Electing the active firewall

The process of electing the active member of the cluster takes place when HA starts up.

The following is a flowchart of the election process:

Do note that firewalls can be forced to be active (Configuration > System > Maintenance > Configuration > High availability menu). In this case, the firewall will be active even if its quality factor is lower. You are advised against using this option on clusters in production, as it is used only to debug configurations.

This process relies on the comparison of each firewall’s quality factor, which will be explained further in this section.

Understanding how the quality factor is calculated

The quality factor is derived from a mathematical formula that takes into account various indicators:

  • Status and weight of the firewall's active interfaces (HA interfaces are excluded from this calculation), including aggregated interfaces (LACP/redundancy).


    Do note that by default in aggregates (LACP/redundancy), the firewall's quality factor starts to deteriorate only after all members of the aggregate are lost. HA can be configured so that the loss of a single interface belonging to the aggregate suffices to deteriorate the quality factor. This parameter can be enabled using the CLI/Serverd commands CONFIG HA CREATE and CONFIG HA UPDATE by setting the relevant parameter below to 1:

    • For an LACP aggregate: LACPMembersHaveWeight=<0|1>,

    • For a Redundancy aggregate (as of SNS version 4.3): FailoverMembersHaveWeight=<0|1>.

  • Status(es) of the hard disk(s),
  • Status of the TPM on models equipped with one.

    The configuration token TPMQualityIncluded=1 found in the [Global] section of the configuration file ConfigFiles/HA/highavailability indicates that the status of the TPM has been applied.

  • Status of additional modules (network, power supply, fans, etc.) on higher range models.

Example of how the quality index of interfaces is calculated

In this example, only interfaces 1 (out), 2 (in) and 4 (dmz2) are taken into account, since the dmz1 interface is dedicated to HA. Do note that interface 2 (in) has connectivity issues:

The weights assigned to the interfaces are as follows:

The quality index of the interfaces for this firewall is therefore the sum of (status x weight) over the counted interfaces, divided by the sum of their weights: (1 x 100 + 0 x 100 + 1 x 75) / (100 + 100 + 75) = 175 / 275 ≈ 63%

The indicator calculated according to this method will be included in the overall calculation of the quality factor that takes into account other parameters.
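The following script is an added illustration, not Stormshield code, of two things described above: the interface quality index (the worked example with out, in and dmz2, with the HA-dedicated dmz1 excluded) and the effect of the LACPMembersHaveWeight/FailoverMembersHaveWeight setting on an aggregate, plus the election rule that a firewall forced active wins regardless of its quality factor. The interface names, weights, the aggregate name lagg0 and the way a partially failed aggregate is weighted when members have weight are assumptions made to reproduce the figures in the text; the overall quality factor also depends on disk, TPM and module status, whose weighting the page does not give, so it is left out.

```python
"""Added example: interface quality index and active-member election.

Not Stormshield code. Weights, interface names and the aggregate handling
are assumptions chosen to reproduce the numbers given in the documentation.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    weight: int                 # weight assigned to the interface in the HA configuration
    up: bool = True             # link / connectivity status
    ha_dedicated: bool = False  # HA interfaces are excluded from the index


@dataclass
class Aggregate:
    """LACP or redundancy aggregate made of several member interfaces."""
    name: str
    weight: int
    members: List[Interface]


def aggregate_contribution(agg: Aggregate, members_have_weight: bool) -> float:
    """Fraction of the aggregate's weight that counts as 'up'.

    Assumption modelled on LACPMembersHaveWeight / FailoverMembersHaveWeight:
    - members_have_weight=False (default): the aggregate is up as long as at
      least one member is up, so the index only drops once all members are lost.
    - members_have_weight=True: each lost member removes its share of the
      aggregate's weight, so losing a single member already lowers the index.
    """
    if not agg.members:
        return 0.0
    up_members = sum(1 for m in agg.members if m.up)
    if members_have_weight:
        return up_members / len(agg.members)
    return 1.0 if up_members > 0 else 0.0


def interface_quality_index(
    interfaces: List[Interface],
    aggregates: Optional[List[Aggregate]] = None,
    members_have_weight: bool = False,
) -> int:
    """Weighted share of 'up' interfaces as a percentage, rounded down.

    Mirrors the page's formula: sum(status x weight) / sum(weight), with
    HA-dedicated interfaces left out of both sums.
    """
    counted = [i for i in interfaces if not i.ha_dedicated]
    total = sum(i.weight for i in counted)
    up = sum(i.weight for i in counted if i.up)
    for agg in aggregates or []:
        total += agg.weight
        up += agg.weight * aggregate_contribution(agg, members_have_weight)
    if total == 0:
        return 0
    return int(up * 100 / total)


@dataclass
class Firewall:
    name: str
    quality: int
    forced_active: bool = False  # the "force active" maintenance option


def elect_active(cluster: List[Firewall]) -> Firewall:
    """A forced firewall becomes active regardless of quality; otherwise the
    highest quality factor wins. Tie-breaking between equal quality factors
    is not specified on the page; here the first listed member wins (assumption)."""
    forced = [fw for fw in cluster if fw.forced_active]
    if forced:
        return forced[0]
    return max(cluster, key=lambda fw: fw.quality)


# Constructed data reproducing the page's example: interface 2 (in) is down and
# dmz1 is the HA link, so it is ignored. Weights are assumed from the formula.
EXAMPLE_INTERFACES = [
    Interface("out", 100, up=True),
    Interface("in", 100, up=False),
    Interface("dmz1", 100, up=True, ha_dedicated=True),
    Interface("dmz2", 75, up=True),
]

# Constructed aggregate (assumed name/weight) with one of two members lost.
EXAMPLE_AGGREGATE = Aggregate("lagg0", 100, [Interface("em1", 0, up=True),
                                             Interface("em2", 0, up=False)])

if __name__ == "__main__":
    print("index, page example:", interface_quality_index(EXAMPLE_INTERFACES))
    print("index, aggregate, members have no weight:",
          interface_quality_index(EXAMPLE_INTERFACES, [EXAMPLE_AGGREGATE], False))
    print("index, aggregate, members have weight:",
          interface_quality_index(EXAMPLE_INTERFACES, [EXAMPLE_AGGREGATE], True))
    cluster = [Firewall("fw-a", 63, forced_active=True), Firewall("fw-b", 100)]
    print("active member:", elect_active(cluster).name)
```

Running it reproduces the 63% of the worked example; adding the half-failed aggregate leaves the index higher in the default mode than when members carry weight, which is exactly the difference the LACPMembersHaveWeight/FailoverMembersHaveWeight parameter controls, and the forced firewall is elected even though its quality factor is lower.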