High availability screen

Communication between firewalls in the high availability cluster

Main link

Main interface used for linking both firewalls that make up the cluster.

Select it from the list of objects in the drop-down list.

Use a second communication link

Select this option in order to enable the fields below it and to define a secondary link for your cluster.

Secondary link

Secondary interface used for linking both firewalls that make up the cluster.

Select it from the list of objects in the drop-down list.

WARNING

You are advised to use a secondary link when you wish to change the interface used as the main link. Changing the link may indeed cause interruptions to communications between members of the cluster, which may lead to a nonoperational cluster.

Advanced properties

Modifying the pre-shared key between firewalls in the high availability cluster

New pre-shared key

This field allows modifying the pre-shared key or the password defined during the creation of the cluster.

Confirm

Confirm the password/pre-shared key that you have just entered in the previous field.

Mandatory password strength

This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. You are strongly advised to use uppercase letters and special characters.

Quality indicator

Active firewall if equal

This option allows favoring one firewall as the active firewall in the event both firewalls have the same quality.

The aim of favoring an active firewall is to keep as many logs as possible on the same firewall or to favor traffic on a specific firewall. If the active firewall fails, or if a cable is accidentally unplugged, the other firewall will take over as the active firewall.

Automatic

If you select this option, no priority will be assigned.

This firewall (<its serial number>)

By selecting this option, you will set this firewall as the active firewall and the second firewall will take over from it if it malfunctions or is unplugged.

The other firewall (remote) (<its serial number>)

By selecting this option, you will set this firewall as the active firewall and the second firewall will take over from it if it malfunctions or is unplugged.

WARNING

Selecting this option will cause the firewalls to swap immediately, or switch from this firewall as the active firewall, causing a disconnection from the administration interface.

Session synchronization

Enable synchronization based on connection duration

This option makes it possible to activate session synchronization depending on the duration of these sessions. Only connections with durations higher than or equal to the value specified in the Minimum duration of connections to be synchronized (seconds) field will be considered.

Sessions shorter than the specified value will be ignored during synchronization. This option therefore makes it possible to avoid synchronizing very short connections that may exist in large numbers, such as DNS requests, for example.

Minimum duration of connections to be synchronized (seconds)

Specify the minimum duration (in seconds) of connections that need to be synchronized.

A value of 0 means this option has been disabled.

Swap configuration

When surrounding appliances change from a cluster to bridge mode, the change is applied faster with this option.

Reboot all interfaces during switchover (except HA interfaces)

Reboot interfaces in a bridge during the swap. If this option is enabled, interfaces on the bridge are reinitialized at the time of the switch in order to force switches connected to the firewall to renew their ARP tables.

Enable link aggregation when the firewall is passive

If this option is selected, you will be enabling link aggregation on the firewall even if it has become passive in the cluster.

Periodically send gratuitous ARP requests

If this option is selected, you will send ARP announcements at regular intervals so that the different devices on the network (switches, routers, etc.) can update their own ARP tables.

NOTE

Even during the passive stage, the firewall will still send an ARP announcement, regardless of this option.

Frequency (in seconds)

This field enables defining the frequency of ARP requests in seconds, to a maximum of 9999 seconds.

Impact of the unavailability of an interface on a firewall's quality indicator

Interface

This column lists all of your firewall’s Ethernet interfaces.

Weight [0-9999]

The weight allows giving the interface a relative value. “100” has been set by default for the listed interfaces. They all therefore have the same weighting.

This criterion can be modified by selecting the relevant checkbox. For example, you can specify that the “in” interface is more important than the “out” interface and the other interfaces by assigning it a value of 150.

NOTE

It may be useful to set all unused interfaces to 0 so that they will not affect the quality calculation.

NOTE

Disabled network interfaces do not appear in the high availability quality calculations.
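
The following is an added example, not code from the product or its vendor, showing why the notes above recommend a weight of 0 for unused interfaces. It assumes a simplified model that the page does not specify: quality is the percentage of enabled-interface weight whose link is up, the higher quality becomes active, and the "Active firewall if equal" setting only breaks ties. All names (`Iface`, `quality`, `elect`, `cluster`) and the sample interfaces are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Iface:
    name: str
    weight: int = 100        # default weight given on the page
    enabled: bool = True     # disabled interfaces are left out of the calculation
    link_up: bool = True

def quality(ifaces):
    """ASSUMED model: share (in %) of enabled-interface weight whose link is up."""
    counted = [i for i in ifaces if i.enabled]
    for i in counted:
        if not 0 <= i.weight <= 9999:          # range shown in the Weight column
            raise ValueError(f"{i.name}: weight {i.weight} outside 0-9999")
    total = sum(i.weight for i in counted)
    if total == 0:
        return 100.0                            # nothing weighted, nothing to lose
    up = sum(i.weight for i in counted if i.link_up)
    return round(100.0 * up / total, 2)

def elect(local, remote, prefer="automatic", current="local"):
    """Higher quality wins; on a tie, 'Active firewall if equal' decides (assumed)."""
    ql, qr = quality(local), quality(remote)
    if ql != qr:
        return "local" if ql > qr else "remote"
    # "automatic" assigns no priority, so the current active member stays active
    return current if prefer == "automatic" else prefer

def cluster(unused_weight):
    """Constructed sample: dmz1 is unused and happens to be cabled on the remote only."""
    def member(dmz1_up):
        return [Iface("in", 150), Iface("out", 100),
                Iface("dmz1", unused_weight, link_up=dmz1_up),
                Iface("dmz2", 100, enabled=False, link_up=False)]
    return member(False), member(True)

if __name__ == "__main__":
    for w in (100, 0):
        local, remote = cluster(w)
        print(f"dmz1 weight {w}: local={quality(local)} remote={quality(remote)} "
              f"active={elect(local, remote, prefer='local')}")
```

With the default weight of 100 on the unused interface, the preferred local member loses the election because of a link that carries no traffic; with a weight of 0 both members score the same and the configured preference applies.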

Next, click on Apply.