SonicOSX 7 Getting Started Guide for NSsp 15700

Configuring High Availability > Setting Up Unit-to-Unit HA
Table of Contents

Setting Up Unit-to-Unit HA

This section provides instructions for setting Active/Standby HA between two NSsp appliances.

Prerequisites

  • Both Primary and Secondary units must be Internet addressable and inter-accessible.
  • The Root Instance versions on each unit must be identical.
  • The composition of the Root Instances on each unit must be the same in terms of the numbers of control and data plane cores.

To configure Active Standby HA

  1. Log into the Primary appliance and navigate as shown to DEVICE | High Availability > Settings. The following display appears.

  2. For Mode, select Active/Standby.

    With Enable Preempt Mode off, select Enable Stateful Synchronization. This option is not selected by default.

    When Stateful High Availability is not enabled, session state is not synchronized between the Primary and Secondary firewalls. If a failover occurs, any session that had been active at the time of failover needs to be renegotiated.

  3. Select Enable Preempt Mode. This feature controls the behavior in which the Primary unit seizes the Active role from the Backup after it recovers from an error condition, reboots or firmware upgrades, after it successfully communicates to the backup unit that it is in a verified operational state.
  4. Select Enable Virtual MAC to allow the Primary and Secondary firewalls to share a single MAC address.

    This greatly simplifies the process of updating network ARP tables and caches when a failover occurs. This option is not selected by default.

  5. Selecting Enable Encryption for Control Communication is recommended when the HA units are not co-located.
  6. Under HA Devices, enter the Secondary firewall serial number. The serial number for the Primary is dimmed out and cannot be changed.
  7. Under HA Interfaces, select the interface for the HA Control Interface. This option is dimmed and the interface displayed if the firewall detects that the interface is already configured.
  8. Select the interface for the HA Data Interface. This option is dimmed and the interface displayed out if the firewall detects that the interface is already configured.
  9. When finished with all High Availability configuration, click ACCEPT. All settings are synchronized to the Secondary firewall, and the Secondary firewall reboots.