11.3. Setting Up HA
This section provides a step-by-step guide for setting up an HA Cluster.
11.3.1. HA Hardware Setup
The steps for the setup of hardware in an HA cluster are as follows:
1.
Start with two physically similar NetDefend Firewalls. Both may be newly purchased or an
existing unit may have a new unit added to it.
The master hardware does not need to exactly match the slave, however it is recommended that
hardware with similar performance is used in order to avoid any performance changes after a
failover.
2.
Make the physical connections:
•
Connect the matching interfaces of master and slave through separate switches or separate
broadcast domains. It is important to keep the traffic on each interface pair separated from
other pairs.
•
Connect together the sync interfaces. This can be done directly with a crossover cable or
through a separate switch (or broadcast domain).
3.
Decide on a shared IP address for each interface in the cluster. Some interfaces could have
shared addresses only while others could also have unique, individual IP addresses for each
interface specified in a IP4 HA Address object. The shared and individual addresses are used as
follows:
•
The individual addresses specified for an interface in an IP4 HA Address object allow
remote management through that interface. These addresses can also be "pinged" using
ICMP provided that IP rules are defined to permit this (by default, ICMP queries are
dropped by the rule set).
If either unit is inoperative, its individual IP addresses will also be unreachable. These IP
addresses are usually private but must be public if management access across the public
Internet is required.
If an interface is not assigned an individual address through an IP4 HA Address object then
it must be assigned the default address localhost which is an IP address from the
sub-network 127.0.0.0/8.
ARP queries for the individual IP addresses specified in IP4 HA Address objects are
answered by the firewall that owns the address, using the normal hardware address, just as
with normal IP units.
•
One single shared IP address is used for routing and it is also the address used by dynamic
address translation, unless the configuration explicitly specifies another address.
Note: Management cannot be done through the shared IP
The shared IP address cannot be used for remote management or monitoring
purposes. When using, for example, SSH for remote management of the
NetDefend Firewalls in an HA Cluster, the individual IP addresses of each
firewall's interfaces must be used and these are specified in IP4 HA Address
objects as discussed above.
Typical HA Cluster Network Connections
11.3. Setting Up HA
Chapter 11. High Availability
494
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...