Network Security Blog

HA1 (control link), HA1 backup, Heartbeat backup

     Config synchronization
     Management plane runtime state synchronization
     FIB, user-group mappings, DHCP leases, DNS cache, etc.
     HA state communication

HA2 (data link) & HA2 backup

used to synchronize state, sessions, routing tables, IPSec security
associations, and ARP tables between devices in a HA cluster
     Session synchronization
     A/P – We do not sync ICMP sessions.
     A/A – We do not sync Multicast sessions.
     Data plane runtime state synchronization
     ARP table, Neighbor table, user-IP mappings, etc.
     You cannot ping the HA2 interface

HA3
     Packet forwarding link (Active/Active only)
     This link is used as packet forwarding link for session setup and asymmetric traffic handling.

------------------------------------------------------------------------------------------------------------------------------

NAT device binding options include the following:-

 * Device 0 and Device 1—Translation is performed according to device-specific bindings only if the session owner and the device ID in the NAT rule match. evice-specific NAT rules are commonly used when the two firewalls use unique public IP addresses for translation

   * Both—This option allows either device to match new sessions to the NAT rule and is commonly used for destination NAT

   * Primary—This option allows only the active-primary device to match new sessions to the NAT rule. This setting is used mainly for inbound static NAT, where only one firewall should respond to ARP requests. Unlike device 0/1 bindings, a primary device binding can move between devices when the primary role is transferred

Session OWNER:

==========

------(PA1-act-prim)-------

------(PA2-act-sec)-------

First packet

First come first server :)

when packet rx to PA1 or PA2 then that Firewall will become session owner

Primary device

Only Active-Primary device will be the SESSION OWNER

++If PA2 rx any first packet then it sends to PA1  to OWN the SESSION

session SETUP:

=========

------(PA1-act-prim)-------

------(PA2-act-sec)-------

•IP modulo

Load sharing

For one packet PA1 will be-------SESSION SETUP

For Another packet PA2 will be---SESSION SETUP

Load sharing is done in round robin...based on source IP

•IP Hash

Load sharing

For one packet PA1 will be-------SESSION SETUP

For Another packet PA2 will be---SESSION SETUP

Hash of either source or combination source/destination IP address is used for Loadsharing

•Primary device

Only Active-Primary device will be the SESSION SETUP

++If PA2 rx any first packet then it sends to PA1  to SETUP the SESSION

====================================================================

ARP load sharing:-

SAME like HSRP - has one virtual ip

FLOATING IP:-

SAME like HSRP :- has TWO virtual IP

Floating ip + ARP loading sharing

--->ARP load sharing 
This can only be done where the hosts are on the same L2 network as the firewall (which means you'd only do it on your LAN side). 

--->Setting the session owner and the setup device to be the primary device is not recommended
--->recommended setting is to use “First Packet” for session owner and “IP modulo” for session setup.

Setting for First Packet and IP Modulo will ensure that both Active and Secondary device will both participate as a session owner and in session setup about equally. 

-->If we disable Packet Forwarding, session setup and session owner will be same, it will work for asymetric traffic also.

#set deviceconfig setting session tcp-reject-non-syn no 

USING FLOATING IP:

================

Configuration:

==========

>show high-availability virtual-address

+Router should learn arp for 172.17.1.2--172.17.1.3-172.17.1.4--172.17.1.5==>1.4 and 1.5 are virtual mac's

Please use translated address instead of interface address when you configure source NAT for floating ip in A/A environement.