Configuring Monitor Threshold; Vsys Clusters Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

Configuring Monitor Threshold

Related
Documentation

Vsys Clusters Overview

378
If a monitored zone has multiple interfaces, but only one interface in the zone is active,
the device considers the zone active.
If a monitored zone has a single interface bound to it and that interface fails, the device
considers the zone failed.
If a monitored zone has no interfaces bound to it, the zone cannot fail.
If you unbind a downed interface from a zone that contains only that interface, the
device no longer considers the zone failed. Similarly, if you unbind an active interface
from a monitored zone where the remaining interfaces are down, the device considers
the zone failed.
The monitor threshold is the failure threshold for the device or VSD group. All failure
weights for all monitored objects in the device or VSD group contribute to the monitor
threshold when a failure occurs; if the total sum of these failure weights meets or exceeds
the monitor threshold, the device or VSD group fails over.
Alternatively, even if all IP addresses, interfaces, and the zone fail in the device or VSD
group, if the sum of their failure weights does not meet or exceed the monitor threshold,
the device or VSD group does not fail over to the backup VSD group. To ensure that the
device or VSD group fails over at the appropriate time, configure the failure weights of
each monitored object in relation to the monitor threshold.
NSRP Clusters Overview on page 363
Creating an NSRP Cluster on page 365
Active/Active Configurations Overview on page 370
Changing VSD Group Member States (NSM Procedure) on page 373
A vsys cluster is a vsys device that has a cluster as its root device.
To enable failover from one virtual system to another, you must create a virtual system
interface (VSI) for each virtual system. A logical entity at Layer 3 is linked to multiple
Layer 2 physical interfaces in a VSD group. The VSI binds to the physical interface of the
device acting as primary of the VSD group. The VSI shifts to the physical interface of
another device in the VSD group if there is a failover and it becomes the new primary.
Trust zone VSIs—Each vsys has its own trust zone VSI by default. All trust zone VSIs
must be in different subnets.
Untrust zone VSIs—You can configure each vsys to use its own untrust zone VSI or
share the untrust zone VSI from the root device. When virtual systems have their own
untrust zone VSIs, the VSIs must be in different subnets from each other and from the
untrust zone VSI at the root level.
After creating VSI, you must also create VSD groups to contain these VSIs.
Copyright © 2010, Juniper Networks, Inc.