HA, the abbreviation for High Availability, provides a failover solution for communications line or device failure to ensure the smooth communication and effectively improve the reliability of the network. To implement the HA function, you need to configure the two security devices as HA clusters, using the identical hardware platform, firmware version, both enabling VR and AV functions, with anti-virus license installed. When one device is not available or can not handle the request from the client properly, the request will be promptly directed to the other device that works normally, thus ensuring uninterrupted network communication and greatly improving the reliability of communications.
Security devices support two HA modes: Active-Passive (A/P) and Active-Active (A/A).
For the external network devices, a HA cluster is a single device which handles network traffic and provides security services. The HA cluster is identified by its cluster ID. After specifying a HA cluster ID for the device, the device will be in the HA state to implement HA function.
System will select the primary and backup device of the same HA group ID in a HA cluster according to the HCMP protocol and the HA configuration. The primary device is in active state and processes network traffic. When the primary device fails, the backup device will take over its work.
When assigning a cluster ID to the device, the HA group with ID 0 will be automatically created. In Active-Passive (A/P) mode, the device only has HA group 0. In Active-Active (A/A) mode, the latest system version supports two HA groups, i.e., Group 0 and Group 1.
In the HA environment, each HA group has an interface to forward traffic, which is known as Virtual Forward Interface. The primary device of each HA group manages a virtual MAC (VMAC) address which is corresponding with its interface, and the traffic is forwarded on the interface. Different HA groups in a HA cluster cannot forward data among each other. VMAC address is defined by HA cluster ID, HA group ID and the physical interface index.
In a HA cluster, if the group ID of the HA devices is the same, the one with higher priority will be selected as the primary device.
To ensure the backup device can take over the work of the primary device when it fails, the primary device will synchronize its information with the backup device. There are three types of information that can be synchronized: configuration information, files and RDO (Runtime Dynamic Object). The specific content of RDO includes:
System supports two methods to synchronize: real-time synchronization and batch synchronization. When the primary device has just been selected successfully, the batch synchronization will be used to synchronize all information of the primary device to the backup device. When the configurations change, the real-time synchronization will be used to synchronize the changed information to the backup device. Except for the HA related configurations and local configurations (for example, the host name), all the other configurations will be synchronized.
Related Topics: