Restrictions on using hot standby together with SSL VPN on the USG6000 series


Restrictions on using hot standby together with SSL VPN: When hot standby is used together with SSL VPN, the local certificates of the virtual gateways on the active and standby devices must be the same. Otherwise, the SSL VPN service cannot be switched over properly during an active/standby switchover.
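One way to check this before relying on failover, as an added example that is not part of the original page or Huawei's tooling: export the virtual gateway's local certificate from each device as PEM and compare SHA-256 fingerprints of the decoded bytes, so differences in line wrapping or line endings between the two exports do not cause a false mismatch. The function names and sample data are hypothetical, the samples are constructed placeholder bytes rather than real certificates, and the local certificate is assumed to be the first one in each export.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate in a PEM export."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # Strip line wrapping and CR/LF so only the encoded bytes are hashed.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no PEM certificate found in export")
    return prints


def compare_gateway_certs(active_pem, standby_pem):
    """Compare the first certificate in each device's export."""
    active = cert_fingerprints(active_pem)[0]
    standby = cert_fingerprints(standby_pem)[0]
    return {"match": active == standby, "active": active, "standby": standby}


def _constructed_pem(payload, width=64, newline="\n"):
    """Build a PEM-shaped sample; the payload is NOT a real certificate."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"]
    ) + newline


# Constructed sample exports (placeholder bytes, hypothetical names).
ACTIVE = _constructed_pem(b"constructed-cert-A" * 8)
STANDBY_SAME = _constructed_pem(b"constructed-cert-A" * 8, 76, "\r\n")
STANDBY_OTHER = _constructed_pem(b"constructed-cert-B" * 8)

if __name__ == "__main__":
    for name, pem in (("same", STANDBY_SAME), ("other", STANDBY_OTHER)):
        result = compare_gateway_certs(ACTIVE, pem)
        print(name, "MATCH" if result["match"] else "MISMATCH")
```

A mismatch reported here means the two virtual gateways hold different local certificates, which is the condition the restriction above says prevents a clean SSL VPN switchover.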

Other related questions:
Restrictions on using hot standby together with NAT on the USG6000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.

Restrictions on using hot standby together with NAT on the USG9000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.

Restrictions on using hot standby together with NAT on the USG2000 and USG5000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. When you configure the VRRP group, bind the NAT address pool or NAT server with the management group.

Restrictions on using hot standby together with IPSec on the USG2000 and USG5000 series
Restrictions on using hot standby together with IPSec:
1. The device supports the interworking of IPSec and hot standby in active/standby mode but not in load balancing mode.
2. When hot standby runs together with IPSec, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
3. When hot standby runs together with IPSec, the hot standby configuration and the IPSec configuration are the same as when each runs alone.
4. The IPSec policy needs to be configured only on the active device.
5. If the local device is the initiator of an IPSec tunnel, set the local gateway IP address at phase 2 to the virtual IP address of the VRRP group.
