VRRP+NAT in hot standby deployment on the USG2000&5000

3

For the complete configuration example, see "Combining Dual-System Hot Backup with NAT" in the USG2000/5000 product documentation.

Other related questions:
Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000
Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000 are as follows: As for software version upgrade in hot standby deployment, you shall comply with a primary principle. That is, you shall upgrade the active and standby devices individually and upgrade the standby device first and then the active device. In addition, you must disable the HRP function during the upgrade. Note: For software version upgrade in hot standby deployment, the target software versions of the active and standby devices must be the same. Otherwise, the HRP function may fail to be enabled simultaneously. Hardware restrictions Currently, hot standby can be implemented only between two devices. The active and standby devices must have the same product model and version. The active and standby devices must have the same number and types of boards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover. If you want to use a Layer-2 interface as a heartbeat interface, add the Layer-2 interface to a VLAN. Then create a VLANIF interface and configure an IP address for it. Use the VLANIF interface as a heartbeat interface and specify remote to specify the IP address of the heartbeat interface on the remote device. Software restrictions The active and standby devices must use the same software version. Otherwise, configuration commands or session list structures of the different software versions may be different. In this case, errors may occur on the active and standby devices when you back up configuration commands and status. The BootROM versions on the active and standby devices must be the same. The operating mode of the active and standby devices must be the same, that is, both the active and standby devices must be in firewall mode or UTM mode. You are advised to use the initial configuration file on both devices. Otherwise, faults may occur after the active/standby switchover because of configuration conflicts. The names, quantities, and configuration sequence of virtual firewalls on the active and standby devices must be the same. The interfaces on the same slot of the active and standby devices must be added to the same security zone. For example, if the GigabitEthernet0/0/1 interface on the active device is added to the Trust zone, the GigabitEthernet0/0/1 interface on the standby device must also be added to the Trust zone. Configurations of heartbeat interfaces (HRP heartbeat link) on the active and standby devices must be consistent. Note: The USG2110-X/2100 and USG2100 BSR/HSR do not support the function of specifying the heartbeat interface IP address of the peer device. Therefore, you cannot use the VLANIF interface as the heartbeat interface. The service interfaces of the active and standby devices use fixed IP addresses. Therefore, you cannot use the dual-system hot backup function together with functions for obtaining IP address automatically, such as PPPoE dial-up, DHCP client, 3G, and XDSL.

Whether the standby device in hot standby deployment can be configured
By default, configurations that can be backed up can be configured only on the active device and automatically synchronized to the standby device. You cannot configure them on the standby device. After you run the hrp slave config enable command on the active device, the standby device obtains the permission for configuring these commands when this command is backed up to the standby device. The configurations on the standby device are also synchronized to the active device. Configurations that cannot be backed up, such as interface IP addresses, can be configured on the standby device.

Hot standby IPSec configuration on the USG2000 series
The USG supports hot standby IPSec. For the configuration method, see the example in the product documentation: IPSec gateway hot standby.

Concepts of configuring active and standby firewalls
On a load balancing network, to enable both devices to work in master state, consider the following issues: How to back up information between the devices? Which commands need to be backed up? Which is the backup direction? To avoid errors during the backup, the USG introduces the concept of designated active and standby devices. The firewall that sends backup configurations is called the designated active device (whose system name starts with "HRP_M"), and the firewall that receives backup configurations is called the designated standby device (whose system name starts with "HRP_S"). A firewall must meet the following requirements to become the designated active device: In the VRRP group, only the firewalls in master state have the chance to be the designated master device. In load balancing mode, the two hot standby USGs are both master devices. In this case, the designated master device is selected according to the priorities of the VRRP groups and the descending order of the real IP addresses of the heartbeat interfaces. The switchover between designated active and standby devices is not implemented unless a fault occurs on the designated active device or the designated active device quits the VRRP group for the stability of the designated active device.

TSM interworking in USG2000/5000 hot standby in-path mode
This example describes the typical network and configuration method for TSM interworking in USG2000/5000 hot standby in-path mode. The networking requirements of this example are as follows: A company deploys a TSM server group and USG firewalls in hot standby mode. Requirements are as follows: ?wo TSM Controllers are deployed. If the USGs cannot interwork with both TSM Controllers, the USGs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted. ?erminal hosts in the company network have the TSM proxy software installed. To authenticate guests, the NGFWs must be configured to authenticate end users on the web UI, who do not have the TSM proxy software installed. ?sers in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not resources in the post-authentication domain. ?f an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top