Enable Virtual MAC.

Virtual MAC Address

Virtual MAC allows the Primary and Backup appliances to share a single virtual MAC address. This greatly simplifies the process of updating network routing tables when a failover occurs. Only the WAN or LAN switch to which the two appliances are connected needs to be notified. All outside devices will continue to route to the single shared MAC address.

By default, this Virtual MAC address is provided by the SonicWall firmware and is different from the physical MAC address of either the Primary or Secondary Security Appliances.

Without Virtual MAC enabled, the Active and Standby Security Appliances each have their own MAC addresses. Because the Security Appliances are using the same IP address, when a failover occurs, it breaks the mapping between the IP address and MAC address in the ARP cache of all clients and network resources. The Secondary Security Appliance must issue an ARP request, announcing the new MAC address/IP address pair. Until this ARP request propagates through the network, traffic intended for the Primary Security Appliance’s MAC address can be lost.
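The following Python simulation is an added example (not SonicWall code) of the ARP behaviour described above: a LAN client keeps sending to the gateway IP across a failover, and frames are counted as lost while its ARP cache still maps the IP to a MAC the active unit no longer owns. The IP and MAC values are constructed sample values, and the propagation delay of the gratuitous ARP is a model parameter.

```python
# Added example (not SonicWall code): ARP-cache view of an HA failover with and
# without a shared Virtual MAC. All addresses below are constructed sample values.
from dataclasses import dataclass
from typing import Optional, Tuple

GATEWAY_IP = "192.0.2.1"
PRIMARY_MAC = "00:00:5e:00:01:01"    # physical MAC of the Primary (constructed)
SECONDARY_MAC = "00:00:5e:00:01:02"  # physical MAC of the Secondary (constructed)
VIRTUAL_MAC = "02:17:c5:00:00:01"    # shared virtual MAC (constructed)


@dataclass
class HaPair:
    virtual_mac_enabled: bool
    active: str = "primary"

    def active_mac(self) -> str:
        """MAC the currently active unit answers to on the shared gateway IP."""
        if self.virtual_mac_enabled:
            return VIRTUAL_MAC
        return PRIMARY_MAC if self.active == "primary" else SECONDARY_MAC

    def failover(self) -> Optional[str]:
        """Swap roles; return a gratuitous-ARP announcement only if the MAC changed."""
        old = self.active_mac()
        self.active = "secondary" if self.active == "primary" else "primary"
        new = self.active_mac()
        return new if new != old else None


def simulate(virtual_mac_enabled: bool, arp_propagation_delay: int, frames: int = 10) -> int:
    """Send one frame per tick to the gateway IP; fail over at tick 3.
    Returns how many frames were addressed to a MAC the active unit did not own."""
    pair = HaPair(virtual_mac_enabled)
    arp_cache = {GATEWAY_IP: pair.active_mac()}  # client resolved the gateway earlier
    pending: Optional[Tuple[int, str]] = None     # (tick the announcement arrives, MAC)
    lost = 0
    for tick in range(frames):
        if tick == 3:
            announce = pair.failover()
            if announce is not None:
                pending = (tick + arp_propagation_delay, announce)
        # The new unit's ARP announcement reaches this client only after the delay.
        if pending is not None and tick >= pending[0]:
            arp_cache[GATEWAY_IP] = pending[1]
            pending = None
        if arp_cache[GATEWAY_IP] != pair.active_mac():
            lost += 1
    return lost
```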

HA Devices Tab

Move to the HA Devices tab and type the serial number of the secondary device.

HA Devices Tab

HA Interfaces Tab

Move to the HA Interfaces tab and select the HA Control Interface that you chose when physically cabling the appliance. While the example uses the same cable for both, it is suggested that you use separate interfaces for HA Control and HA Data to improve performance if available.

HA Interfaces Tab under Base Setup

Active/Active DPI Interface

For Active/Active DPI, you must physically connect at least one additional interface, called the Active/Active DPI Interface, between the two firewalls in each HA pair, or Cluster Node. The connected interfaces must be the same interface number on both firewalls, and must initially appear as unused, unassigned interfaces in the Network > Interfaces page. For example, you could connect X5 on the Primary unit to X5 on the Secondary if X5 is an unassigned interface. After enabling Active/Active DPI, the connected interface will have a Zone assignment of HA Data-Link.

Certain packet flows on the active unit are selected and offloaded to the standby unit on the Active/Active DPI Interface. DPI is performed on the standby unit and then the results are returned to the active unit over the same interface.

Optionally, for port redundancy with Active/Active DPI, you can physically connect a second Active/Active DPI Interface between the two firewalls in each HA pair. This interface takes over transferring data between the two units during Active/Active DPI processing if the first Active/Active DPI Interface has a fault.

To connect the Active/Active DPI Interfaces for Active/Active DPI

Decide which interface to use for the additional connection between the firewalls in the HA pair. The same interface must be selected on each firewall.

In the Management Service management interface, navigate to the Network > Interfaces page and ensure that the Zone is Unassigned for the intended Active/Active DPI Interface.

Using a standard Ethernet cable, connect the two interfaces directly to each other.

Optionally, for port redundancy with Active/Active DPI, physically connect a second Active/Active DPI Interface between the two firewalls in each HA pair.

The dedicated DPI interfaces are connected directly to each other using at least a Cat 5e cable or SFP module. Crossover cables are no longer required.
