Restrictions on using hot standby together with IPSec on the USG9000 series


Restrictions on using hot standby together with IPSec:
1. When hot standby runs together with IPSec, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. When hot standby runs together with IPSec, the hot standby configuration and the IPSec configuration are the same as when each runs alone.
3. The IPSec policy needs to be configured only on the active device.
4. When hot standby is used together with IPSec in load balancing mode, the forward and reverse paths of the traffic must be the same.
5. If the local device is the initiator of an IPSec tunnel, the tunnel local ip-address command must be run to set the local address that initiates negotiation to the virtual IP address of the VRRP backup group.
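The following fragment is an added illustration of item 5 and is not part of the original page or Huawei's documentation. It shows the active device initiating the tunnel from the VRRP virtual IP address rather than from the physical interface address, so that the peer keeps negotiating with an address that survives a switchover. Only the tunnel local ip-address command is named on the page; the hrp, vrrp, ike peer and ipsec policy commands, the interface names and all addresses are assumed from general USG configuration conventions and are placeholders that must be checked against the command reference of your device version.

```text
# --- Active device (assumed name NGFW_A) ---
hrp enable
hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
#
interface GigabitEthernet 1/0/1
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.1 active
 ipsec policy policy1
#
ike peer peer1
 remote-address 198.51.100.1
#
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal prop1
 tunnel local ip-address 203.0.113.1
#

# --- Standby device (assumed name NGFW_B) ---
# Per item 3 the IPSec policy is configured only on the active device;
# the standby device carries the matching hot standby and VRRP configuration.
hrp enable
hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
#
interface GigabitEthernet 1/0/1
 ip address 203.0.113.3 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.1 standby
#
```

The value to check is the one on the tunnel local ip-address line: it must be the VRRP virtual IP (203.0.113.1 in this placeholder layout), not the interface address 203.0.113.2 of the active device. If the physical address were used, the peer would see a different initiator address after a switchover and the tunnel would have to be renegotiated from the new device's own address.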

Other related questions:
Restrictions on using hot standby together with NAT on the USG9000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.

Restrictions on using hot standby together with IPSec on the USG2000 and USG5000 series
Restrictions on using hot standby together with IPSec:
1. The device supports the interworking of IPSec and hot standby in active/standby mode but not in load balancing mode.
2. When hot standby runs together with IPSec, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
3. When hot standby runs together with IPSec, the hot standby configuration and the IPSec configuration are the same as when each runs alone.
4. The IPSec policy needs to be configured only on the active device.
5. If the local device is the initiator of an IPSec tunnel, set the local gateway IP address at phase 2 to the virtual IP address of the VRRP group.

Restrictions on using hot standby together with NAT on the USG6000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.
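As an added illustration of items 2 and 3 for both the USG9000 and USG6000 lists above (not code from the original page or from Huawei's documentation), the fragment below shows two NGFWs in load balancing mode that share one source NAT address pool. Port translation is enabled in the pool so that two hosts are never mapped to the same address without distinct ports, and the port space is split with hrp nat ports-segment primary on one device and hrp nat ports-segment secondary on the other. Only the two hrp nat ports-segment commands come from the page; the nat address-group and mode pat lines, the VRRP groups, interface names and addresses are assumed from general USG conventions and are placeholders to verify against the command reference for your version.

```text
# --- NGFW_A (assumed name): active for VRRP group 1, standby for group 2 ---
hrp enable
hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
hrp nat ports-segment primary
#
interface GigabitEthernet 1/0/1
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.1 active
 vrrp vrid 2 virtual-ip 203.0.113.4 standby
#
nat address-group pool1
 mode pat
 section 0 203.0.113.10 203.0.113.20
#

# --- NGFW_B (assumed name): standby for VRRP group 1, active for group 2 ---
hrp enable
hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
hrp nat ports-segment secondary
#
interface GigabitEthernet 1/0/1
 ip address 203.0.113.3 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.1 standby
 vrrp vrid 2 virtual-ip 203.0.113.4 active
#
nat address-group pool1
 mode pat
 section 0 203.0.113.10 203.0.113.20
#
```

The weak setting the page warns about is the same pool used on both devices with port translation disabled (no-pat): each device then picks a pool address independently and two hosts behind different devices can end up with the same translated address. With port translation on and the primary/secondary port segments assigned, both devices may still draw from pool1 without producing colliding address:port pairs.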

Software restrictions of hot standby on the USG9000 series
Software restrictions of hot standby:
1. The software versions on the active and standby devices must be the same.
2. The BootROM versions on the active and standby devices must be the same.
3. The hash board selection modes and hash factors on the active and standby devices must be the same.
4. In hot standby deployment, the consistency between the active and standby device configurations is checked every 24 hours. The security policies, NAT policies, traffic policies, audit policies, and PBRs on the active and standby devices must be exactly the same, and the configuration sequence of the policies must also be the same.
5. You are advised to use the initial configuration file on both devices.
6. The service interfaces and heartbeat interfaces used by the active and standby devices must be the same.
7. The interfaces on the same slot of the active and standby devices must be added to the same security zone.
8. Interfaces with vrrp virtual-mac enable configured cannot function as heartbeat interfaces.
9. The service interfaces of the active and standby devices use fixed IP addresses. Therefore, you cannot use the dual-system hot backup function together with functions that obtain IP addresses automatically, such as PPPoE dial-up, DHCP client, 3G, and XDSL.
10. The MTU of the heartbeat interfaces must be set to 1500.
11. When hot standby is used together with the virtual system, you need to ensure that the VSYS names and IDs on the active and standby devices are the same.
