Restrictions on using hot standby together with NAT on the USG2000 and USG5000 series


Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In the load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. When you configure the VRRP group, bind the NAT address pool or NAT server with the management group.

Other related questions:
Restrictions on using hot standby together with IPSec on the USG2000 and USG5000 series
Restrictions on using hot standby together with IPSec:
1. The device supports the interworking of IPSec and hot standby in active/standby mode but not in load balancing mode.
2. When hot standby runs together with IPSec, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
3. When hot standby runs together with IPSec, the hot standby configuration and the IPSec configuration are the same as when each runs alone.
4. The IPSec policy needs to be configured only on the active device.
5. If the local device is the initiator of an IPSec tunnel, set the local gateway IP address at phase 2 to the virtual IP address of the VRRP group.

Restrictions on using hot standby together with NAT on the USG9000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In the load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.

Restrictions on using hot standby together with NAT on the USG6000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In the load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.
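
The load-balancing NAT restrictions above (one shared address pool without port translation, and the primary/secondary port segments), shown as an added example that is not Huawei's code: a simplified Python model in which two firewalls allocate translations from the same pool without consulting each other. The pool and host addresses, the 1024-65535 port range and the even split between the primary and secondary segments are assumptions for illustration.

```python
# Simplified model: each firewall allocates from the shared NAT pool on its own.
PORT_MIN, PORT_MAX = 1024, 65535  # assumed translatable port range

def port_segment(role):
    # Halving the range is an assumption; the page only names the two segments.
    mid = (PORT_MIN + PORT_MAX) // 2
    if role == "primary":
        return PORT_MIN, mid
    if role == "secondary":
        return mid + 1, PORT_MAX
    return PORT_MIN, PORT_MAX  # no hrp nat ports-segment configured

class Firewall:
    def __init__(self, pool, port_translation, role=None):
        self.pool = list(pool)
        self.port_translation = port_translation
        self.next_port, self.last_port = port_segment(role)
        self.sessions = {}  # private source IP -> (public IP, port or None)

    def translate(self, src_ip):
        if src_ip in self.sessions:
            return self.sessions[src_ip]
        if self.port_translation:
            if self.next_port > self.last_port:
                raise RuntimeError("port segment exhausted")
            mapping = (self.pool[0], self.next_port)
            self.next_port += 1
        else:
            used = {ip for ip, _ in self.sessions.values()}
            free = [ip for ip in self.pool if ip not in used]
            if not free:
                raise RuntimeError("address pool exhausted")
            mapping = (free[0], None)  # one-to-one address translation
        self.sessions[src_ip] = mapping
        return mapping

def conflicts(fw_a, fw_b):
    """Translations that both firewalls handed out to different hosts."""
    shared = set(fw_a.sessions.values()) & set(fw_b.sessions.values())
    return sorted(shared, key=str)

def run(port_translation, roles=(None, None)):
    pool = ["203.0.113.10", "203.0.113.11"]  # constructed sample pool
    fw1 = Firewall(pool, port_translation, roles[0])
    fw2 = Firewall(pool, port_translation, roles[1])
    fw1.translate("10.1.1.10")  # constructed host carried by firewall 1
    fw2.translate("10.1.2.20")  # constructed host carried by firewall 2
    return conflicts(fw1, fw2)
```

run(False) and run(True) each return one colliding translation, while run(True, ("primary", "secondary")) returns an empty list because the two firewalls draw ports from disjoint segments.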

Hardware restrictions of hot standby on the USG2000 and USG5000 series
Hardware restrictions of hot standby:
1. Currently, hot standby can be implemented only between two devices.
2. The active and standby devices must have the same product model and version.
3. The active and standby devices must have the same number and types of boards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover.
4. If you want to use a Layer 2 interface as the heartbeat interface, you need to add it to the VLAN, create the VLANIF interface, and configure the IP address of the VLANIF interface. Then use the VLANIF interface as the heartbeat interface and specify the heartbeat interface IP address of the peer device.

Software restrictions of hot standby on the USG2000 and USG5000 series
Software restrictions of hot standby:
1. The software versions on the active and standby devices must be the same.
2. The BootROM versions on the active and standby devices must be the same.
3. The operating mode of the active and standby devices must be the same, that is, both the active and standby devices must be in firewall mode or UTM mode.
4. You are advised to use the initial configuration file on both devices.
5. The names, quantities, and configuration sequence of virtual firewalls on the active and standby devices must be the same.
6. The interfaces on the same slot of the active and standby devices must be added to the same security zone.
7. Configurations of heartbeat interfaces (HRP heartbeat link) on the active and standby devices must be consistent.
8. The service interfaces of the active and standby devices use fixed IP addresses. Therefore, you cannot use the dual-system hot backup function together with functions for obtaining IP addresses automatically, such as PPPoE dial-up, DHCP client, 3G, and xDSL.
