User manual
11.3. HA Setup
This section provides a step-by-step guide for setting up an HA Cluster.
11.3.1. HA Hardware Setup
The steps for the setup of hardware in an HA cluster are as follows:
1. Start with two physically similar NetDefend Firewalls. Both may be newly purchased or an
existing unit may have a new unit added to it.
The master hardware does not need to match the slave exactly; however, it is recommended that
hardware with similar performance is used in order to avoid any performance change after a
failover.
2. Both units should have the appropriate licenses for a cluster; otherwise HA will not function.
3. Make the physical connections:
• Connect the matching interfaces of master and slave through separate switches or separate
broadcast domains. It is important to keep the traffic on each interface pair separated from
other pairs.
• Connect together the sync interfaces. This can be done directly with a crossover cable or
through a separate switch (or broadcast domain).
4. Decide on a shared IP address for each interface in the cluster. Some interfaces could have
shared addresses only, while others could also have unique, individual IP addresses for each
interface specified in an IP4 HA Address object. The shared and individual addresses are used as
follows:
• The individual addresses specified for an interface in an IP4 HA Address object allow
remote management through that interface. These addresses can also be "pinged" using
ICMP provided that IP rules are defined to permit this (by default, ICMP queries are
dropped by the rule set).
If either unit is inoperative, its individual IP addresses will also be unreachable. These IP
addresses are usually private but must be public if management access across the public
Internet is required.
If an interface is not assigned an individual address through an IP4 HA Address object, then
it must be assigned the default address localhost, which is an IP address from the subnet
127.0.0.0/8.
ARP queries for the individual IP addresses specified in IP4 HA Address objects are
answered by the firewall that owns the address, using the normal hardware address, just as
with normal IP units.
• One single shared IP address is used for routing and it is also the address used by dynamic
address translation, unless the configuration explicitly specifies another address.
Note: Management cannot be done through the shared IP
The shared IP address cannot be used for remote management or monitoring
purposes. When using, for example, SSH for remote management of the
NetDefend Firewalls in an HA Cluster, the individual IP addresses of each
firewall's interfaces must be used and these are specified in IP4 HA Address
objects as discussed above.
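As an added worked example that is not part of the manual and not D-Link tooling, the following Python script encodes the address rules of step 4 as a pre-deployment check of a cluster address plan: each interface pair has one shared address for routing and NAT, optional individual (IP4 HA Address) addresses per unit, localhost from 127.0.0.0/8 as the default when no individual address is given, management only via individual addresses, and ARP for an individual address answered by the unit that owns it. The class and function names (InterfacePlan, validate_plan, management_target, arp_owner) and the sample addresses are assumptions constructed for the example.

```python
"""Pre-deployment sanity check for an HA cluster address plan.

Constructed example (not D-Link's tooling): models the shared/individual
address rules from the HA hardware setup steps and flags plan errors
before they are typed into the firewalls.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional

# Default for interfaces without an IP4 HA Address object: an address
# from 127.0.0.0/8 ("localhost" in the manual's terms).
LOCALHOST_NET = IPv4Network("127.0.0.0/8")
DEFAULT_LOCALHOST = IPv4Address("127.0.0.1")


@dataclass
class InterfacePlan:
    """One interface pair of the cluster: a shared address plus optional
    per-unit addresses (the IP4 HA Address object), in CIDR notation."""
    name: str
    shared: str                      # e.g. "10.0.0.1/24": used for routing and NAT
    master: Optional[str] = None     # individual address of the master unit
    slave: Optional[str] = None      # individual address of the slave unit

    def network(self) -> IPv4Network:
        return IPv4Interface(self.shared).network

    def individual(self, unit: str) -> IPv4Address:
        """Effective individual address of 'master' or 'slave' (localhost if none given)."""
        raw = {"master": self.master, "slave": self.slave}[unit]
        return IPv4Interface(raw).ip if raw else DEFAULT_LOCALHOST


def validate_plan(plans: List[InterfacePlan]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    seen: Dict[IPv4Address, str] = {}
    for p in plans:
        shared_ip = IPv4Interface(p.shared).ip
        net = p.network()
        for unit in ("master", "slave"):
            ip = p.individual(unit)
            if ip in LOCALHOST_NET:
                continue  # shared-only interface: valid, but no remote management through it
            if ip not in net:
                problems.append(f"{p.name}: {unit} address {ip} is outside shared subnet {net}")
            if ip == shared_ip:
                problems.append(f"{p.name}: {unit} address equals the shared address {shared_ip}")
        if p.master and p.slave and p.individual("master") == p.individual("slave"):
            problems.append(f"{p.name}: master and slave use the same individual address")
        # Every real address must be unique across the whole cluster.
        for label, ip in (("shared", shared_ip),
                          ("master", p.individual("master")),
                          ("slave", p.individual("slave"))):
            if ip in LOCALHOST_NET:
                continue
            if ip in seen:
                problems.append(f"{p.name}: {label} address {ip} already used on {seen[ip]}")
            else:
                seen[ip] = p.name
    return problems


def management_target(plan: InterfacePlan, unit: str) -> IPv4Address:
    """Address to use for SSH/management of one unit over this interface.
    The shared address is never valid for management, and an interface left
    on localhost cannot be managed remotely at all."""
    ip = plan.individual(unit)
    if ip in LOCALHOST_NET:
        raise ValueError(f"{plan.name}: {unit} has no IP4 HA Address, cannot be managed here")
    return ip


def arp_owner(plans: List[InterfacePlan], target: str) -> Optional[str]:
    """Which unit ('master'/'slave') answers an ARP query for an individual
    address, or None when the address is not an individual address of any
    interface (the shared address is not answered this way)."""
    wanted = IPv4Address(target)
    for p in plans:
        for unit in ("master", "slave"):
            ip = p.individual(unit)
            if ip not in LOCALHOST_NET and ip == wanted:
                return unit
    return None


# Constructed sample plan: lan has individual addresses, dmz is shared-only.
SAMPLE_PLAN = [
    InterfacePlan("lan", "192.168.1.1/24", "192.168.1.2/24", "192.168.1.3/24"),
    InterfacePlan("dmz", "10.10.0.1/24"),
]

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(line)
    print("manage master via", management_target(SAMPLE_PLAN[0], "master"))
```

Running the script on the sample plan reports "plan OK" and names 192.168.1.2 as the master's management address on lan; asking for a management address on the shared-only dmz interface raises, which is the case the note above warns about.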
11.3. HA Setup Chapter 11. High Availability