On SMB appliances, the cluster can be configured only in High Availability mode. This means that only one Gateway is active and that when there is a failover, the standby member becomes active.
- Both appliances must have the same hardware and firmware version.
- Both appliances must have different names.
- The secondary appliance must not have any configuration. The only configuration should be on the hardware level (if a LAN interface is configured on the Active member, then the same Port should be configured on the Standby member).
- Connect a sync cable between the appliances on the sync port (Default: LAN2 port).
- Connect both of the appliances' LANs (for example LAN1 from each appliance) to the same switch (to have the same Network Segment).
- Reinitialize the internal VPN certificate on each appliance to obtain the external IP address for the CRL Distribution, e.g., http://10.10.10.1:18264/...
- Bridge/switch configurations are currently not supported in a cluster configuration. Supported in R80.20.25 and higher, sk171824. If any such configuration exists, delete it before you start configuring the cluster in WebUI -> Device -> Local Network:
On the Primary Member
1. Start the wizard on the primary member: Enter WebUI, Device -> High Availability and click on Configure Cluster.
2. Choose the Configure as primary member option:
3. Enter the password for initializing the cluster.
4. In the next window, configure the network settings according to the image below:
- Cluster IP address (VIP)
- Primary IP address (LAN1 address of the primary appliance)
- Secondary IP address (LAN1 address of the secondary appliance)
5. For each Port/Network in the cluster, repeat step 4.
6. Once complete, click on Finish.
On the Secondary Member
1. Start the wizard on the secondary member: Enter WebUI, Device -> High Availability and click on Configure Cluster.
2. Choose the Configure as secondary member option:
3. Enter the same password for initializing the cluster.
4. Click on Establish Trust:
5. Click on Finish. The confirmation notification will appear, letting you know that this appliance will be the secondary cluster member. Click on Yes.
- The secondary member will appear with only one button in the panel: Device.
- The primary member will appear as below:
- To verify that the cluster configuration has been successfully established, run the below commands from SSH (Expert mode): 'cphaprob state' and 'cphaprob –l list'
- You can also click on view diagnostics:
- Note: To make the best use of the cluster, it is recommended to configure the Internet connection according to the below configuration (if there are three Internet lines):
- To check the failover, click on Force Member Down on the primary member. The secondary member (which was on 'Standby' mode) should become the 'Active' appliance:
Note: The Internet connections (Static IP] should be configured on each Internet interface [WAN/DMZ], and another Static IP for the VIP.
Run the following commands from expert mode:
- 'fw debug sfwd on TDERROR_ALL_ALL=5' on both members. It is critical that you run this command at the same time.
- Create a rule, or re-establish trust, or run 'fw sic_test -p 10.231.149.2' from the primary member.
- 'fw debug sfwd off TDERROR_ALL_ALL=5' on both members to turn it off.
- Collect the debugs from $FWDIR/log/sfwd.elg from both members.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.