DDoS Protector High-Availability Guide
Solution

To support High Availability (HA), configure two compatible DDoS Protector devices to operate in a two-node cluster. One member of the cluster is the primary; the other member of the cluster is the secondary.

Both cluster members must meet the following requirements:

Must use the same:

  • Platform (DPx06 with DPx06, DPx412 with DPx412)
  • Software version
  • Software license
  • Throughput license
  • Attack signature database file (see the Check Point Security Updates Center)
  • Management port (that is, MNG-1 on both devices, MNG-2 on both devices, or both MNG-1 and MNG-2 on both devices)

In addition, the management interfaces of both devices must be on the same Layer 2 network.

The members of a cluster work in an active-passive architecture. When a cluster is created:

  • The primary device becomes the active member.
  • The primary device transfers the relevant configuration objects to the secondary device.
  • The secondary member will reboot once the primary member has transferred all the relevant configuration objects.
  • The secondary device becomes the passive member.

A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode.

The primary device immediately transfers each relevant configuration change to the secondary device.

The passive device periodically synchronizes its baselines for the BDoS, DNS and HTTP Mitigator protections with the active device.


The following situations trigger the active device and the passive device to switch states:

  • The passive device does not detect the active device within the specified Heartbeat Timeout.
  • All links on the active device are detected as "down" for the specified Link Down Timeout.
  • Optionally, traffic through the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
  • You run the Switch Over command (Device -> High Availability -> Switch Over).
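The following is an added example, not DDoS Protector code: a small Python model of the four switch-over triggers listed above, run on constructed event traces. It assumes (the article does not spell this out) that a heartbeat counts as lost only when no heartbeat has arrived on any configured management path within the Heartbeat Timeout, and that the link-down and idle-line conditions must hold continuously for their respective timeouts. The traces show why the article recommends an IP address on both management interfaces: with a single management path, losing heartbeats on that path fails the cluster over even though the active device is still healthy, while with two paths the surviving path suppresses the false failover.

```python
"""Model of the active/passive switch-over triggers (added example, not vendor code).

Assumed semantics, not stated in the article in this detail:
  * a heartbeat is lost only when no heartbeat arrived on ANY configured
    management path within heartbeat_timeout seconds;
  * link-down and idle-line conditions must hold continuously for their timeout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HAConfig:
    heartbeat_timeout: float = 3.0      # seconds without a heartbeat from the active device
    link_down_timeout: float = 5.0      # seconds with all links on the active device down
    idle_line_threshold: Optional[float] = None  # bps; None disables the optional trigger
    idle_line_timeout: float = 10.0     # seconds the line must stay below the threshold


class FailoverMonitor:
    """Runs on the passive device and decides whether it should take over."""

    def __init__(self, cfg: HAConfig, mgmt_paths: Tuple[str, ...], start: float = 0.0):
        self.cfg = cfg
        # Last time a heartbeat was seen on each configured management path.
        self.last_heartbeat: Dict[str, float] = {p: start for p in mgmt_paths}
        self.links_down_since: Optional[float] = None
        self.idle_since: Optional[float] = None
        self.manual_switch = False

    def heartbeat(self, path: str, now: float) -> None:
        if path in self.last_heartbeat:       # heartbeats on unconfigured paths are ignored
            self.last_heartbeat[path] = now

    def link_status(self, all_links_down: bool, now: float) -> None:
        if not all_links_down:
            self.links_down_since = None      # any link up resets the link-down timer
        elif self.links_down_since is None:
            self.links_down_since = now

    def traffic(self, bps: float, now: float) -> None:
        thr = self.cfg.idle_line_threshold
        if thr is None or bps >= thr:
            self.idle_since = None            # trigger disabled, or line is busy again
        elif self.idle_since is None:
            self.idle_since = now

    def switch_over(self) -> None:
        self.manual_switch = True

    def check(self, now: float) -> Optional[str]:
        """Return the trigger that fires at time `now`, or None."""
        if self.manual_switch:
            return "switch-over command"
        # The newest heartbeat over ALL paths counts: one surviving path is enough.
        if now - max(self.last_heartbeat.values()) >= self.cfg.heartbeat_timeout:
            return "heartbeat timeout"
        if self.links_down_since is not None and now - self.links_down_since >= self.cfg.link_down_timeout:
            return "link down timeout"
        if self.idle_since is not None and now - self.idle_since >= self.cfg.idle_line_timeout:
            return "idle line timeout"
        return None


def run(cfg: HAConfig, mgmt_paths: Tuple[str, ...], events: List[Tuple]) -> Optional[Tuple[float, str]]:
    """Replay (time, kind, value) events; return (time, trigger) of the first switch-over."""
    mon = FailoverMonitor(cfg, mgmt_paths)
    for t, kind, value in events:
        if kind == "hb":
            mon.heartbeat(value, t)
        elif kind == "links":
            mon.link_status(value, t)
        elif kind == "bps":
            mon.traffic(value, t)
        elif kind == "cmd":
            mon.switch_over()
        reason = mon.check(t)
        if reason:
            return (t, reason)
    return None


# Constructed traces (not captured from a device): heartbeats on both ports once per second.
BOTH = ("MNG-1", "MNG-2")
ONE = ("MNG-1",)


def trace(seconds: int, extra=()) -> List[Tuple]:
    ev = [(float(t), "hb", p) for t in range(seconds) for p in BOTH]
    return sorted(ev + list(extra), key=lambda e: (e[0], e[1]))


def scenario_mng1_loss(mgmt_paths: Tuple[str, ...]):
    # MNG-1 heartbeats stop after t=0 while MNG-2 keeps delivering them.
    ev = [e for e in trace(12) if not (e[1] == "hb" and e[2] == "MNG-1" and e[0] > 0)]
    return run(HAConfig(), mgmt_paths, ev)


def scenario_links_down():
    return run(HAConfig(), BOTH, trace(12, [(2.0, "links", True)]))


def scenario_idle(threshold: Optional[float]):
    cfg = HAConfig(idle_line_threshold=threshold, idle_line_timeout=10.0)
    return run(cfg, BOTH, trace(12, [(float(t), "bps", 50.0) for t in range(12)]))


def scenario_manual():
    return run(HAConfig(), BOTH, trace(5, [(2.5, "cmd", None)]))


if __name__ == "__main__":
    print("MNG-1 lost, two paths :", scenario_mng1_loss(BOTH))   # None: MNG-2 still carries heartbeats
    print("MNG-1 lost, one path  :", scenario_mng1_loss(ONE))    # (3.0, 'heartbeat timeout')
    print("all links down        :", scenario_links_down())      # (7.0, 'link down timeout')
    print("idle, trigger disabled:", scenario_idle(None))        # None
    print("idle, threshold set   :", scenario_idle(1000.0))      # (10.0, 'idle line timeout')
    print("manual switch over    :", scenario_manual())          # (2.5, 'switch-over command')
```

The monitor treats the heartbeat, link-down and idle-line timers independently and resets each timer as soon as its condition clears, so a brief link flap or a short traffic dip does not accumulate toward a failover; only the manual Switch Over command takes effect immediately.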


You can perform only the following actions on a secondary device:

  • Switch the device state (that is, switch over active to passive and passive to active)
  • Break the cluster if the primary device is unavailable
  • Configure management IP addresses and routing
  • Manage device users
  • Download a device configuration
  • Upload an attack signature database file
  • Download the device log file
  • Download the support log file
  • Reboot
  • Shut down
  • Change the device name
  • Change the device time
  • Initiate a baseline synchronization if the device is passive, using the CLI or Web Based Management


Configure a DDoS Protector high-availability cluster:

On both the primary and the secondary device, it is recommended to configure an IP address on both management interfaces (MNG-1 and MNG-2), so that heartbeats, baseline synchronization and configuration synchronization have a redundant path:

Router -> IP Router -> Interface Parameters, Create, SET


On the secondary device, create a user (for example, HAadmin) that the primary device uses to pair the devices:

Security -> Users, Create, SET


On the primary device, pair the devices to create an HA failover cluster:

Device -> High Availability -> Pair Definition -> Pair Parameters, SET

On the primary device, update the pair manually:

Device -> High Availability -> Pair Definition -> Update Pair, SET

The secondary device now reboots and comes up as the standby (passive) member.


Notes:

  • You can initiate a baseline synchronization if a cluster member is passive, using the CLI or Web Based Management.
  • In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
  • When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
  • You can monitor high-availability operation on the primary device under Device -> High Availability -> Monitoring.
  • To break the cluster, enter the admin user credentials under Device -> High Availability -> Pair Definition -> Pair Parameters, press Set, and then go to Device -> High Availability -> Global Parameters to disable the cluster.
