Configuring Full High Availability on Appliances

After you set up the appliances for Full High Availability, configure this deployment in SmartConsole. You must configure both cluster members before you open the cluster configuration wizard in SmartConsole.

The LAN1 interface serves as the SYNC interface between the cluster members. If you do not configure it, the SYNC addresses are set automatically to 10.231.149.1 and 10.231.149.2. If these addresses are already in use on your network, you can change them manually; if you do, verify that both SYNC addresses are in the same subnet.

Note - All interfaces in the cluster must have unique IP addresses. If the same IP address is used twice, policy installation fails with this error message: A load on gateway failed

The cluster is reached through a unique Virtual IP address on each cluster interface. The Virtual IP address makes the cluster visible to the network it connects (internal or external), and it is the address that appears in the routing tables of neighboring hosts and routers. In addition, each member interface has its own unique IP address, used for communication between the cluster members. These member addresses are not in the routing tables.

To configure Full High Availability:

  1. Open SmartConsole and connect to the primary appliance, then click Approve to accept the fingerprint as valid.

    The Security Cluster wizard opens. Click Next.

  2. Enter the name of the Full High Availability configuration. Click Next.
  3. Configure the settings for the secondary appliance:
    1. In Secondary Member Name, enter the hostname.
    2. In Secondary Member Name IP Address, enter the IP address of the management interface.
    3. Enter and confirm the SIC activation key.
  4. Click Next.
  5. Configure the IP address of the paired interfaces on the appliances. Select one of these options:
    • Cluster Interface with Virtual IP - Enter a virtual IP address for the interface.
    • Cluster Sync Interface - Configure the interface as the synchronization interface for the appliances.
    • Non-Cluster Interface - Use the configured IP address of this interface.
  6. Click Next.
  7. Repeat step 5 for all the interfaces, then click Finish.
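Before you open the Security Cluster wizard, it helps to check the interface plan you are about to enter against the rules above: the two SYNC addresses must share a subnet, each Virtual IP must be in the subnet of its member interfaces, and no IP address may be used twice anywhere in the cluster. The following script is an added example, not part of this guide or of Check Point's software. It runs on the administrator's workstation, not on the appliance. The plan format, the EXAMPLE_PLAN and BROKEN_PLAN data, and all addresses in them are constructed for illustration; the three roles mirror the three options the wizard offers for each paired interface.

```python
import ipaddress
from collections import Counter

# The three roles the wizard offers for each paired interface.
VIP, SYNC, NON_CLUSTER = "vip", "sync", "non-cluster"

# Constructed example plan (assumed format; addresses are illustrative only).
# "member" holds the physical IP of the primary and secondary member on that
# interface; "vip" is the Virtual IP entered for a Cluster Interface with Virtual IP.
EXAMPLE_PLAN = {
    "WAN":  {"role": VIP, "mask": 24, "member": ("203.0.113.11", "203.0.113.12"), "vip": "203.0.113.10"},
    "LAN1": {"role": SYNC, "mask": 24, "member": ("10.231.149.1", "10.231.149.2")},
    "LAN2": {"role": VIP, "mask": 24, "member": ("192.0.2.11", "192.0.2.12"), "vip": "192.0.2.10"},
    "DMZ":  {"role": NON_CLUSTER, "mask": 24, "member": ("198.51.100.11", "198.51.100.12")},
}

# Constructed plan with two of the mistakes this page warns about: the SYNC
# addresses were changed so they no longer share a subnet, and one member IP
# is reused on both members of the DMZ interface.
BROKEN_PLAN = {
    "WAN":  {"role": VIP, "mask": 24, "member": ("203.0.113.11", "203.0.113.12"), "vip": "203.0.113.10"},
    "LAN1": {"role": SYNC, "mask": 24, "member": ("10.231.149.1", "10.231.150.2")},
    "DMZ":  {"role": NON_CLUSTER, "mask": 24, "member": ("198.51.100.11", "198.51.100.11")},
}


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    usage = Counter()  # how many times each address is assigned anywhere in the cluster
    for name, cfg in plan.items():
        members = [ipaddress.ip_interface(f"{addr}/{cfg['mask']}") for addr in cfg["member"]]
        subnets = {m.network for m in members}
        # Both members' physical addresses on one interface must be in one subnet
        # (for the SYNC interface this is the check the page asks you to make).
        if len(subnets) != 1:
            problems.append(f"{name}: member addresses {cfg['member']} are not in one subnet")
        for m in members:
            usage[m.ip] += 1
        if cfg["role"] == VIP:
            vip = ipaddress.ip_interface(f"{cfg['vip']}/{cfg['mask']}")
            usage[vip.ip] += 1
            if vip.network not in subnets:
                problems.append(f"{name}: virtual IP {vip.ip} is outside the member subnet")
    sync_ifaces = [n for n, cfg in plan.items() if cfg["role"] == SYNC]
    if len(sync_ifaces) != 1:
        problems.append(f"expected exactly one SYNC interface, found {sync_ifaces}")
    # Any address used twice makes policy installation fail ("A load on gateway failed").
    for addr, count in sorted(usage.items()):
        if count > 1:
            problems.append(f"address {addr} is assigned {count} times; policy installation will fail")
    return problems


if __name__ == "__main__":
    for label, plan in (("example", EXAMPLE_PLAN), ("broken", BROKEN_PLAN)):
        found = check_plan(plan)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Fill in the plan from the addresses you intend to type into the wizard, run the script, and only open the wizard once it reports no problems; fixing a duplicate address here is much cheaper than diagnosing a failed policy installation afterwards.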

Removing a Cluster Member

You can remove one of the two members of a cluster without deleting the cluster object. A cluster object can have only a primary member, as a placeholder, while you do maintenance on an appliance. You must remove the cluster member in the Gaia Portal and in the CLI.

To remove a cluster member:

  1. Open the Gaia Portal of the member to keep.
  2. Open Product Configuration > Cluster.
  3. Click Remove Peer.
    • If the current member is the primary member, the secondary member is deleted.
    • If the current member is the secondary member, it is first promoted to primary, and then the peer is deleted.

    Services running on the appliance are restarted.

  4. Open SmartConsole.
  5. Delete the peer cluster member from the cluster object.
  6. Publish (Ctrl+S).
  7. On the appliance command line, run: cp_conf fullha disable

    This command reverts the remaining primary cluster member to a Standalone configuration.

  8. Reboot.

The former cluster object is now a locally managed gateway and Security Management Server.

Adding a New Appliance to a High Availability Cluster

After the High Availability cluster is defined, you can add a Standalone appliance to it. You can also change which member is primary.

To add an existing appliance to a cluster:

  1. Open the Gaia Portal of the appliance.
  2. On the Product Configuration, Cluster page, select Make this Appliance the primary member of a High Availability Cluster.
  3. Click Apply.
  4. Reboot the appliance.
  5. In SmartConsole, open the object of the primary member.

    The first-time cluster configuration wizard opens.

  6. Complete the wizard to configure the secondary cluster member.

Troubleshooting network objects:

In SmartConsole, the network object of the Standalone appliance is converted to a cluster object. If the Standalone appliance was in the Install On column of a rule, or in the Gateways list of an IPSec VPN community, the cluster object is updated automatically. For all other uses, you must manually change the Standalone object to the cluster object. These changes can affect policies.

To see objects and rules that use the object to change:

  1. Right-click the Standalone object and select Where Used.
  2. Select a line and click Go To.
  3. In the window that opens, replace the Standalone object with the cluster object.

    If the Where Used line is a:

    • Host, Network, Group - Browse through the pages of the properties window that opens, until you find the object to change.
    • Policy (for example, dlp_policy) - Open the Gateways page of the Software Blade. Remove the Standalone object. Add the cluster object.
  4. In Where Used > Active Policies, see the rules that use the Standalone object.
  5. Select each rule and click Go To.
  6. Edit those rules to use the cluster object.

Note - The icon in SmartConsole changes to show new status of the appliance as a primary cluster member. The Name and UID of the object in the database stay the same.

Recommended Logging Options for High Availability

In High Availability, log files are not synchronized between the two cluster members. For this reason, we recommend that you configure log forwarding for the cluster, so that logs from both members are available in one place.

To forward cluster logs to an external log server:

  1. Open the properties of the cluster object.
  2. Open Logs > Additional Logging.
  3. Click Forward log files to Log Server, and select the Log Server.
  4. Select or define a time object for Log forwarding schedule.

    Or:

    Configure SmartEvent and SmartReporter with standard reports to use only one of the cluster members as the source for log file correlation and consolidation.