High availability screen

Communication between firewalls in the high availability cluster

Main link Main interface used to link two firewalls that make up the cluster.
Select it from the list of objects in the drop-down list.
Use a second communication link Select this option to enable the fields below it and to define a secondary link for your cluster.
Secondary link Secondary interface used to link both firewalls that make up the cluster.
Select it from the list of objects in the drop-down list.

WARNING
Configure a secondary link before you change the interface used as the main link. Communication between the members of the cluster may be interrupted while the link is changed, and without a second link this interruption can cause the cluster to stop functioning.

Advanced properties

Change the pre-shared key between the firewalls in the high availability cluster

New pre-shared key In this field, the pre-shared key or the password defined during the creation of the cluster can be changed.
Confirm password Confirm the password/pre-shared key that you have just entered in the previous field.
Password strength This progress bar indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. You are strongly advised to use uppercase letters and special characters.

Quality indicator

Active firewall if equal

This option designates one firewall as the active firewall in the event both firewalls have the same quality.

The aim of designating an active firewall is to keep as many logs as possible on the same firewall or give priority to the traffic on a specific firewall. If the active firewall fails, or if a cable is accidentally unplugged, the other firewall will take over as the active firewall.

Automatic If you select this option, no priority will be assigned.
This firewall (<its serial number >) By selecting this option, you will set this firewall as the active firewall; the second firewall will take over from it if it malfunctions or is unplugged.
The other firewall (remote) (<its serial number >) By selecting this option, you will set the remote firewall as the active firewall; it will take over if the first firewall malfunctions or is unplugged.

WARNING
Selecting the remote firewall causes the two firewalls to swap roles immediately; selecting this firewall makes it the active firewall immediately. In both cases the administrator is logged out of the administration interface.

Session synchronization

Enable synchronization based on connection duration

This option restricts session synchronization according to the duration of the sessions. Only connections whose duration is greater than or equal to the value entered in the Minimum duration of connections to be synchronized (seconds) field will be synchronized.
Shorter sessions are ignored during synchronization. This avoids synchronizing very short connections that may exist in large numbers, such as DNS requests, which would otherwise consume synchronization bandwidth for sessions that are finished before the passive member could ever use them.
Minimum duration of connections to be synchronized (seconds) Specify the minimum duration (in seconds) of connections that need to be synchronized.
A value of 0 means this option has been disabled.

Swap configuration

When surrounding appliances change from a cluster to bridge mode, the change is applied faster with this option.

Reboot all interfaces during switchover (except HA interfaces)

If this option is enabled, the interfaces belonging to the bridge are reinitialized during the swap. The link flap forces the switches connected to the firewall to flush and relearn their MAC address (forwarding) tables, so that traffic is sent to the port of the newly active member.

Enable link aggregation when the firewall is passive

When this option is enabled in a configuration that uses link aggregation (LACP), aggregates will be enabled even on the passive member of the cluster.
Periodically send gratuitous ARP requests If this option is selected, you will send ARP announcements at regular intervals so that the different devices on the network (switches, routers, etc) can update their own ARP tables.

NOTE
Even during the passive stage, the firewall will still send an ARP announcement, regardless of this option.

Frequency (in seconds) The frequency of ARP requests can be defined in this field, up to a maximum of 9999 seconds.
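The gratuitous ARP announcements described above are ordinary ARP frames in which the sender and target IP addresses are identical, so every device that receives one overwrites its cache entry for that address with the announcing MAC. The following Python example is added here for illustration; it is not Stormshield code and does not show how the firewall itself builds its frames. It constructs a gratuitous ARP announcement from a constructed (assumed) MAC and IP address, parses it back, checks whether an arbitrary ARP frame is gratuitous, and shows the resulting update to a simulated neighbour ARP cache. The MAC addresses, IP addresses and the cache are all constructed sample data.

```python
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)
ARP_REQUEST, ARP_REPLY = 1, 2
MAX_FREQUENCY_SECONDS = 9999  # upper bound of the Frequency (in seconds) field


def build_arp(src_mac: bytes, sender_ip: str, target_ip: str,
              opcode: int = ARP_REQUEST, target_mac: bytes = ZERO_MAC) -> bytes:
    """Build an Ethernet + ARP frame (14 + 28 bytes) for IPv4 over Ethernet."""
    eth_header = BROADCAST_MAC + src_mac + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body = (src_mac + socket.inet_aton(sender_ip)
            + target_mac + socket.inet_aton(target_ip))
    return eth_header + arp_header + body


def build_gratuitous_arp(src_mac: bytes, ip: str, opcode: int = ARP_REQUEST) -> bytes:
    """Gratuitous ARP: sender IP == target IP. An announcement in request form
    carries an all-zero target MAC (RFC 5227); the reply form repeats the sender MAC."""
    target_mac = ZERO_MAC if opcode == ARP_REQUEST else src_mac
    return build_arp(src_mac, ip, ip, opcode, target_mac)


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; raises ValueError if it is not IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4 over Ethernet")
    return {
        "dst_mac": frame[0:6],
        "src_mac": frame[6:12],
        "opcode": opcode,
        "sender_mac": frame[22:28],
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": frame[32:38],
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def is_gratuitous(frame: bytes) -> bool:
    """True when the frame announces its own address rather than resolving another."""
    try:
        arp = parse_arp(frame)
    except ValueError:
        return False
    return arp["opcode"] in (ARP_REQUEST, ARP_REPLY) and arp["sender_ip"] == arp["target_ip"]


def apply_to_arp_cache(cache: dict, frame: bytes) -> dict:
    """Model a neighbour (switch, router, host) learning from a received ARP frame:
    the sender's IP-to-MAC binding is installed regardless of the opcode."""
    arp = parse_arp(frame)
    cache[arp["sender_ip"]] = arp["sender_mac"]
    return cache


def validate_frequency(seconds: int) -> int:
    """Reject values outside the range accepted by the Frequency (in seconds) field."""
    if not 1 <= seconds <= MAX_FREQUENCY_SECONDS:
        raise ValueError(f"frequency must be between 1 and {MAX_FREQUENCY_SECONDS} seconds")
    return seconds


def demo() -> dict:
    """Constructed scenario: the cluster's shared address 192.0.2.1 (sample value) moves
    from the old active member's MAC to the new active member's MAC after a swap."""
    old_active_mac = bytes.fromhex("001122334455")  # constructed
    new_active_mac = bytes.fromhex("0011223344aa")  # constructed
    neighbour_cache = {"192.0.2.1": old_active_mac}
    announcement = build_gratuitous_arp(new_active_mac, "192.0.2.1")
    apply_to_arp_cache(neighbour_cache, announcement)
    return {"frame_len": len(announcement),
            "gratuitous": is_gratuitous(announcement),
            "learned_mac": neighbour_cache["192.0.2.1"]}


if __name__ == "__main__":
    print(demo())
```

An ordinary resolution request (sender and target IP differ) is not gratuitous and is rejected by `is_gratuitous`, so the same checker can be pointed at a capture to count how many announcements the active member actually emitted during a swap. Note that a neighbour accepts whatever binding it receives; nothing in ARP authenticates the announcement, which is why the same mechanism is also the basis of ARP spoofing on an unprotected segment.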
Force MAC address synchronization

This option lets you choose whether MAC address synchronization should be forced during a cluster failover. The activation or deactivation of this synchronization is immediate.

MAC address synchronization is enabled by default on physical firewalls and disabled by default on virtual machines (EVA).

It may be necessary to disable this option in configurations using link aggregation (LACP), for example.

Impact of the unavailability of an interface on a firewall's quality indicator

Interface This column lists all of your firewall’s Ethernet interfaces.
Weight [0-9999] The weight assigns a relative value to the interface. Every listed interface has a default weight of 100, so they all carry the same weighting by default.
Edit the value after selecting the relevant checkbox to change this, e.g. assign a weight of 150 to the “in” interface so that its loss degrades the quality indicator more than the loss of the “out” interface or any of the others.

NOTE
Set all unused interfaces to 0 so that they will not affect the quality calculation.

NOTE
Disabled network interfaces do not appear in the high availability quality calculations.
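To make the effect of the weights, the unused interfaces set to 0 and the Active firewall if equal setting concrete, here is an illustrative model of the quality calculation and the active-member election. It is added for this edition and is not Stormshield's implementation or its published formula: it assumes that a member's quality is the share of the total monitored weight carried by interfaces whose link is up, that disabled interfaces and weight-0 interfaces are left out of the total, and that in Automatic mode a tie leaves the currently active member in place. Interface names, weights and serial numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

WEIGHT_MIN, WEIGHT_MAX = 0, 9999  # range of the Weight column


@dataclass
class Interface:
    name: str
    weight: int = 100        # default weight shown in the Weight column
    enabled: bool = True     # disabled interfaces do not appear in the calculation
    link_up: bool = True

    def __post_init__(self):
        if not WEIGHT_MIN <= self.weight <= WEIGHT_MAX:
            raise ValueError(
                f"{self.name}: weight {self.weight} outside [{WEIGHT_MIN}-{WEIGHT_MAX}]")


@dataclass
class Member:
    serial: str
    interfaces: List[Interface]


def quality(member: Member) -> float:
    """Assumed model: percentage of monitored weight whose link is up.
    Disabled interfaces are excluded; weight 0 adds nothing to either sum,
    so an unused port set to 0 cannot lower the indicator when it is down."""
    monitored = [i for i in member.interfaces if i.enabled and i.weight > 0]
    total = sum(i.weight for i in monitored)
    if total == 0:
        return 100.0  # nothing monitored: treat the member as fully healthy
    up = sum(i.weight for i in monitored if i.link_up)
    return round(100.0 * up / total, 2)


def elect_active(local: Member, remote: Member, preference: str = "automatic",
                 current_active: Optional[str] = None) -> str:
    """Return the serial number of the member that should be active.
    A higher quality always wins; Active firewall if equal only breaks ties.
    preference: "automatic", "local" (This firewall) or "remote" (The other firewall)."""
    q_local, q_remote = quality(local), quality(remote)
    if q_local != q_remote:
        return local.serial if q_local > q_remote else remote.serial
    if preference == "local":
        return local.serial
    if preference == "remote":
        return remote.serial
    # Assumed behaviour for Automatic: no priority, so the current active member stays.
    return current_active or local.serial


def sample_member(serial: str, out_link_up: bool = True) -> Member:
    """Constructed configuration: 'in' weighted 150, 'out' and 'dmz' at the default 100,
    an unused port5 set to 0 with no cable, and a disabled port6 with no cable."""
    return Member(serial, [
        Interface("in", 150),
        Interface("out", 100, link_up=out_link_up),
        Interface("dmz", 100),
        Interface("port5", 0, link_up=False),
        Interface("port6", 100, enabled=False, link_up=False),
    ])


def demo() -> dict:
    local = sample_member("SN110A0000000001", out_link_up=False)   # lost its 'out' cable
    remote = sample_member("SN110A0000000002")
    return {
        "quality_local": quality(local),
        "quality_remote": quality(remote),
        "active": elect_active(local, remote, "local", current_active=local.serial),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the local member has This firewall selected, but losing the “out” link drops its quality to 71.43 % against 100 % for the remote member, so the remote member becomes active regardless of the preference. The down-but-unused port5 (weight 0) and the disabled port6 change nothing, which is what the two notes above recommend. Had port5 been left at the default weight of 100, an empty port would permanently cost the member 100 of its 450 points.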

 

Next, click on Apply.