D-Link NetDefendOS User Manual page 828

Network security firewall

The individual addresses specified for an interface in an IP4 HA Address object allow
remote management through that interface. These addresses can also be "pinged" using
ICMP provided that IP rules are defined to permit this (by default, ICMP queries are
dropped by the rule set).

If either unit is inoperative, its individual IP addresses will also be unreachable. These IP
addresses are usually private but must be public if management access across the public
Internet is required.

If an interface is not assigned an individual address through an IP4 HA Address object
then it must be assigned the default address localhost (the loopback address) which is
an IP address from the sub-network 127.0.0.0/8. The localhost object behaves as two
addresses and uses 127.0.0.1 for the master and 127.0.0.2 for the slave.

ARP queries for the individual IP addresses specified in IP4 HA Address objects are
answered by the firewall that owns the address, using the normal hardware address, just
as with normal IP units.

One single shared IP address is used for routing and it is also the address used by
dynamic address translation, unless the configuration explicitly specifies another
address.

Note: Master and slave management IPs must be different

The shared IP address cannot be used for remote management or monitoring
purposes. For example, when using SSH for remote management of the NetDefend
Firewalls in an HA Cluster, the individual IP addresses of each firewall's interfaces
must be used and these are specified in IP4 HA Address objects as discussed above.
For this reason the management IP addresses of the cluster units must be different.
It is recommended to change the management IP address of the slave unit so it is
different from the master. Changing the management IP is described in
Section 2.1.2, "Configuring Management Access".
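
The addressing rules above can be checked against a cluster address plan before it is deployed. The following is an added example, not part of the D-Link manual: the dictionary layout, the interface names and the addresses are constructed for illustration, and the RFC 1918 test is an assumption about what counts as a private management address.

```python
import ipaddress

# The localhost object: 127.0.0.1 on the master, 127.0.0.2 on the slave (per the manual).
LOCALHOST_PAIR = ("127.0.0.1", "127.0.0.2")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_ha_plan(plan):
    """Return (interface, finding) tuples for a cluster address plan.

    plan maps interface name -> {"shared": ip, "ha": (master_ip, slave_ip) or None}.
    This layout is hypothetical; it is not a NetDefendOS export format.
    """
    findings = []
    for ifname, cfg in plan.items():
        shared = ipaddress.ip_address(cfg["shared"])
        # Without an IP4 HA Address object the interface falls back to localhost.
        pair = cfg.get("ha") or LOCALHOST_PAIR
        master, slave = (ipaddress.ip_address(a) for a in pair)
        if master.is_loopback or slave.is_loopback:
            findings.append((ifname, "localhost only: no individual address for management"))
            continue
        if master == slave:
            findings.append((ifname, "master and slave individual IPs are identical"))
        if shared in (master, slave):
            findings.append((ifname, "individual IP equals the shared IP"))
        for role, addr in (("master", master), ("slave", slave)):
            if not any(addr in net for net in RFC1918):
                findings.append((ifname, f"{role} IP {addr} is not RFC 1918 private: "
                                         "confirm Internet management is intended"))
    return findings

# Constructed sample plan; 203.0.113.0/24 is a documentation range standing in for public space.
SAMPLE_PLAN = {
    "lan":  {"shared": "192.168.1.1", "ha": ("192.168.1.2", "192.168.1.3")},
    "dmz":  {"shared": "10.0.0.1",    "ha": ("10.0.0.2", "10.0.0.2")},
    "wan":  {"shared": "203.0.113.1", "ha": ("203.0.113.2", "203.0.113.3")},
    "lan2": {"shared": "172.16.0.1",  "ha": None},
}

if __name__ == "__main__":
    for ifname, finding in audit_ha_plan(SAMPLE_PLAN):
        print(f"{ifname}: {finding}")
```
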

Typical HA Cluster Network Connections

The illustration below shows the arrangement of typical HA Cluster connections in a network. All
interfaces on the master unit would normally also have corresponding interfaces on the slave
unit and these would be connected to the same networks. This is achieved by connecting the
same interfaces on both master and slave via a separate switch (or broadcast domain) to other
network portions.
Chapter 11: High Availability
