cOS Core High Availability allows two Clavister firewalls, a master and a slave unit, to operate as a single firewall in an HA cluster. If the master unit ceases to function, the slave will detect this and a failover occurs in which the slave takes over the master's functions. This implements hardware redundancy and provides extremely high system availability. HA is more fully explained in the cOS Core Administrators Guide.
An HA cluster can easily be set up and managed through InControl. This chapter describes how this is done.
A High Availability Cluster is defined as a node in the navigation tree of the InControl Firewalls tab. To create a new HA cluster node, press the Create button in the Firewalls tab toolbar and select the High Availability Cluster option.
The HA Cluster wizard will start to define the cluster. In the wizard, the cluster name is defined and the method of deploying configurations to the cluster is set.
The configuration deployment options are:
Nodes are kept synchronized
With this option InControl uploads a new configuration to the first unit and then, after a delay, to the second unit. When deployment is initiated, InControl asks which firewall should be deployed to first using the dialog below.
Deploying first to the inactive node means that there will be a minimum of service interruptions since only one failover is required. Deploying to the active node first means that there is an increased interruption to traffic since more than one failover is required but also means that the currently active unit remains the active unit after deployment.
The time delay before uploading to the second unit can also be selected (deploying to both firewalls at the same time should never happen).
Automatic synchronization
With this option, a new configuration is uploaded to just one of the firewalls in the cluster and the firewalls themselves then share and synchronize the new configuration. The administrator can select the firewall for deployment.
When this option is selected, the Sync flag of the cluster is set to Enabled and it cannot then be changed through any management interface.
Manually
This option means that the administrator has complete control over configuration deployment and must explicitly deploy the configuration to each firewall in a cluster in order for both to have the same configuration. The administrator manually deploys a new configuration to one firewall and then does the same to the other.
The deployment option chosen can be changed later in the Properties dialog for the cluster.
Adding Firewalls to the Cluster
Once the HA cluster object is created, two types of firewalls can be added to the cluster:
Add an existing firewall
Adding a firewall that is already defined to InControl can be done in one of two ways:
In the Firewalls navigation tree, drag the firewall's node with the mouse and drop it into the cluster node.
Right-click the cluster node and select the Existing Firewall option within the Create submenu.
Define a new firewall
If the firewall is not yet defined to InControl, it can be defined at the same time it is added to a cluster by right-clicking the cluster node and selecting the New Security Firewall option.
This starts the new firewall wizard with the cluster set to be the parent.
Selecting the Master and Slave
Although the two firewalls in an HA cluster are peers, cOS Core designates one to be the master firewall and the other to be the slave. With InControl, the first firewall added becomes the master unit by default and the second added becomes the slave.
The Slave Configuration is Overwritten
When adding the slave firewall to a cluster, its configuration is automatically overwritten with the master configuration on deployment. InControl displays a warning message so that this is understood.
Selecting the Sync Interface
Whenever a second firewall is added to an HA cluster, the wizard asks the administrator to select the sync interface. An example of this dialog is shown below.
The Sync interfaces on the master and slave in an HA cluster are used to synchronize the two firewalls. Only one pair of interfaces is chosen to be Sync. The cOS Core Administrators Guide should be consulted for a full explanation of Sync interface operation.
Adding an Existing HA Cluster to InControl
If a firewall is already configured to be part of an HA cluster outside of InControl, it is possible to add the cluster so that it can then be managed by InControl. Some clusters may have been created outside of InControl, but it is desirable to bring them under InControl management. To add an existing cluster, there are two methods:
Create a Cluster Node First
First create a new HA Cluster node in the Firewalls tab. Then add the two cluster peers one by one to this cluster as though they were individual firewalls.
The order is important! Add the cluster master first since the first added will always become the master in InControl.
Create the Firewall Nodes First
Instead of adding a new cluster object first, add the cluster master as a new firewall object in the Firewalls tab. When this is done, InControl detects that the unit is already part of a cluster and displays a dialog to ask what should be done with it. The options are:
Create a new InControl cluster node and add this firewall to it. This is the selected option in the example below, where the cluster is to be called My_Cluster. The deployment options are also set in this dialog.
Select an existing cluster node as the parent. With this option, InControl displays another dialog to choose an existing cluster. The first firewall added automatically becomes the master. The second automatically becomes the slave.
Add as a normal firewall. This changes the cluster membership setting in the firewall's configuration.
After Adding the Cluster
The cluster now appears under the Global Domain in the Firewalls tab display.
Mismatching cOS Core Versions Cause an Alert
It is recommended to always have exactly the same version of cOS Core running on both the master and slave units in a cluster. Some mismatched versions may seem to function correctly, but there is always a risk of problems when this is allowed.
InControl always signals such a mismatch by producing an alert with a severity of Error and a text message indicating that there is a difference in the versions. Such an alert is shown highlighted in the example screenshot below.
Removing a Firewall from a Cluster
Once added to a cluster node in InControl, a firewall cannot then be changed to be a standalone firewall node in InControl. Firewalls must first be deleted from the InControl cluster and then added back to InControl as a new, standalone firewall.