Configuring High Availability

In the Device > High Availability page you can create a cluster of two Security Gateways for High Availability.

Note - You cannot create a cluster when you have a switch or bridge defined in your network settings on the gateway. If necessary, change network settings in the Device > Local Network page.

To create a cluster:

Click Configure Cluster.

The New Cluster Wizard opens.
In Step 1: Gateway Priority, select one of the options:
1. Configure as primary member - If this gateway must be configured first.
2. Configure as secondary member - If a primary member is already configured and this gateway connects to it.
Click Next.

For a primary member:

In Step 2: SIC Settings, enter a password and confirm it. This password is used for establishing trust between the members.

Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ Maximum number of characters: 255

The default Sync interface is LAN2. If it is necessary to change it, click Advanced and select a different Sync Interface. You can also change the predefined Sync IP Address and Sync IP Subnet.

Note - All changes made here must also be made on the other cluster member.

Click Next.
In Step 3: Gateway Interfaces (1 out of N), you can define the cluster IP on the related interfaces. Enter the necessary details.

By default, the appliance monitors the interface condition. If there is a failure, it automatically fails over to the secondary cluster member. When the interface is also enabled for high availability, it acts as single interface towards the network.

Click Next. Do Step 4d again for all related interfaces in your network.

Note - For Internet connections, you can only enable High Availability on Static IP Internet connections. Other types of Internet connections can be used for monitoring only.

For a secondary member:
1. In Step 2: SIC Settings, enter the Secure Internal Communication password.
2. Click Establish Trust.
Click Finish.

When the cluster is successfully configured, you see the status of the members on this page.

After the cluster is configured, when you connect to the cluster IP address you are automatically redirected to the Active cluster member. To log in to specified member, you must log in with the member's IP address.

All cluster management is done from the Active member. On the WebUI of the Standby member, there are only options for fine tuning (for a locally managed cluster: basic network settings and logs. A cluster managed by Quantum Spark Portal cluster also has Cloud Services).

High Availability cluster only supports IPv6 in dual mode.

Interface options in cluster mode:

High Availability - Two physical interfaces in 2 cluster members act as a single interface toward the network and use a single virtual IP address.

Note - In this cluster solution, each interface has a local IP address in addition to the shared single virtual IP address.

Sync - Two physical interfaces must be defined as Sync interfaces and connected between the members to allow proper failover as needed. The default is to use LAN2/Sync physical port.
Non HA (also called private) - The physical interface in this member does not participate in High Availability functions.
Monitored (also called private monitored) - The physical interface in this member is not coupled with another interface on the other member as in High Availability interface mode. The interface's status is still monitored, and if a problem occurs the member will fail over to the second one.

The High Availability page shows the cluster member status:

Cluster state: Enable or Disable
Cluster status of the local and peer gateways (Active/Standby/Inactive)
Interfaces’ configuration including cluster IP address and physical interface IP address

When you add a new interface (LAN, Internet Connection, or VLAN), you can add it to an existing cluster without the need to reset the cluster configuration.

To add a new cluster interface after the cluster is already configured:

Add the new interface in the Local Network or Internet tab.
In the Device > High Availability page double click the newly added interface.
In the Edit window, select the checkbox Enable High Availability on interface.

Enter the physical IP addresses, subnet mask and cluster IP address.

If the interface is part of the Local Network, the interface now appears as “LANX (High Availability)."

Note - High Availability can only be enabled on Static IP addresses.

Select the checkbox Monitor interface state (fail over when interface is down).
Click Finish.

To reset configuration settings:

Click Reset Cluster Configuration.

Note - This deletes all configuration settings. You must run the wizard again to configure the cluster.

In a healthy cluster, one member of the cluster is the Active member and the other member is the Standby.

To failover from the Active member to the Standby member:

Click Force Member Down on the Active member.

A confirmation message shows.
Click Yes.

The formerly Active member is now Inactive (down). The formerly Standby member is now Active.

To restore Active/Standby functionality:

Click Disable Manual Failover on the Inactive member.

To failover to the original primary member:

Click Force Member Down on the current Active member.

A confirmation message shows.
Click Yes.
Reconnect to the member and click Disable Manual Failover.

The original Active member is now the Active member of the cluster.

To see detailed information about the cluster status:

Click Diagnostics.

Upgrading a cluster member

You must upgrade each cluster member individually. Start with the Standby member. After upgrade, the appliance automatically reboots.

Note - Only manual upgrade is supported.

To upgrade a cluster manually:

Go to Device > System Operations.
Click Manual Upgrade.

The Upgrade Software Wizard opens.
Follow the wizard instructions.

Cluster Managed by Quantum Spark Portal

You can configure a cluster in which both gateways are managed by Quantum Spark Portal. Make sure the gateways are connected to Quantum Spark Portal before you create the cluster.

A cluster supported by Quantum Spark Portal is very similar to a locally managed cluster. One member is Active, and the other is Standby. To change the status of the Active member, click Force Member Down.

To configure the cluster (on the gateway side):

Note - The procedure is similar to the one to create a local cluster that does not involve the Quantum Spark Portal.

Log in to the WebUI of the gateway you want to use as the primary member of the cluster.
In the Device > High Availability page, click Configure Cluster.

The New Cluster Wizard opens.
In Step 1: Gateway Priority, select Configure as primary member.
Click Next.
In Step 2: SIC Settings, you see a message that you do not need to establish trust as the cluster is managed by Quantum Spark Portal Cloud Services.

Optional - Under Advanced, enter this information:
- Sync interface
- Sync IP address
- Sync IP subnet
- Other member sync IP address
Click Next.

In Step 3: Gateway Interfaces, configure the addresses of each interface. Select Enable High Availability on interface and enter the networking details for both member gateways and the cluster entity.

Note - This step is divided into several sub-steps, one for each interface.

Click Finish.
Log in to the WebUI of the other cluster member.
Under Device > High Availability, click Configure Cluster.

The New Cluster Wizard opens.
Select Configure as secondary member.
Click Next.
Click Finish.

The appliance fetches the settings from the primary member and applies them.

Note - - When the cluster is managed by Quantum Spark Portal, connections are not synchronized. In the event of cluster failover, you must re-establish the connections.

After the cluster is set up, you see the High Availability cluster between the two appliances. If both gateways are properly configured, one gateway is marked as Active, and the peer gateway is marked as Standby. A list of configured interfaces is displayed.

To see information about the cluster members and the High Availability status, click Diagnostics.