The High Availability > Advanced page is used to configure the stateful synchronization and Active/Active UTM features. The Advanced page also provides the ability to fine tune a number of High Availability options that manage the settings that trigger the High Availability pair to fail over from the primary to the backup appliance.
|
1
|
Select a SonicWALL appliance and click the Policies tab. Expand the High Availability tree and click Advanced.
|
|
2
|
Select Enable Stateful Synchronization to configure stateful High Availability. With Stateful High Availability, the primary unit actively communicates with the backup on a per connection and VPN level. As the primary creates and updates connection cache entries or VPN tunnels, the backup unit is informed of such changes. The backup unit remains in a continuously synchronized state so that it can seamlessly assume the network responsibilities upon failure of the primary unit with no interruption to existing network connections.
|
|
3
|
To configure Active/Active UTM select Enable Active/Active UTM.
In an active/active model, both SonicWALL firewall appliances share the processing of Deep Packet Inspection (DPI) UTM services. When Active/Active UTM is enabled on a Stateful HA pair, these DPI UTM services can be processed concurrently with firewall, NAT, and other modules on both the active and idle SonicWALL firewall appliances. Processing of all modules other than DPI UTM services is restricted to the active unit. |
|
4
|
If enabling Active/Active UTM, select an interface in the HA Data Interface pull-down list. This interface is used for transferring data between the two units during Active/Active UTM processing. Only unassigned, available interfaces appear in the pull-down list.
|
|
5
|
Select Enable Preempt Mode to configure the primary SonicWALL appliance to take over from the backup SonicWALL appliance when it becomes available. Otherwise, the backup SonicWALL appliance remains active.
|
|
6
|
Select Generate/Overwrite Backup Firmware and Settings When Upgrading Firmware to overwrite the current firmware backup settings when upgrading. With this option, the current settings at the time of upgrade are saved as backup settings.
|
|
7
|
Select Enable Virtual MAC. When the Stateful High Availability Upgrade is licensed, Virtual MAC capability is also licensed. Virtual MAC allows the backup unit in an HF pair to use the MAC address of the primary unit when a failover occurs. Alternatively, you can manually set a virtual MAC address for both units to use. Virtual MAC addressing contributes to network continuity and efficiency during a failover in the same way as the use of virtual IP addresses. During a failover, the backup unit uses the same virtual IP address that was used by the primary unit. The Virtual MAC feature avoids the need to update the whole network to associate the virtual IP address with the actual physical MAC address of the backup unit.
|
|
•
|
Enter the heartbeat interval (in seconds) in the Heartbeat Interval field.
|
|
•
|
Specify how long the backup waits before replacing the primary (in seconds) in the Failover Trigger Level field.
|
|
•
|
To specify how long the SonicWALL appliance searches, enter the number of seconds in the Election Delay Time field. You can enter a value between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases.
|
|
•
|
Optionally, change the value in the Dynamic Route Hold-Down Time field. This setting is used when a failover occurs on a High Availability pair that is using either RIP or OSPF dynamic routing. When a failover occurs, Dynamic Route Hold-Down Time is the number of seconds the newly-active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a larger value might improve network stability during a failover.
|
|
9
|
When changes are made to the Primary or Secondary SonicWALL firewall appliance, the changes are automatically synchronized between the two SonicWALL firewall appliances. To cause the synchronization to occur now, click Synchronize Settings. Additionally, selecting Include Certificates/Keys synchronizes certificates and keys between devices.
|
|
10
|
|
11
|
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
|