What are the differences between hrp auto-sync and hrp sync?


hrp auto-sync automatically synchronizes all subsequent configurations and status entries to the standby firewall. hrp auto-sync is enabled by default. The command does not synchronize existing configurations and status entries.

hrp sync immediately synchronizes the existing configurations and status entries from the active firewall to the standby firewall. The command takes effect immediately and does not affect subsequent configurations and status entries.

Other related questions:
HRP information that can be synchronized in hot standby deployment on the USG6000
1. HRP configurations that can be backed up on the USG6000 include:
   a. Policies: security policy, NAT policy, bandwidth management, authentication policy, attack defense, blacklist, and ASPF.
   b. Objects: address, area, service, application, user, authentication server, time range, URL category, keyword group, mail address group, signature, security profile (for antivirus, intrusion prevention, URL filtering, file blocking, data filtering, application behavior control, and mail filtering).
   c. Network: new logical interface, security zone, DNS, IPSec, SSL VPN, TSM interworking, and static route (supported in V100R001C30SPC100 and later versions only).
   d. System: administrator and log configuration.
   Note: In most cases, display, reset, and debugging commands cannot be backed up.
   Based on the preceding descriptions, we can see that basic network configurations of the firewall, such as interface addresses and routes, cannot be backed up. All these configurations need to be configured before the hot standby status is successfully established. As for the preceding configurations that can be backed up, configure them only on the active device after the hot standby status is successfully established.
2. USG status information that can be backed up is as follows:
   a. Session table
   b. Server map table
   c. IP monitoring table
   d. Fragment cache table
   e. GTP table
   f. Blacklist
   g. PAT-based port mapping table
   h. NO-PAT-based address mapping table

Whether a security policy shall be configured between the zone where the heartbeat interface resides and Local zone
If remote is not set when heartbeat interfaces are configured, the heartbeat packets are encapsulated into VRRP packets, and the device can properly process the heartbeat packets even without a security policy. If remote is set when heartbeat interfaces are configured, the heartbeat packets are encapsulated into UDP packets, and a correct security policy must be configured for the interzone between the Local zone and the security zone where the heartbeat interfaces reside, so that the device can properly send and receive the heartbeat packets.
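
One way to check this requirement against a saved configuration, as an added example that is not from the original page or from the vendor. The configuration layout it parses (hrp interface ... remote, firewall zone / add interface, security-policy / rule name blocks), the sample text and every name and address in it are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from the page); names, address and layout are assumed.
SAMPLE = """\
hrp enable
hrp interface GigabitEthernet1/0/7 remote 10.10.0.2
firewall zone dmz
 add interface GigabitEthernet1/0/7
security-policy
 rule name hrp_out
  source-zone local
  destination-zone dmz
  action permit
"""

def heartbeat_policy_gaps(cfg):
    """Return (interface, problem) pairs for UDP heartbeat links lacking a policy."""
    zone_of, rules, udp_links = {}, [], []
    zone = rule = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level command closes any open block
            zone = rule = None
        # Without "remote" the heartbeat is VRRP-encapsulated and needs no policy.
        if m := re.match(r"hrp interface (\S+) remote \S+", line):
            udp_links.append(m.group(1))
        elif m := re.match(r"firewall zone (?:name )?(\S+)", line):
            zone = m.group(1)
        elif zone and (m := re.match(r"add interface (\S+)", line)):
            zone_of[m.group(1)] = zone
        elif re.match(r"rule name \S+", line):
            rule = {"source": set(), "destination": set(), "action": None}
            rules.append(rule)
        elif rule and (m := re.match(r"(source|destination)-zone (\S+)", line)):
            rule[m.group(1)].add(m.group(2))
        elif rule and (m := re.match(r"action (\S+)", line)):
            rule["action"] = m.group(1)
    def permitted(src, dst):
        # Simplified match: zones and action only; no zone condition means any zone.
        return any(r["action"] == "permit"
                   and (not r["source"] or src in r["source"])
                   and (not r["destination"] or dst in r["destination"]) for r in rules)
    gaps = []
    for ifname in udp_links:
        pairs = [("local", zone_of[ifname]), (zone_of[ifname], "local")] if ifname in zone_of else []
        gaps += [(ifname, f"no permit rule {s} -> {d}") for s, d in pairs if not permitted(s, d)]
        if not pairs:
            gaps.append((ifname, "interface is not in a security zone"))
    return gaps
```

On the sample, the rule covers only Local to dmz, so the check reports the missing dmz to Local direction that would stop the device from receiving heartbeat packets.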

Configuring the monitoring port for hot standby on the firewall
VGMP groups can detect interface or device faults. Interface or device faults decrease the priority values of VGMP groups, which changes the active/standby status of the VGMP groups and the active/standby status of devices. Each time an interface monitored by a VGMP group fails, the priority of the VGMP group decreases by 2. The priority of a VGMP group is calculated using this formula:

Priority of a VGMP group = Default priority of the VGMP group - 2 x N (N indicates the number of interface faults).

The VGMP group can detect interface faults in the following ways:
1. Use a VRRP group to monitor interfaces. This method applies when the service interfaces of each device work at Layer 3 and are directly connected to switches. The devices use static routes to communicate with the routers or PCs directly connected to the switches. For the configuration method, see the examples in the product documentation: active/standby networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to switches; load balancing networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to switches.
2. Directly monitor interfaces. This method applies when the service interfaces of each NGFW work at Layer 3 and are directly connected to routers. The NGFWs and routers run OSPF. For the configuration method, see the examples in the product documentation: active/standby networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to routers; load balancing networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to routers.
3. Monitor the VLAN to which the service interfaces of each NGFW belong. This method applies when the service interfaces of each NGFW work at Layer 2. For the configuration method, see the examples in the product documentation: load balancing networking in which the service interfaces of each NGFW work at Layer 2 and are directly connected to routers.
