High availability (HA) refers to the hardware configuration and settings that allow the firewall to continue functioning during a power loss, disk failure, or other events.
Support for HA varies according to the device model. Check your device specifications.
Devices are deployed in a cluster to ensure continuous service. When the primary device in the cluster fails, the auxiliary takes over to prevent an interruption in firewall protection. The devices are physically connected over a dedicated HA link port.
You can check the HA status in the control center.
The process by which a device takes over when it does not receive communication from its peer within the specified time is known as device failover.
Peers in an HA cluster continuously monitor the dedicated HA link and the interfaces configured to be monitored. If any monitored port goes down, the device exits the cluster and link failover occurs.
During device failover or link failover, session failover occurs for forwarded TCP traffic that isn't passing through a proxy service. This doesn't apply to virus scanning sessions in progress, VPN sessions, UDP, ICMP, multicast, broadcast sessions, and proxy traffic.
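The three mechanisms above (device failover driven by missed keepalives, link failover driven by a monitored port going down, and the rule for which sessions survive a failover) can be modelled in a few lines. The following is an added illustration, not Sophos code and not the firewall's real implementation: the keepalive timer of 250 ms, the 16 tolerated attempts, the port names and the mapping of a failed link check to the Faulty status are assumptions chosen for the example.

```python
"""Added example (not from the product documentation): a toy model of HA
device failover, link failover and session-failover eligibility."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class HAPeerMonitor:
    """State of one cluster member as seen from its HA monitoring logic.

    keepalive_timer_s and keepalive_attempts correspond to the "Keepalive
    timer" and "Keepalive attempts" settings; the values used below are
    assumed for the example, not documented defaults.
    """
    role: str                              # "primary" or "auxiliary"
    keepalive_timer_s: float               # expected interval between keepalives
    keepalive_attempts: int                # consecutive misses tolerated
    monitored_ports: Set[str]              # interfaces configured to be monitored
    status: str = "Standby"                # Active / Standby / Standalone / Faulty
    last_keepalive: float = 0.0            # time the peer was last heard
    missed: int = 0
    port_state: Dict[str, bool] = field(default_factory=dict)

    def receive_keepalive(self, now: float) -> str:
        """A keepalive arrived over the dedicated HA link: reset the miss count."""
        self.last_keepalive = now
        self.missed = 0
        return self.status

    def tick(self, now: float) -> str:
        """Device failover check: how many keepalive intervals has the peer been silent?"""
        if self.status != "Standby":
            return self.status
        self.missed = int((now - self.last_keepalive) // self.keepalive_timer_s)
        if self.missed >= self.keepalive_attempts:
            # No communication from the peer within the allowed time: take over.
            self.status = "Active"
        return self.status

    def port_event(self, port: str, up: bool) -> str:
        """Link failover check: a monitored port going down removes the device from the cluster."""
        self.port_state[port] = up
        if port in self.monitored_ports and not up:
            # Assumed mapping: the device that leaves the cluster is reported as Faulty.
            self.status = "Faulty"
        return self.status


@dataclass
class Session:
    """Minimal description of a session, enough to decide session failover."""
    protocol: str                          # "TCP", "UDP", "ICMP", ...
    forwarded: bool                        # traffic forwarded through the firewall
    via_proxy: bool = False                # handled by a proxy service
    vpn: bool = False
    av_scan_in_progress: bool = False
    multicast_or_broadcast: bool = False


def session_fails_over(s: Session) -> bool:
    """Session failover applies only to forwarded TCP traffic not passing through a proxy."""
    if s.protocol != "TCP" or not s.forwarded:
        return False
    if s.via_proxy or s.vpn or s.av_scan_in_progress or s.multicast_or_broadcast:
        return False
    return True


def simulate_device_failover() -> List[str]:
    """Auxiliary hears nothing after t=0; status flips once 16 x 250 ms have elapsed."""
    aux = HAPeerMonitor("auxiliary", 0.25, 16, {"Port1"})   # assumed settings
    aux.receive_keepalive(now=0.0)
    return [aux.tick(now=t) for t in (1.0, 2.0, 3.0, 5.0)]


def simulate_link_failover() -> List[str]:
    """Only a monitored port going down triggers link failover."""
    aux = HAPeerMonitor("auxiliary", 0.25, 16, {"Port1"})   # assumed settings
    return [aux.port_event("Port2", up=False), aux.port_event("Port1", up=False)]


if __name__ == "__main__":
    print("device failover trace:", simulate_device_failover())
    print("link failover trace:", simulate_link_failover())
    print("forwarded TCP fails over:", session_fails_over(Session("TCP", True)))
    print("UDP fails over:", session_fails_over(Session("UDP", True)))
```

The device-failover trace stays at Standby while fewer than 16 intervals have passed and becomes Active at t=5 s; an unmonitored port going down leaves the status untouched, while a monitored one does not.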
The HA configuration status is displayed at the top of the page with the following possibilities:

| Status | Description |
|---|---|
| HA not configured | High availability is not configured on this device. |
| HA configured | High availability has been configured on this device. When high availability is configured, you can see the status of each device in the cluster. |
The devices in an HA cluster can have the following status:

| Status | Description |
|---|---|
| Active | The device is active and connected. In an active-active cluster, both the primary and auxiliary devices are shown as active. |
| Standby | The device is connected and ready for failover. This is the status of the auxiliary device in an active-passive cluster. |
| Standalone | The device isn't currently part of a high availability cluster. This could be because the connection to the auxiliary device has been lost. |
| Faulty | The device is faulty. The cluster won't work as a high availability system until the faulty node has been recovered to a working state. |
High availability configuration modes
You can configure HA in the following configuration modes:

| Mode | Description |
|---|---|
| QuickHA | QuickHA allows you to set up a high availability system with minimum configuration steps. It automatically selects default configuration values. |
| Interactive mode | Interactive mode allows you more control over the HA settings. In this mode, you can choose parameters that would otherwise be automatically selected when using QuickHA, such as the assigned virtual MAC address and peer administration settings. In this mode, the devices are configured in sequence, with the auxiliary device configured first, followed by the primary. |
When HA is active, updating the following settings won't result in downtime:
- Cluster ID
- Monitoring ports
- Peer administration port
- Using the hypervisor-assigned MAC address
- Fail back to the primary device
- Keepalive timer
- Keepalive attempts
You can connect the firewalls in an HA cluster either directly or indirectly through a switch, as shown in the network diagrams below.

- Diagram: Dedicated HA link ports connected directly over either a crossover or straight-through cable.
- Diagram: Dedicated HA link ports connected indirectly over a switch.