Concepts of configuring active and standby firewalls


On a load balancing network both devices work in master state, which raises the following questions: how is information backed up between the two devices, which commands need to be backed up, and in which direction does the backup run?

To avoid errors during the backup, the USG introduces the concept of designated active and standby devices. The firewall that sends backup configurations is the designated active device (its system name is prefixed with "HRP_M"), and the firewall that receives backup configurations is the designated standby device (its system name is prefixed with "HRP_S"). A firewall must meet the following requirements to become the designated active device:

Only a firewall in master state in the VRRP group can become the designated active device.
In load balancing mode, both hot standby USGs are in master state. The designated active device is then selected by the priority of the VGMP group; if the priorities are equal, the firewall whose heartbeat interface has the higher real IP address is selected.
To keep the designated active device stable, a designated active/standby switchover takes place only when the designated active device fails or leaves the VRRP group.

Other related questions:
Testing the active/standby firewall switchover
The priority of the VGMP group on the USG cannot be changed manually. To trigger an active/standby switchover, shut down an interface on the active firewall that has a VRRP group configured; this lowers the VGMP group priority of the active firewall. If the live network is carrying services and a service interface cannot be shut down, run the hrp track master command on an interface of the active firewall that is already in Down state; this also lowers the VGMP group priority of the active firewall and triggers the switchover.
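The election rules listed above and the switchover test described in this answer can be modelled in a few lines. The following Python is an added illustration, not Huawei code and not a USG feature: the priority penalty per tracked Down interface (PRIORITY_STEP), the base VGMP priority (BASE_PRIORITY), the firewall names, the interface name and the heartbeat addresses are all assumptions constructed for the example.

```python
"""Model of the designated active/standby election on a pair of hot standby USGs.

Added illustration, not Huawei code. Rules modelled from the page:
  - only a firewall in VRRP master state can be designated active;
  - with both in master state, the higher VGMP priority wins and a tie is
    broken by the higher real IP address of the heartbeat interface;
  - the designated active device is kept unless it fails (its priority
    drops below the peer's) or it leaves the VRRP group.
Assumption (not on the page): each tracked interface in Down state lowers
the VGMP priority by PRIORITY_STEP; BASE_PRIORITY is illustrative only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

PRIORITY_STEP = 2       # assumed penalty per tracked interface that is Down
BASE_PRIORITY = 45000   # assumed initial VGMP group priority (illustrative)


@dataclass
class Firewall:
    name: str
    heartbeat_ip: str                    # real IP address of the heartbeat interface
    vrrp_master: bool = True             # both True in load balancing mode
    tracked_down: set = field(default_factory=set)  # interfaces under hrp track that are Down

    @property
    def vgmp_priority(self) -> int:
        # A Down interface that the VGMP group tracks lowers the group priority.
        return BASE_PRIORITY - PRIORITY_STEP * len(self.tracked_down)

    def eligible(self) -> bool:
        # Only a firewall in VRRP master state can be designated active.
        return self.vrrp_master

    def election_key(self):
        # Higher VGMP priority first, then higher heartbeat real IP address.
        return (self.vgmp_priority, int(ipaddress.ip_address(self.heartbeat_ip)))


def elect_designated_active(current: Optional[Firewall],
                            candidates: List[Firewall]) -> Optional[Firewall]:
    """Return the designated active device after applying the page's rules."""
    eligible = [fw for fw in candidates if fw.eligible()]
    if not eligible:
        return None
    if current is not None and any(fw is current for fw in eligible):
        # Keep the incumbent unless another eligible device now has a strictly
        # higher priority (the incumbent has a fault on a tracked interface).
        challenger = max(eligible, key=Firewall.election_key)
        if challenger.vgmp_priority <= current.vgmp_priority:
            return current
        return challenger
    return max(eligible, key=Firewall.election_key)


def simulate_switchover() -> List[str]:
    """Walk through the switchover test from the FAQ answer above.

    Both firewalls start in master state with equal priority; FW_A wins on the
    higher heartbeat address. A tracked interface on FW_A goes Down (the effect
    of hrp track master on a Down interface), FW_B takes over, FW_B is kept when
    the interface recovers, and FW_A is re-elected only when FW_B leaves VRRP.
    """
    fw_a = Firewall("FW_A", "10.10.0.2")   # constructed heartbeat addresses
    fw_b = Firewall("FW_B", "10.10.0.1")
    pair = [fw_a, fw_b]
    history = []

    active = elect_designated_active(None, pair)      # tie -> higher heartbeat IP
    history.append(active.name)

    fw_a.tracked_down.add("GigabitEthernet1/0/1")     # assumed interface name
    active = elect_designated_active(active, pair)    # FW_A priority drops -> FW_B
    history.append(active.name)

    fw_a.tracked_down.clear()                         # interface recovers, tie again
    active = elect_designated_active(active, pair)    # incumbent FW_B is kept
    history.append(active.name)

    fw_b.vrrp_master = False                          # FW_B leaves the VRRP group
    active = elect_designated_active(active, pair)    # only FW_A is eligible
    history.append(active.name)
    return history


if __name__ == "__main__":
    print(" -> ".join(simulate_switchover()))
```

The model deliberately has no preemption: after the interface on FW_A recovers the two priorities are equal again, and the incumbent FW_B stays designated active, matching the stability rule above. If your deployment enables HRP preemption, the real device will behave differently at that step.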

Why are commands executed on the active firewall not synchronized to the standby firewall
If the automatic configuration synchronization function is disabled, configurations are not synchronized. In addition, not all commands can be synchronized; for example, interface and routing configurations are never synchronized. For the commands that can be synchronized, see Specifications.

Why are the session tables on the active and standby firewalls different
Check the status of the heartbeat link. If the heartbeat link fails, sessions on the active firewall cannot be synchronized to the standby firewall. If the automatic session backup function is disabled, the sessions on the two firewalls differ. Even when automatic session backup is enabled, sessions are not synchronized in real time: a session is synchronized to the standby firewall only when the session aging thread detects it, so an established session appears on the standby firewall after a delay of about 10 seconds. Even with automatic session backup enabled, the firewalls do not back up sessions of the following types:
- Sessions destined for the firewall itself
- Half-open TCP connections
- Sessions in which the first packet is a UDP packet and subsequent packets are not (such as BitTorrent traffic)

Whether USG2000&5000&6000 series virtual firewalls support hot standby
Hot standby cannot be implemented between virtual firewalls.

Why are the same configuration items arranged in different orders in the configuration files on the active and standby firewalls
This usually results from inconsistent initial configurations on the two firewalls. Delete the configuration items whose order differs and reconfigure them. You are advised to configure hot standby starting from the default settings.
