19.1. General High Availability

High Availability in VT AIR is composed of three different and independent settings:

  • Configuration Synchronization

  • States Synchronization

  • VRRP Virtual IPs

Each of these settings can be enabled independently of the others, and they do not influence each other. A complete HA setup, though, only makes sense when all three parts are activated.

The High Availability Synchronization will only start if both devices are running the same VT AIR version.

A High Availability Wizard is available for easy onboarding of the secondary firewall.

19.1.1. Interface setup

The interfaces will only be synced if the two devices have the same VT AIR model. If that is not the case, there is an interface requirement to meet before you start the High Availability setup: since the two devices do not need to be the same make and model, you have to configure the interfaces individually first.

The synchronizations depend on stable internal interface names (WAN, LAN, INT1, INT2, …). These names have to match on both ends of a sync master and client. The INTX numbers are set automatically by the system in the background and can be seen in Interfaces → Assign or in the upper left corner of each interface settings page.

Please make sure that both devices have the same number of interfaces and that the names match up on both ends. Also make sure that the interface IPs are different and do not conflict.

If you do not have the same number of interfaces, please create dummy interfaces on the secondary firewall with hardware interface none. These interfaces can stay disabled.
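The checks from this section, together with the Synchronization Interface addressing requirement from 19.1.2, can be run as a pre-flight script before enabling HA. This is an added example, not part of VT AIR: the function name `ha_preflight`, the inventory format (internal name mapped to `ip/prefix`, or `None` for a disabled or dummy interface) and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def ha_preflight(master, secondary, sync_name):
    """Check two {internal_name: "ip/prefix" or None} inventories.

    Returns a sorted list of findings; an empty list means the checks pass.
    """
    findings = []
    # Internal names (WAN, LAN, INT1, ...) must match on both ends.
    for name in master.keys() - secondary.keys():
        findings.append(f"{name}: missing on secondary; add a dummy "
                        "interface with hardware interface none")
    for name in secondary.keys() - master.keys():
        findings.append(f"{name}: missing on master")

    # No address may be used twice across the two devices.
    seen = defaultdict(list)
    for device, inventory in (("master", master), ("secondary", secondary)):
        for name, cidr in inventory.items():
            if cidr is not None:  # None = disabled or dummy interface
                seen[ipaddress.ip_interface(cidr).ip].append(f"{device}/{name}")
    for ip, users in seen.items():
        if len(users) > 1:
            findings.append(f"{ip}: used by {', '.join(users)}")

    # Both sync interfaces need a static address in the same network.
    m, s = master.get(sync_name), secondary.get(sync_name)
    if m is None or s is None:
        findings.append(f"{sync_name}: sync interface needs an IP on both devices")
    elif ipaddress.ip_interface(m).network != ipaddress.ip_interface(s).network:
        findings.append(f"{sync_name}: sync addresses are in different networks")
    return sorted(findings)


# Constructed sample inventories (typed by hand, not exported from VT AIR).
MASTER = {"WAN": "198.51.100.2/29", "LAN": "10.0.0.2/24",
          "INT1": "172.16.0.1/30", "INT2": "10.0.20.2/24"}
SECONDARY = {"WAN": "198.51.100.3/29", "LAN": "10.0.0.2/24",
             "INT1": "172.16.0.2/30"}

if __name__ == "__main__":
    for finding in ha_preflight(MASTER, SECONDARY, sync_name="INT1"):
        print(finding)
```

With the sample data the script reports the duplicated LAN address and the missing INT2 on the secondary; after correcting the LAN address and adding INT2 as a dummy interface (`None`), it returns no findings.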

19.1.2. Synchronization Interface

It is highly recommended to use a Synchronization Interface for all sync activities. The data are partially unencrypted and it is important that they arrive on each box in a timely and safe manner.

Use either a separate VLAN or a separate physical Interface.

High Availability Sync VLAN

High Availability Sync Interface

Give each VT AIR a static IP Address in this network and do not enable the DHCP Server.

High Availability Sync Interface Settings

Make sure that there is a Firewall Rule to allow all Traffic to the Interface IP Address on the Sync Interface on each VT AIR.

High Availability Sync Firewall Rule

Set the same password for the hasync user on each VT AIR.

Mode is Multicast by default. It allows for multiple Firewalls to exchange state information. If you have a special requirement, you can change the mode to Unicast and send state information to one peer only. Please define the peer IP Address. This setting needs to be set on both VT AIRs.

19.1.3. VRRP Mode

The VRRP mode is Multicast by default. VRRP state information is exchanged via Multicast on each Interface on which a VRRP IP is defined. This also makes sure that a Layer 2 check is performed.

In certain cloud or virtual environments, there might not be a Layer 2 Multicast connection between firewalls. In that case, set the Mode to Unicast and a new option will show to also change the VRRP mode from Multicast to Unicast.

The Unicast mode will send all VRRP information on the Sync Interface to the Peer IP Address, and not on the interfaces on which the VRRP IP is defined. The Layer 2 check on each interface is also lost in this scenario.

High Availability VRRP Unicast Mode

19.1.4. High Availability Nodes

There is no limit to the number of nodes you can add to the HA setup. You can daisy chain nodes in VT AIR; you only need to have the Configuration Sync enabled on each node that should sync to the next one.

Some systems, like DHCP, do not support more than three members though.

19.1.5. Secondary Firewall

The secondary firewall will show a red sign in the upper right corner.

High Availability Secondary Firewall

Note

Please do not make any configuration changes to the secondary firewall as they will be overridden by the master.

19.1.6. Onboarding Wizard

The master firewall will show an onboarding wizard the first time you click on High Availability in the menu.

High Availability Wizard

You can configure the main settings and the wizard will connect to the secondary firewall in order to set it up for High Availability.

  • States Sync enables the synchronization of states.

  • DHCP HA enables the HA mode for the DHCP Server.

  • Configuration Sync enables the configuration sync from the master to the Secondary.

  • Sync Interface should be a separate Interface (or VLAN Interface) where the Master will synchronize data with the Secondary.

  • Remote Webgui is the URL of the secondary firewall to enable the HA settings. It does not need to be the Sync Interface; the Master Firewall only needs access to the Secondary Firewall on that interface to set it up for HA.

  • Admin User for the secondary firewall for the onboarding operation.

  • Password for the admin user.

The Wizard will set up the secondary firewall and configure it for the HA mode. The special user hasync will be used for the configuration sync. The password will be randomly generated.