HA network traffic
The high availability mechanism requires the following traffic between both members of the cluster:
- Kernel to Kernel traffic: this protocol, which is used for real-time synchronization (see table of Objects synchronized in real time), is based on UDP port 44242 (only in IPv4). This port can be customized in the file ~/ConfigFiles/Protocols/hasync/common (all changes must be applied on both members of the cluster, followed by the command enha).
- Traffic over TCP port 1300 (serverd daemon): the firewall that is added to the cluster uses this traffic to retrieve the HA configuration and the network configuration of the cluster.
- Traffic over TCP ports 16058 and 16059 (gatewayd daemon): used in the synchronization of IPsec VPN statuses.
- RSYNC traffic via SSH sessions (TCP port 22): this traffic allows the firewall joining the cluster to retrieve configuration files (synchronize, filtering, etc.) or synchronize changes to the LDAP directory.
- Unicast and multicast traffic over UDP port 5405 (corosync daemon): used by both firewalls to exchange messages relating to HA and to monitor the network dedicated to HA over control links. The multicast address used by default is 184.108.40.206, but can be customized in the file ~/ConfigFiles/HA/highavailability.
If HA links are set up through network switches, IGMP snooping features must be disabled on these devices to allow multicast traffic.
- ICMP echo request traffic (ping): used to monitor a firewall’s functional status from a network viewpoint.
Do note that these various types of traffic are allowed with an implicit filter rule (Allow mutual access between the members of a firewall cluster (HA) ) that is enabled when high availability is set up.
When this rule is disabled, HA will immediately stop functioning.