Firewall / High Availability
Parent topic: High Availability

High Availability Settings

Use the High Availability settings to specify the connection parameters for the master/slave configuration.

The High Availability feature requires two identical systems of the same hardware type (for example UF‑200 with UF‑200 or UF‑500 with UF‑500) and software version. Furthermore, a free network interface (NIC) is required on both systems that is not in use by any other interface (like VLAN or bridge) or any network connection. For more information, see Interfaces and Network Connections. You have to use the same NIC on both systems for cluster interconnection.

The master system synchronizes its initial configuration and any subsequent configuration changes to the slave system to ensure that the same configuration is used in the event of failure.

Important:

High Availability can only be activated if no background processes, such as updates or backups, are running.

Navigate to Firewall > High Availability configure the high availability settings.

The High Availability configuration dialog allows you to configure the following elements:

Input field Description
I/0 A slider switch indicates whether the High Availability feature is active (I) or inactive (0). By clicking the slider switch, you can toggle the state of High Availability. High Availability is deactivated by default.
Status Displays the High Availability status of your LANCOM R&S®Unified Firewall. The following statuses are available:
  • Disabled – High Availability is not enabled on the firewall.
  • No connection – High Availability is enabled on the firewall but the other firewall cannot be reached.
  • Not synced – High Availability is enabled on the firewall and the other firewall can be reached, but the configuration from the master system has not been synchronized to the standby (slave) system yet.
  • Synchronized and ready – High Availability is enabled on the firewall. The other firewall can be reached and is synchronized.
  • Updating – High Availability is enabled on the firewall. The other firewall can be reached. Both systems are being updated.
    Note: The update process consists of multiple steps that can be tracked in Update Settings dialog and in the Info Area.
Initial Role Select the respective radio button to specify the role which your LANCOM R&S®Unified Firewall is to play in the HA cluster:
  • Master – The LANCOM R&S®Unified Firewall is active and synchronizes its configuration to the LANCOM R&S®Unified Firewall being the slave.
  • Slave – The LANCOM R&S®Unified Firewall is not active (i. e. it cannot be reached using the web client) but it receives the master configuration and is prepared for taking over.
HA Interface From the drop-down list, select the interface to be used for the HA cluster communication. This interface cannot be used for any other firewall services.
Important: The same interface (NIC) must be used on both LANCOM R&S®Unified Firewall systems for Cluster Interconnection.
Local IP Enter the IP address which you want to assign to the HA interface on the LANCOM R&S®Unified Firewall in CIDR notation (IP address followed by a slash "/" and the number of bits set in the subnet mask, e. g. 192.168.50.1/24).
Remote IP Enter the IP address under which the LANCOM R&S®Unified Firewall can reach the other LANCOM R&S®Unified Firewall of the HA cluster.
Important:

Local IP and Remote IP must be in the same subnet. HA cluster communication is not supported for routed networks.

If you have modified these settings, use the buttons at the bottom right of the editor panel to confirm (Save) or to discard your changes (Reset). Otherwise, you can close the dialog (Close).

Click Activate in the toolbar at the top of the desktop to apply your configuration changes.

Important:

Before you connect the slave system to the master with the cluster interconnect cable and configure High Availability on the slave, the configuration of the master system must be complete and activated.

Connect the slave system with the same "WAN" and "LAN" network components as the master system (see Figure 1).

Note:

Only the master system can be reached and configured using the web client.

If you want to change the High Availability configuration (for example to change the HA interface), first disable High Availability, then change the configuration. Then, turn High Availability back on with the new configuration.

To use both firewalls with your LANCOM R&S®UF Command Center, you need to configure them separately. When High Availability (HA) is enabled, the LANCOM R&S®UF Command Center settings are synchronized using the slave node to configure your LANCOM R&S®UF Command Center only once. For more information see Command Center

To make the HA feature work properly, the time settings of both firewalls need to be in sync. When you enable the HA feature, the settings are configured as folows:

  1. The NTP client and server are activated on both firewalls.
  2. Cluster link IP addresses are added to both nodes of the NTP server list.

You can find more information under Time Settings

To remove the slave system from the High Availability configuration and operate it as a standalone system, click the slider switch to deactivate the HA feature. The configuration settings of the slave node and the IP addresses of the network interface are set to default.

Important: It is possible that the default IP addresses of the slave node are in conflict with the IP addresses of the master node after the reset. For more information, see Getting Started. Contact our Support team to let them reconfigure the settings of the master node before deactivating the HA feature.
Parent topic: High Availability

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de

LANCOM Logo