Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 388

cluster, any changes you make to the configuration on one member of the cluster
propagate to the other. Members of the same NSRP cluster maintain identical settings
for policies and policy objects (such as addresses, services, VPNs, users, and schedules)
and system parameters (such as settings for authentication servers, DNS, SNMP, syslog,
and so on).
Before two security devices can provide redundant network connectivity, you must group
them in the same NSRP cluster. In an NSRP cluster, one device acts as a primary and the
other as a backup:
In active/passive configurations, the primary device handles all firewall and VPN
activities while the backup waits to take over when the primary fails. You can configure
the cluster in active/passive operation when the interfaces are in Transparent, NAT,
or Route mode:
Transparent Mode. When interfaces are in Transparent mode, security zone interfaces
do not have IP addresses, and the security device forwards traffic like a Layer 2 switch.
To manage a backup device, you use the manage IP address that you set on the
VLAN1 interface.
NAT or Route Mode. When interfaces are in NAT or Route mode, the security zone
interfaces have IP addresses, and the device forwards traffic like a Layer 3 router.
To manage a backup device, you must use the manage IP address that you set per
security zone interface; you cannot set a manage IP address on a virtual security
interface (VSI) for any virtual security device (VSD) group except VSD group 0.
In active/active configurations, you create two VSD groups for the cluster. One device
acts as the primary device of one VSD group, while the other device acts as the backup
for the same group. In the other VSD group, the device roles are reversed, so each device
is the primary device of one VSD group and the backup in the other VSD group. You
can configure the cluster in active/active operation when the interfaces are in NAT or
Route mode. The security zone interfaces have IP addresses, and the device forwards
traffic like a Layer 3 router. To manage a backup device, you must use the manage IP
address that you set per security zone interface; you cannot set a manage IP address
on a VSI for any VSD group except VSD group 0.
Because of the sensitive nature of NSRP communications, you can secure all NSRP traffic
through encryption and authentication. For encryption and authentication, NSRP supports
the DES and MD5 algorithms respectively. However, if the HA cables run directly from
one security device to another (that is, not through a switch forwarding other kinds of
network traffic), it is unnecessary to use encryption and authentication.
In addition to NSRP clusters, which propagate configurations among group members
and advertise each member's current VSD group state, you can configure the devices
as members of a runtime object (RTO) mirror group, which keeps the RTOs of a pair of
devices synchronized. When the primary device fails, the backup becomes the primary
device with minimal service downtime because it already holds all current sessions.
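As an added illustration (not part of this guide and not Juniper's own example), the following ScreenOS CLI lines show the device-side equivalent of the settings described above for an active/passive pair: cluster membership, NSRP authentication and encryption for HA traffic that crosses a shared switch, RTO mirroring, and a per-interface manage IP for the backup. The cluster id, passwords, interface names, addresses and priorities are assumed placeholder values, the command forms are assumed from ScreenOS 6.x syntax, and lines beginning with `#` are annotations rather than CLI input.

```text
# Enter on each member; policy and system settings then propagate within the cluster.
# Assumed: cluster id 1, ethernet7/ethernet8 as HA links, ethernet1 in Route mode.
set nsrp cluster id 1
set interface ethernet7 zone HA
set interface ethernet8 zone HA
# MD5 authentication and DES encryption of NSRP traffic (same values on both members).
# Optional when the HA cables run directly between the two devices.
set nsrp auth password PLACEHOLDER_AUTH_KEY
set nsrp encrypt password PLACEHOLDER_ENCRYPT_KEY
# Mirror runtime objects so the backup holds current sessions at failover.
set nsrp rto-mirror sync
# Active/passive: both members in VSD group 0; the lower priority value becomes primary.
# Use 50 on the intended primary and 100 on the intended backup.
set nsrp vsd-group id 0 priority 50
# Fail over when the monitored interface goes down.
set nsrp monitor interface ethernet1
# Manage IP set per security zone interface, so the backup stays reachable (Route/NAT mode).
set interface ethernet1 manage-ip 10.1.1.10
save
```

The `auth` and `encrypt` passwords must match on both members or the devices will not form the cluster, which is the check to run first when a pair fails to synchronize.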
Copyright © 2010, Juniper Networks, Inc.