
High Availability>Configure

Given the critical nature of Internet connections, SonicWALL High Availability is standard on the SonicWALL product line. SonicWALL High Availability eliminates network downtime by allowing the configuration of two SonicWALLs (one primary and one backup) as a High Availability pair. In this configuration, the backup SonicWALL monitors the primary SonicWALL and takes over operation in the event of a failure. This ensures a secure and reliable connection between the protected network and the Internet.

Before Configuring High Availability

Before attempting to configure two SonicWALLs as a High Availability pair, check the following requirements:

Network Configuration for High Availability Pair

All SonicWALL ports being used must be connected together with a hub or switch. Each SonicWALL must have a unique LAN IP Address on the same LAN subnet. If each SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.

Alert! The two SonicWALLs in the High Availability pair send “heartbeats” over the LAN network segment. The High Availability feature does not function if the LAN ports are not connected.

Configuring High Availability on the Primary SonicWALL

The top half of the window displays the primary SonicWALL serial number and network settings. The bottom half of the window displays the backup SonicWALL information boxes.

To configure High Availability:

  1. Connect the primary SonicWALL and the backup SonicWALL to the network, but leave the power turned off on both units.

  2. Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete. Configure all of the settings in the primary SonicWALL before configuring High Availability.

  3. In the High Availability>Configure page, configure the following settings for the primary SonicWALL:

Alert! This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.

Tip! The Synchronize Now button is used for diagnostics and troubleshooting purposes and is not required for initial configuration.

  4. In the Web Management interface for the primary SonicWALL, configure the backup SonicWALL settings as follows:

Alert! This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.

  5. Check the Enable Preempt Mode box if you want the primary SonicWALL to take over from the backup SonicWALL whenever the primary becomes available (for example, after recovering from a failure and restarting). If this option is not used, the backup SonicWALL remains the active SonicWALL.

Tip! The primary and backup SonicWALLs use a “heartbeat” signal to communicate with one another. This heartbeat is sent between the SonicWALLs over the network segment connected to the LAN ports of the two SonicWALLs. The interruption of this heartbeat signal triggers the backup SonicWALL to take over operation from the active unit of the High Availability pair. The time required for the backup SonicWALL to take over from the active unit depends on the Heartbeat Interval and the Failover Trigger Level.

  6. Enter the time for heartbeat intervals in the Heartbeat Interval (seconds) box. Use a value between 3 seconds and 255 seconds. This interval is the amount of time in seconds that elapses between heartbeats passed between the two SonicWALLs in the High Availability pair.

  7. Enter the number of missed heartbeats before triggering the backup SonicWALL in the Failover Trigger Level (missed heartbeats) box. Use a value between 2 and 99 missed heartbeats. When the backup unit detects this number of consecutive missed heartbeats, the backup SonicWALL takes over operation from the active unit.

Example: Assume that the Heartbeat Interval and the Failover Trigger Level are 5 seconds and 2 missed heartbeats respectively. Based on these values, the backup SonicWALL takes over from the active unit after 10 seconds in the event of a failure in the active unit.

  8. Enter the Active SonicWALL Detection Time (in seconds) using a value between 0 and 300. The default value of 0 is correct in most cases. When any SonicWALL (primary or backup) becomes active after bootup, it looks for an active SonicWALL configured for High Availability on the network. If another SonicWALL is active, the SonicWALL that is booting up transitions to the Idle mode. In some cases, there may be a delay in locating another SonicWALL due to network delays or problems with hubs or switches. You can configure either the primary or backup SonicWALL to allow an increment of time (in seconds) to look for another SonicWALL configured for High Availability on the network. You may enter a value between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases.

  9. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

  10. Click Restart.

Alert! It is important during initial configuration that the backup SonicWALL has not been previously configured for use. If the backup SonicWALL has previous network settings, it is recommended to reset the SonicWALL to the factory default settings using Restore Factory Default Settings located in the Tools section. Additionally, the password must be changed back to the default password of “password” using the Password tab in the General section.

  11. Power on the backup SonicWALL used for High Availability. After completing the diagnostic cycle, the primary SonicWALL auto-detects the presence of the backup SonicWALL and synchronizes the settings.

  12. To confirm that the synchronization is successful, check the primary SonicWALL log for a High Availability confirmation message. Alternatively, you can log into the backup SonicWALL using its unique LAN IP address and confirm that it is the backup SonicWALL.

If the primary SonicWALL fails to synchronize with the backup, an error message is displayed at the bottom of the screen. An error message also appears on the Status tab. To view the error message, go to the General>Status page.

To check the backup SonicWALL firmware version or serial number, log into the backup SonicWALL and go to the General>Status page. Both the firmware version and the SonicWALL serial number are displayed at the top of the Status window.

If the backup SonicWALL serial number was incorrectly specified in the primary SonicWALL Web Management Interface, log into the primary SonicWALL and correct the backup SonicWALL Serial Number field.

At this point, you have successfully configured your two SonicWALLs as a High Availability pair. In the event of a failure in the primary unit, the backup unit takes over operation and maintains the connection between the protected network and the Internet.
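
The following is an added illustration, not SonicWALL code: a small model of how the Heartbeat Interval, Failover Trigger Level and Enable Preempt Mode settings interact, so candidate values can be checked against expected outages before they are entered. It assumes heartbeats are expected at fixed multiples of the interval and that a recovered primary is seen at the next tick; the function names, event labels and outage windows are constructed for the example.

```python
# Illustrative model only; event names, tick model and sample outages are constructed.
FAILOVER = "backup Idle -> Active"
PREEMPT = "primary preempts backup"

def validate(interval_s, trigger_level):
    """Enforce the value ranges given for the two settings."""
    if not 3 <= interval_s <= 255:
        raise ValueError("Heartbeat Interval must be 3-255 seconds")
    if not 2 <= trigger_level <= 99:
        raise ValueError("Failover Trigger Level must be 2-99 missed heartbeats")

def simulate(interval_s, trigger_level, outages, duration_s, preempt=False):
    """Return [(time_s, event)] for a run of duration_s seconds.

    outages: (start_s, end_s) windows; the primary sends no heartbeat at any
    tick t with start_s < t < end_s (assumed failure model).
    """
    validate(interval_s, trigger_level)
    events, missed, active = [], 0, "primary"
    for t in range(interval_s, duration_s + 1, interval_s):
        primary_up = not any(start < t < end for start, end in outages)
        if active == "primary":
            if primary_up:
                missed = 0          # only consecutive misses count
                continue
            missed += 1
            if missed >= trigger_level:
                active, missed = "backup", 0
                events.append((t, FAILOVER))
        elif primary_up and preempt:
            active = "primary"      # without preempt the backup stays active
            events.append((t, PREEMPT))
    return events

if __name__ == "__main__":
    # Page example: 5 s interval, trigger level 2, primary fails at t=10 s.
    print(simulate(5, 2, [(10, 100)], 60))                # takeover at t=20 s
    print(simulate(5, 2, [(10, 20)], 60))                 # one miss: no takeover
    print(simulate(5, 2, [(10, 40)], 60, preempt=True))   # takeover, then preempt
```

The second run shows that an interruption shorter than the trigger level does not cause a transition, because the missed-heartbeat count resets when a heartbeat arrives.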

Configuration Changes

Configuration changes for the High Availability pair can be made on the primary or the backup SonicWALL. The primary and backup SonicWALL appliances are accessible from their unique IP addresses. A label indicates which SonicWALL appliance is accessed.

Alert! If you change the IP address of either SonicWALL, synchronization cannot occur between the two SonicWALLs without updating the changes manually in the High Availability configuration.

Synchronizing Changes between the Primary and Backup SonicWALLs

Changes made to the Primary or Backup firewall are synchronized automatically between the two firewalls. If you click Synchronize Now, the Backup SonicWALL restarts and becomes temporarily unavailable for use as a backup firewall.

High Availability Status

If failure of the primary SonicWALL occurs, the backup SonicWALL assumes the primary SonicWALL LAN and WAN IP Addresses. There are three primary methods to check the status of the High Availability pair: the High Availability>Status page, E-mail Alerts and View Log. These methods are described in the following sections.

High Availability Status Window

One method to determine which SonicWALL is active is to check the High Availability>Status page for the High Availability pair. To view the High Availability>Status page, you can log into the primary or backup SonicWALL LAN IP Address. Click High Availability on the SonicWALL Web Management Interface menu bar. If the primary SonicWALL is active, the first line in the status window above indicates that the primary SonicWALL is currently active.

The first line in the status page indicates that the backup SonicWALL is currently Active. It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL. If the primary SonicWALL is operating normally, the status window indicates that the backup SonicWALL is currently Idle. If the backup has taken over for the primary, this window indicates that the backup is currently Active.

Tip! In the event of a failure in the primary SonicWALL, you can access the Web Management Interface of the backup SonicWALL at the primary SonicWALL LAN IP Address or at the backup SonicWALL LAN IP Address. When the primary SonicWALL restarts after a failure, it is accessible using the third IP address created during configuration. If preempt mode is enabled, the primary SonicWALL becomes the active firewall and the backup firewall returns to idle status.

E-mail Alerts Indicating Status Change

If you have configured the primary SonicWALL to send E-mail alerts, you receive alert E-mails when there is a change in the status of the High Availability pair. For example, when the backup SonicWALL takes over for the primary after a failure, an E-mail alert is sent indicating that the backup has transitioned from Idle to Active. If the primary SonicWALL subsequently resumes operation after that failure, and Enable Preempt Mode has been enabled, the primary SonicWALL takes over and another E-mail alert is sent to the administrator indicating that the primary has preempted the backup.

View Log

The SonicWALL also maintains an event log that displays these High Availability events in addition to other status messages and possible security threats. This log may be viewed with a browser using the SonicWALL Web Management Interface or it may be automatically sent to the administrator’s E-mail address.

To view the SonicWALL log, click Log on the Web Management Interface menu bar.

Forcing Transitions

In some cases, it may be necessary to force a transition from one active SonicWALL to another – for example, to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled, or to force the backup SonicWALL to become active in order to do preventive maintenance on the primary SonicWALL.

To force such a transition, it is necessary to interrupt the heartbeat from the currently active SonicWALL. This may be accomplished by disconnecting the active SonicWALL’s LAN port, by shutting off power on the currently active unit, or by restarting it from the Web Management Interface. In all of these cases, heartbeats from the active SonicWALL are interrupted, which forces the currently Idle unit to become Active.

To restart the active SonicWALL, log into the primary SonicWALL LAN IP Address and click Tools on the left side of the browser window and then click Restart at the top of the window.

Click Restart SonicWALL, then Yes to confirm the restart. Once the active SonicWALL restarts, the other SonicWALL in the High Availability pair takes over operation.

Alert! If the Enable Preempt Mode is enabled for the primary SonicWALL, the primary unit takes over operation from the backup unit after the restart is complete.
