On a hot standby network, what do the designated active device and designated standby device stand for?


On load balancing networks, the two FWs are active. Therefore, if both FWs synchronize commands to each other, command overwrite or conflict problems may occur. To centrally manage the configurations of the two FWs, you need to configure the designated active and standby devices.

On load balancing networks, the sender of the configuration backup command is the designated active device (identified by HRP_M), and the receiver is the designated standby device (identified by HRP_S).

Configuration commands can be synchronized only from the designated active device to the designated standby device, and status information is mutually backed up between the two devices.

On load balancing networks, the FW whose sysname has the smaller American Standard Code for Information Interchange (ASCII) character value is the designated active device. For example, when FW_A and FW_B share load, FW_A is the designated active device.

Other related questions:
Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000
Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000 are as follows:

For a software version upgrade in hot standby deployment, follow one primary principle: upgrade the active and standby devices individually, upgrading the standby device first and then the active device. In addition, you must disable the HRP function during the upgrade.

Note: For a software version upgrade in hot standby deployment, the target software versions of the active and standby devices must be the same. Otherwise, the HRP function may fail to be enabled simultaneously.

Hardware restrictions

Currently, hot standby can be implemented only between two devices.

The active and standby devices must have the same product model and version.

The active and standby devices must have the same number and types of boards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover.

If you want to use a Layer-2 interface as a heartbeat interface, add the Layer-2 interface to a VLAN. Then create a VLANIF interface and configure an IP address for it. Use the VLANIF interface as the heartbeat interface and use remote to specify the IP address of the heartbeat interface on the remote device.

Software restrictions

The active and standby devices must use the same software version. Otherwise, configuration commands or session list structures of the different software versions may be different. In this case, errors may occur on the active and standby devices when you back up configuration commands and status.

The BootROM versions on the active and standby devices must be the same.

The operating mode of the active and standby devices must be the same, that is, both the active and standby devices must be in firewall mode or UTM mode.

You are advised to use the initial configuration file on both devices. Otherwise, faults may occur after the active/standby switchover because of configuration conflicts.

The names, quantities, and configuration sequence of virtual firewalls on the active and standby devices must be the same.

The interfaces on the same slot of the active and standby devices must be added to the same security zone. For example, if the GigabitEthernet0/0/1 interface on the active device is added to the Trust zone, the GigabitEthernet0/0/1 interface on the standby device must also be added to the Trust zone.

Configurations of heartbeat interfaces (HRP heartbeat link) on the active and standby devices must be consistent.

Note: The USG2110-X/2100 and USG2100 BSR/HSR do not support the function of specifying the heartbeat interface IP address of the peer device. Therefore, you cannot use the VLANIF interface as the heartbeat interface.

The service interfaces of the active and standby devices use fixed IP addresses. Therefore, you cannot use the dual-system hot backup function together with functions for obtaining an IP address automatically, such as PPPoE dial-up, DHCP client, 3G, and XDSL.
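The restrictions above lend themselves to an automated check before HRP is enabled or an upgrade is started. The following is an added example, not Huawei code: it compares two device inventories against the listed rules. The dictionary layout, field names and all sample values are constructed assumptions, not a device export format.

```python
# Constructed inventories; field names and values are assumptions for this example.
ACTIVE = {
    "model": "MODEL-X", "software": "VER-1", "bootrom": "BR-1", "mode": "firewall",
    "boards": {1: "BOARD-A", 2: "BOARD-B"},
    "vsys": ["vfw1", "vfw2"],
    "zones": {"GigabitEthernet0/0/1": "trust", "GigabitEthernet0/0/2": "untrust"},
    "addressing": {"GigabitEthernet0/0/1": "static", "GigabitEthernet0/0/2": "static"},
}
STANDBY = {
    "model": "MODEL-X", "software": "VER-1", "bootrom": "BR-2", "mode": "firewall",
    "boards": {1: "BOARD-A", 2: "BOARD-B"},
    "vsys": ["vfw2", "vfw1"],
    "zones": {"GigabitEthernet0/0/1": "dmz", "GigabitEthernet0/0/2": "untrust"},
    "addressing": {"GigabitEthernet0/0/1": "static", "GigabitEthernet0/0/2": "dhcp"},
}
SCALAR_RULES = {
    "model": "product model must match",
    "software": "software version must match",
    "bootrom": "BootROM version must match",
    "mode": "operating mode must match (firewall or UTM)",
}
DYNAMIC = {"pppoe", "dhcp", "3g", "xdsl"}  # labels assumed for automatic addressing

def check_pair(active, standby):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for key, rule in SCALAR_RULES.items():
        if active[key] != standby[key]:
            findings.append(f"{key}: {rule} ({active[key]!r} vs {standby[key]!r})")
    # Same number and types of boards, in the same slots.
    for slot in sorted(set(active["boards"]) | set(standby["boards"])):
        a, s = active["boards"].get(slot), standby["boards"].get(slot)
        if a != s:
            findings.append(f"boards: slot {slot} differs ({a!r} vs {s!r})")
    # List comparison covers names, quantity and configuration sequence.
    if active["vsys"] != standby["vsys"]:
        findings.append("vsys: virtual firewall names, quantity or order differ")
    for ifname in sorted(set(active["zones"]) | set(standby["zones"])):
        a, s = active["zones"].get(ifname), standby["zones"].get(ifname)
        if a != s:
            findings.append(f"zones: {ifname} is in {a!r} on active, {s!r} on standby")
    # Service interfaces must use fixed IP addresses on both devices.
    for role, dev in (("active", active), ("standby", standby)):
        for ifname, method in sorted(dev["addressing"].items()):
            if method.lower() in DYNAMIC:
                findings.append(f"addressing: {role} {ifname} uses {method}, needs a fixed IP")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(ACTIVE, STANDBY)) or "pair is consistent")
```
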

Concepts of configuring active and standby firewalls
On a load balancing network, to enable both devices to work in master state, consider the following issues: How is information backed up between the devices? Which commands need to be backed up? What is the backup direction?

To avoid errors during the backup, the USG introduces the concept of designated active and standby devices. The firewall that sends backup configurations is called the designated active device (whose system name starts with "HRP_M"), and the firewall that receives backup configurations is called the designated standby device (whose system name starts with "HRP_S").

A firewall must meet the following requirements to become the designated active device:

In the VRRP group, only the firewalls in master state have the chance to be the designated master device.

In load balancing mode, the two hot standby USGs are both master devices. In this case, the designated master device is selected according to the priorities of the VRRP groups and the descending order of the real IP addresses of the heartbeat interfaces.

To keep the designated active device stable, the switchover between designated active and standby devices is not implemented unless a fault occurs on the designated active device or the designated active device quits the VRRP group.

Reason why the standby device can be logged in several minutes after the login password of the active device is changed in hot standby deployment on the USG2000/5000
After the hot standby configuration information on the USG2000/5000 changes, the configuration change takes effect on the standby device only after the configuration information synchronization on the standby device completes.

Whether the standby device in hot standby deployment can be configured
By default, configurations that can be backed up can be configured only on the active device and automatically synchronized to the standby device. You cannot configure them on the standby device. After you run the hrp slave config enable command on the active device, the standby device obtains the permission for configuring these commands when this command is backed up to the standby device. The configurations on the standby device are also synchronized to the active device. Configurations that cannot be backed up, such as interface IP addresses, can be configured on the standby device.
