How to configure High Availability in Seqrite UTM

02-03-2020 15:50:39

Overview

High Availability (HA) is a clustering technology that is used to maintain uninterrupted service in the event of power, hardware or software failure.

High availability is the ability of the service/application to function properly without failures or interruptions for a long period of time.

The HA feature in Seqrite UTM (version 2.2 and above) ensures that the UTM appliance is available at all times and has in-built redundancy and reliable crossover.

Seqrite UTM supports Active-Passive HA mode. In Active-Passive mode, only the Primary Device processes traffic while the Auxiliary Device remains in stand-by mode, ready to take over if the Primary Device experiences a power/hardware/software failure. The feature uses 2 identical UTM hardware appliances, in which the passive appliance takes over if the active appliance fails or develops a fault. In the document, this arrangement may also be termed Primary-Secondary/Master-Backup/Master-Slave. Both devices (the Primary and Secondary Devices) are physically connected over a dedicated HA link port.


Applicable Version: 2.2 and above

Prerequisites:

1. The hardware configuration of the 2 appliances used for HA must be identical, that is, they must be the same model. Both UTM appliances must be identical in terms of performance and load handling.

2. Both the UTM appliances must have the same firmware version.

3. One interface on the 2 appliances must be linked by a direct cable (point to point connection) or through a switch for the HA dedicated link. For example, the eth 2 interface on appliance 1 must be connected to interface eth 2 on appliance 2 only.

4. Both devices must be registered.

HA Working:

There are 2 identical UTM devices, a primary and a secondary appliance, that are configured in HA mode to enable the High Availability feature. The primary appliance normally operates in the active mode and processes all incoming and outgoing traffic based on the configured policies. The secondary appliance is meanwhile in the Active-Standby (Passive) mode and does not process any traffic.

For each of the available interfaces, a primary IP address is assigned to the primary appliance and a secondary IP address to the secondary appliance. In addition, a virtual IP address is assigned to each interface. This IP address is maintained in case of any failover from primary to secondary and vice versa.

Over the dedicated HA link, the 2 UTM appliances check whether the other appliance is alive at the frequency defined by the heartbeat interval. You can enable the watch status for each interface, except the dedicated HA link, so that it is monitored for failure.

Scenarios supported for HA failover:

1. System shutdown or reboot

2. Interface (on watch) failure

HA Status on a dashboard:

The following details related to HA are displayed on the dashboard:

  • Whether enabled or disabled
  • The dedicated interface for HA link
  • Heartbeat interval
  • Status of 2 UTM appliances whether active, passive, fault or out of sync.
  • Firmware versions of the 2 UTM appliances

Scenario:

Setting up High Availability:

  1. Navigate to System > High Availability page.
  2. Toggle the HA service button to enable the HA service.
  3. Enter the heartbeat interval in seconds. The heartbeat interval determines how often the two appliances check whether the other is active and alive.
  4. Select the dedicated HA interface link from the list of interfaces in the drop-down.
  5. Navigate to the High Availability interface settings. In the interface settings, the primary IP addresses are displayed for the configured interfaces.
  6. For each interface, enter the secondary IP address and the virtual IP address. The secondary IP address is assigned to the corresponding interface on the secondary appliance. The Virtual IP address is the actual IP address for the HA ready appliance for that interface.
  7. Note: The primary, secondary and the virtual IP addresses for each interface must be in the same IP address subnet class. For example, Primary IP: 172.168.121.3, Secondary IP: 172.168.121.4 and Virtual IP: 172.168.121.7
  8. Toggle the watch button to enable the watch status for that interface. If you enable the Watch status, HA will monitor the interface for link failure or hardware failure and then initiate a failover to the secondary UTM appliance.
  9. Note: You cannot enable watch on the dedicated HA link.
  10. Click Apply to save. To re-enter, click Reset and the previous values will be restored. The HA status will be updated on the dashboard.
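
Before entering the values above in the UI, the planned settings can be checked offline against the two notes in the procedure (addresses in the same subnet, no watch on the dedicated HA link). The script below is an added example, not Seqrite code and not part of the UTM: the plan layout, the field names, the prefix length and the eth2 addresses are assumptions made for illustration.

```python
import ipaddress

ROLES = ("primary", "secondary", "virtual")

def validate_ha_plan(plan):
    """Return a list of problems in a planned HA configuration (empty = OK)."""
    problems = []
    if plan["heartbeat_interval_s"] <= 0:
        problems.append("heartbeat interval must be a positive number of seconds")
    if plan["ha_link"] not in [i["name"] for i in plan["interfaces"]]:
        problems.append(f"dedicated HA link {plan['ha_link']} is not a listed interface")
    for iface in plan["interfaces"]:
        name = iface["name"]
        # Page note: watch cannot be enabled on the dedicated HA link.
        if name == plan["ha_link"] and iface.get("watch"):
            problems.append(f"{name}: watch cannot be enabled on the dedicated HA link")
        try:
            # Assumption: the subnet is derived from the primary IP plus a prefix
            # length supplied in the plan (the page does not state a netmask).
            net = ipaddress.ip_interface(f"{iface['primary']}/{iface['prefix']}").network
            addrs = {r: ipaddress.ip_address(iface[r]) for r in ROLES}
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: missing or invalid address ({exc})")
            continue
        for role, addr in addrs.items():
            if addr not in net:
                problems.append(f"{name}: {role} IP {addr} is outside {net}")
        # Three addresses live on one subnet across two devices, so none may repeat.
        if len(set(addrs.values())) != len(ROLES):
            problems.append(f"{name}: primary, secondary and virtual IPs must differ")
    return problems

# Constructed sample plans. eth0 uses the example addresses from the note in
# step 7; the /24 prefix and the eth2 addresses are invented for this example.
GOOD_PLAN = {"heartbeat_interval_s": 5, "ha_link": "eth2", "interfaces": [
    {"name": "eth0", "primary": "172.168.121.3", "secondary": "172.168.121.4",
     "virtual": "172.168.121.7", "prefix": 24, "watch": True},
    {"name": "eth2", "primary": "10.0.0.1", "secondary": "10.0.0.2",
     "virtual": "10.0.0.3", "prefix": 24, "watch": False}]}
BAD_PLAN = {"heartbeat_interval_s": 0, "ha_link": "eth2", "interfaces": [
    {"name": "eth0", "primary": "172.168.121.3", "secondary": "172.168.122.4",
     "virtual": "172.168.121.7", "prefix": 24, "watch": True},
    {"name": "eth2", "primary": "10.0.0.1", "secondary": "10.0.0.2",
     "virtual": "10.0.0.3", "prefix": 24, "watch": True}]}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_ha_plan(plan) or "OK")
```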

Synchronization between the 2 appliances:

As the 2 appliances are configured in failover mode for high availability, data from the 2 appliances has to be synchronized. Each time HA is turned from OFF to ON, a configuration sync-up is performed between the two appliances. If the peer appliance is in the Out-of-Sync state, you can also perform a forceful synchronization between the two appliances to synchronize the following data:

  • Interface configuration
  • Definitions
  • Policies
  • Network settings
  • Firewall settings
  • VPN settings
  • User Management settings
  • Support
  • Antivirus configuration settings
  • IPS configuration settings
  • Mail protection settings
  • ACC settings
  • System parameters

- To sync logs (DHCP, VPN) & reports of both UTM appliances, in the Sync Settings area, select and enable the Synchronization of logs & reports checkbox on the HA page.

- To receive SNMP data of both the appliances on the SNMP server, in the Sync Settings area, select and enable the Get SNMP data from both appliances checkbox on the HA page.

Note: If the appliances go into the out of sync state, a banner will be displayed on the dashboard with a Force Sync up button. Click Force Syncup to complete the synchronization of the active and passive appliance.

Note: The Force Syncup operation may take some time depending on the configuration and load, and the User Interface will not be available until the operation is completed.

Please contact Seqrite Technical Support for more assistance