22.5. HA Issues

The following points should be noted when managing and configuring an HA Cluster.

Some ALGs Are Not Synchronized

The FTP and DNS ALGs are not synchronized when an HA failover event occurs. For the FTP ALG, this means restarting file transfers. The SIP ALG has partial synchronization and this is described further at the end of Section 10.3, SIP ALG.

All Cluster Interfaces Need IP Addresses

All interfaces on both HA cluster units should have a valid private IP address object assigned to them. The predefined IP object local host could be assigned for this purpose. An address must be assigned even if the interface has been disabled.

Logging

Log data will come from both master and slave. This means that the log receiver will have to be configured to receive logs from both. It also means that all log queries will likely have to include both master and slave as sources, which will give all the log data in one result view. Normally, the inactive unit will not be sending log entries about live traffic, so the output should look similar to that from a single firewall.

Using Private Individual IP Addresses

The unique individual IP addresses of the master and slave cannot safely be used for anything but management. Using them for anything else, such as for source IPs in dynamically NATed flows or publishing services on them, will inevitably cause problems since a unique IP will disappear when the firewall it belongs to does.

Changing the Cluster ID

Changing the cluster ID in a live environment is not recommended for two reasons. First, this will change the hardware address of the shared IPs and will cause problems for all units attached to the local LAN, as they will keep the old hardware address in their ARP caches until it times out. Such units would have to have their ARP caches flushed.

Second, this breaks the connection between the firewalls in the cluster for as long as they are using different configurations. This will cause both firewalls to go active at the same time.

HA Limitations with IPsec

Established IPsec tunnels are preserved during an HA failover. However, the IKE negotiation phase of tunnel setup is not preserved by a failover. In this case, the tunnel will need to be set up again from the beginning.

Statistics and SNMP

System statistics values are HA node specific in order to enable monitoring of each node. This means that statistical values are not explicitly synchronized between HA nodes. However, some statistical values for features that are HA synchronized will be aligned.

Generally, this means that when HA nodes are fully in sync, statistics for the "current state" (like active sessions) are normally aligned between the nodes, while "historical" values (like received packets on an interface) are, in most cases, different. When using SNMP or the CLI command statistics to monitor statistics for an HA cluster, both firewalls in the cluster need to be polled separately.

Duplicate Interface IDs

Each physical Ethernet interface in a firewall has a unique ID and this ID is inspected by both units in a cluster. If the IDs of the two interfaces which make up a cluster interface pair do not match then both master and slave units will register this and both will generate the log event message HA_CfgNotInSync. In addition, a message will appear on their consoles which includes the line:

    In VLAN vl: Interface ID change of 'vl'(nnnn->mmmm) is not supported.

Here, nnnn and mmmm are the conflicting IDs. The reason for the ID conflict could be, for example, that the interfaces have been added to the configuration in a different order on each cluster unit.

There are two ways to resolve this condition:

  1. Use the following command on the active unit in the cluster:

    System:/> ha -sendconf -reboot

    This synchronizes the configurations by sending the configuration of the active unit to the inactive unit which then reboots after it has received the copy.

    If the above command is issued on the active unit, no failover will occur since it is the passive unit that reboots. However, if the command is issued on the passive unit, a failover will occur since the active unit will reboot and the roles of the cluster nodes will be reversed.

  2. Alternatively, use the following command on the inactive unit in the cluster:

    System:/> ha -recvconf -reboot

    This synchronizes the configurations by fetching the configuration of the active unit to the inactive unit which then reboots after it has received the copy.

    This command is the mirror image of the previous command. If it is issued on the inactive unit, no failover will occur since it is the passive unit that reboots. However, if the command is issued on the active unit, a failover will occur since the active unit will reboot and the roles of the cluster nodes will be reversed.
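
The following is an added example, not part of the original documentation or the vendor's tooling. It scans log and console lines collected from both cluster units for the HA_CfgNotInSync event and the interface ID message quoted above, and lists the resync command that applies to each unit. The line layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

EVENT = "HA_CfgNotInSync"  # log event name given in the section
# Console line given in the section; nnnn and mmmm are the conflicting IDs.
ID_CHANGE = re.compile(
    r"Interface ID change of '(?P<iface>[^']+)'\s*"
    r"\((?P<a>\w+)->(?P<b>\w+)\) is not supported")
UNITS = ("master", "slave")

# Constructed sample: (source unit, line) pairs from a receiver that collects
# from both units. The timestamp/prefix layout is an assumption.
SAMPLE = [
    ("master", "2024-05-01T10:00:01 HA_CfgNotInSync"),
    ("master", "In VLAN vl: Interface ID change of 'vl'(1001->1002) is not supported."),
    ("slave", "2024-05-01T10:00:02 HA_CfgNotInSync"),
    ("slave", "In VLAN vl: Interface ID change of 'vl'(1002->1001) is not supported."),
    ("master", "2024-05-01T10:00:05 unrelated line"),
]


def find_id_conflicts(records):
    """Return (units that logged the event, {iface: {"ids", "units"}})."""
    reporting = set()
    conflicts = defaultdict(lambda: {"ids": set(), "units": set()})
    for unit, line in records:
        if EVENT in line:
            reporting.add(unit)
        m = ID_CHANGE.search(line)
        if m:
            conflicts[m["iface"]]["ids"].update((m["a"], m["b"]))
            conflicts[m["iface"]]["units"].add(unit)
    return reporting, dict(conflicts)


def resync_options(active_unit):
    """Either command resyncs with only the inactive unit rebooting."""
    inactive = next(u for u in UNITS if u != active_unit)
    return {active_unit: "ha -sendconf -reboot",
            inactive: "ha -recvconf -reboot"}


def silent_units(reporting):
    """Units with no event seen: check the receiver collects from both."""
    return sorted(set(UNITS) - reporting)


if __name__ == "__main__":
    reporting, conflicts = find_id_conflicts(SAMPLE)
    print(conflicts, silent_units(reporting), resync_options("master"))
```

Since both units are expected to log the event, a unit returned by silent_units is a hint that the log receiver is not collecting from that unit.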