Whether the heartbeat interfaces of the firewall must be directly connected


It depends. The heartbeat interface can be directly connected or connected through an intermediate device, such as a switch or router. Direct connection is recommended.

When the heartbeat interface is connected through an intermediate device, you need to configure the remote parameter to specify the peer heartbeat interface IP address. This is because:

If you do not configure the remote parameter, the NGFW encapsulates the heartbeat packets it sends with VRRP. VRRP packets are multicast packets, and certain switches and routers send packets of this type to themselves for processing, which occupies their CPU resources. The number of heartbeat packets sent by the NGFW increases as services increase, overloading the switch and router CPUs and affecting their processing of other multicast packets (such as OSPF packets). The restrictions that the switch and router place on VRRP packets also cause NGFW heartbeat packets to be discarded, making the NGFW status unstable.

After you configure the remote parameter, the NGFW encapsulates heartbeat packets into UDP packets. The switch and router do not send UDP packets to themselves for processing. Therefore, the switch and router performance and network services are not affected.

Other related questions:
Whether the subcard interface can serve as the heartbeat interface
Yes. Subcard interfaces can also serve as heartbeat interfaces and support backing up policies, sessions, and table entries.

Problem and solution when the heartbeat interfaces of the firewalls fail to be directly connected
Troubleshoot as follows:
1. Check whether the cable is properly connected.
2. Check whether the interface has been added to the security zone.
3. Check whether service-manage ping permit is configured under the interface.
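The remote-parameter rule and the zone and service-manage checks above can be run against a saved configuration before a heartbeat link is placed behind a switch or router. The following Python audit is an added example, not vendor code; the `hrp interface <name> [remote <ip>]` and `firewall zone` / `add interface` line formats, the interface names and the addresses are assumptions made for the constructed sample.

```python
import re

# Constructed sample in saved-configuration style. The line formats, interface
# names and addresses are assumptions for illustration, not taken from the page.
SAMPLE_CONFIG = """\
hrp interface GigabitEthernet1/0/6
hrp interface GigabitEthernet1/0/7 remote 10.10.0.2
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
 ip address 10.10.0.1 255.255.255.0
 service-manage ping permit
#
firewall zone dmz
 add interface GigabitEthernet1/0/7
"""

def parse_blocks(config):
    """Map each top-level line to the indented lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and current:
            blocks[current].append(line.strip())
        elif line.strip() not in ("", "#"):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_heartbeat(config, via_intermediate_device):
    """Return {interface: [findings]} for each configured heartbeat interface."""
    blocks = parse_blocks(config)
    zoned = {s.split()[-1] for head, subs in blocks.items() if head.startswith("firewall zone ")
             for s in subs if s.startswith("add interface ")}
    report = {}
    for head in blocks:
        m = re.fullmatch(r"hrp interface (\S+)(?: remote (\S+))?", head)
        if not m:
            continue
        name, remote = m.groups()
        findings = []
        # Without remote, heartbeats are VRRP multicast that a switch/router may punt to its CPU.
        if via_intermediate_device and remote is None:
            findings.append("no remote: heartbeats are VRRP-encapsulated multicast")
        if name not in zoned:
            findings.append("interface not in a security zone")
        if "service-manage ping permit" not in blocks.get("interface " + name, []):
            findings.append("service-manage ping permit missing")
        report[name] = findings
    return report
```

Call `audit_heartbeat(SAMPLE_CONFIG, True)` for a heartbeat link that crosses a switch or router, and pass `False` for a direct cable, where a missing remote address is not flagged.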

Must the heartbeat interfaces be directly connected
No. The heartbeat interfaces can be connected either directly or through intermediate devices, such as switches or routers. Direct connection between the heartbeat interfaces is recommended.

