Configuring preemption mode for hot standby on the USG2000&5000

Configure the preemption function for the hot standby VGMP group on the USG as follows:
hrp preempt

Command function

The hrp preempt command enables the preemption function for the VGMP group and configures the preempt delay of the VGMP group.
The undo hrp preempt command disables the preemption function for the VGMP group.

Syntax

hrp preempt [ delay interval ]
undo hrp preempt

Parameter description
interval indicates the preemption delay of the VGMP group. The value ranges from 0 to 1800, in seconds.

View

System view

Usage guide

The preemption function of the VGMP group is enabled by default, and the default preemption delay is 30 seconds.

Example

# Set the preemption delay of the VGMP group to 100 seconds.
<sysname> system-view
[sysname] hrp preempt delay 100
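
The following is an added example, not part of the original page or of Huawei's tooling: a Python check that replays the hrp preempt lines of a saved configuration and reports the resulting preemption state, using the defaults and the 0 to 1800 second range stated above. It assumes that later commands override earlier ones, that an out-of-range delay is rejected, and that a bare hrp preempt leaves the delay unchanged; the sample configuration is constructed.

```python
import re

DEFAULT_ENABLED, DEFAULT_DELAY = True, 30   # defaults stated on this page
MIN_DELAY, MAX_DELAY = 0, 1800              # documented range, in seconds

# Optional "[sysname]" prompt, optional "undo", optional "delay <value>".
_CMD = re.compile(
    r"^(?:\[[^\]]*\]\s*)?(undo\s+)?hrp\s+preempt(?:\s+delay\s+(\S+))?\s*$")

def effective_preempt(config_text):
    """Return (enabled, delay_seconds, problems) after replaying the config."""
    enabled, delay, problems = DEFAULT_ENABLED, DEFAULT_DELAY, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = _CMD.match(raw.strip())
        if not m:
            continue                          # not an hrp preempt command
        undo, value = m.groups()
        if undo:
            if value is not None:             # syntax above: undo takes no delay
                problems.append(f"line {lineno}: 'undo hrp preempt' takes no delay")
            else:
                enabled = False
            continue
        if value is None:
            enabled = True                    # assumption: delay stays as it was
            continue
        if not value.isdigit() or not MIN_DELAY <= int(value) <= MAX_DELAY:
            # Assumption: the command is rejected, so the state is unchanged.
            problems.append(f"line {lineno}: delay {value!r} is outside "
                            f"{MIN_DELAY}-{MAX_DELAY} seconds")
            continue
        enabled, delay = True, int(value)
    return enabled, delay, problems

# Constructed sample configuration, for illustration only.
SAMPLE = """\
hrp enable
hrp preempt delay 100
"""

if __name__ == "__main__":
    print(effective_preempt(SAMPLE))
```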

Other related questions:
TSM interworking in USG2000/5000 hot standby in-path mode
This example describes the typical network and configuration method for TSM interworking in USG2000/5000 hot standby in-path mode. The networking requirements of this example are as follows: A company deploys a TSM server group and USG firewalls in hot standby mode. Requirements are as follows:
- Two TSM Controllers are deployed. If the USGs cannot interwork with both TSM Controllers, the USGs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.
- Terminal hosts in the company network have the TSM proxy software installed. To authenticate guests, the NGFWs must be configured to authenticate end users on the web UI, who do not have the TSM proxy software installed.
- Users in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not resources in the post-authentication domain.
- If an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

Configuring hot standby in load balancing mode on the USG2000
Search for "Connecting to the Internet through multi-ISPs (hot standby)" in the USG2000/5000 product documentation.

VRRP+NAT in hot standby deployment on the USG2000&5000
For the complete configuration example, see "Combining Dual-System Hot Backup with NAT" in the USG2000/5000 product documentation.

Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000
Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000 are as follows:

The primary principle for a software version upgrade in hot standby deployment is to upgrade the active and standby devices individually: upgrade the standby device first and then the active device. In addition, you must disable the HRP function during the upgrade.

Note: For software version upgrade in hot standby deployment, the target software versions of the active and standby devices must be the same. Otherwise, the HRP function may fail to be enabled simultaneously.

Hardware restrictions
- Currently, hot standby can be implemented only between two devices.
- The active and standby devices must have the same product model and version.
- The active and standby devices must have the same number and types of boards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover.
- If you want to use a Layer-2 interface as a heartbeat interface, add the Layer-2 interface to a VLAN. Then create a VLANIF interface and configure an IP address for it. Use the VLANIF interface as a heartbeat interface and specify remote to set the IP address of the heartbeat interface on the remote device.

Software restrictions
- The active and standby devices must use the same software version. Otherwise, configuration commands or session list structures of the different software versions may be different. In this case, errors may occur on the active and standby devices when you back up configuration commands and status.
- The BootROM versions on the active and standby devices must be the same.
- The operating mode of the active and standby devices must be the same, that is, both the active and standby devices must be in firewall mode or UTM mode.
- You are advised to use the initial configuration file on both devices. Otherwise, faults may occur after the active/standby switchover because of configuration conflicts.
- The names, quantities, and configuration sequence of virtual firewalls on the active and standby devices must be the same.
- The interfaces on the same slot of the active and standby devices must be added to the same security zone. For example, if the GigabitEthernet0/0/1 interface on the active device is added to the Trust zone, the GigabitEthernet0/0/1 interface on the standby device must also be added to the Trust zone.
- Configurations of heartbeat interfaces (HRP heartbeat link) on the active and standby devices must be consistent.
  Note: The USG2110-X/2100 and USG2100 BSR/HSR do not support the function of specifying the heartbeat interface IP address of the peer device. Therefore, you cannot use the VLANIF interface as the heartbeat interface.
- The service interfaces of the active and standby devices use fixed IP addresses. Therefore, you cannot use the dual-system hot backup function together with functions for obtaining IP address automatically, such as PPPoE dial-up, DHCP client, 3G, and XDSL.
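
The restrictions above can be checked before an upgrade or switchover by comparing an inventory of the two devices. The following Python sketch is an added example, not part of the original page or of any Huawei tool; the inventory field names and all sample values are hypothetical and constructed for illustration.

```python
# Attributes that the precautions above require to be identical on both devices.
# The dictionary keys are hypothetical inventory field names.
MUST_MATCH = {
    "model": "product model",
    "software_version": "software version",
    "bootrom_version": "BootROM version",
    "mode": "operating mode (firewall or UTM)",
    "boards": "board types and slot arrangement",
    "virtual_firewalls": "virtual firewall names, quantity and order",
}

def check_pair(active, standby):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings = []
    for key, label in MUST_MATCH.items():
        if active.get(key) != standby.get(key):
            findings.append(
                f"{label} differs: {active.get(key)!r} vs {standby.get(key)!r}")
    # The same interface must be in the same security zone on both devices.
    a_z = active.get("interface_zones", {})
    s_z = standby.get("interface_zones", {})
    for ifname in sorted(set(a_z) | set(s_z)):
        if a_z.get(ifname) != s_z.get(ifname):
            findings.append(f"{ifname} zone differs: "
                            f"{a_z.get(ifname)!r} vs {s_z.get(ifname)!r}")
    # Service interfaces need fixed addresses (no PPPoE, DHCP client, 3G, xDSL).
    for role, dev in (("active", active), ("standby", standby)):
        for ifname, source in sorted(dev.get("address_sources", {}).items()):
            if source != "static":
                findings.append(f"{role} {ifname} obtains its address via "
                                f"{source}; hot standby needs a fixed IP")
    return findings

# Constructed inventories; every value here is a placeholder.
ACTIVE = {
    "model": "MODEL-A", "software_version": "VER-1", "bootrom_version": "BOOT-1",
    "mode": "firewall", "boards": ["board-x", "board-y"],
    "virtual_firewalls": ["vfw1"],
    "interface_zones": {"GigabitEthernet0/0/1": "Trust"},
    "address_sources": {"GigabitEthernet0/0/1": "static"},
}
STANDBY = dict(ACTIVE, bootrom_version="BOOT-2",
               interface_zones={"GigabitEthernet0/0/1": "Untrust"},
               address_sources={"GigabitEthernet0/0/1": "dhcp"})

if __name__ == "__main__":
    for finding in check_pair(ACTIVE, STANDBY):
        print(finding)
```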

Hot standby modes on the USG2000 and USG5000 series
Hot standby is in either active/standby or load balancing mode.
