High Availability
SonicOS 5.8.1 Administrator Guide
How High Availability Works
High Availability requires one SonicWALL device configured as the Primary SonicWALL, and
an identical SonicWALL device configured as the Backup SonicWALL. During normal
operation, the Primary SonicWALL is in an Active state and the Backup SonicWALL in an Idle
state. If the Primary device loses connectivity, the Backup SonicWALL transitions to Active
mode and assumes the configuration and role of Primary, including the interface IP addresses
of the configured interfaces. After a failover to the Backup appliance, all the pre-existing
network connections must be re-established, including the VPN tunnels that must be
re-negotiated.
The failover applies to loss of functionality or network-layer connectivity on the Primary
SonicWALL. The failover to the Backup SonicWALL occurs when critical services are affected,
physical (or logical) link failure is detected on monitored interfaces, or when the Primary
SonicWALL loses power. The Primary and Backup SonicWALL devices are currently only
capable of performing Active/Idle High Availability or Active/Active UTM – complete
Active/Active high availability is not supported at present.
For SonicWALL appliances that support PortShield, High Availability requires that PortShield is
disabled on all interfaces of both the Primary and Backup appliances prior to configuring the
HA Pair. Besides disabling PortShield, SonicWALL security appliance configuration is
performed on only the Primary SonicWALL, with no need to perform any configuration on the
Backup SonicWALL. The Backup SonicWALL maintains a real-time mirrored configuration of
the Primary SonicWALL via an Ethernet link between the designated HA ports of the
appliances. If the firmware configuration becomes corrupted on the Primary SonicWALL, the
Backup SonicWALL automatically refreshes the Primary SonicWALL with the last-known-good
copy of the configuration preferences.
There are two types of synchronization for all configuration settings: incremental and complete.
If the timestamps are in sync and a change is made on the Active unit, an incremental
synchronization is pushed to the Idle unit. If the timestamps are out of sync and the Idle unit is
available, a complete synchronization is pushed to the Idle unit. When incremental
synchronization fails, a complete synchronization is automatically attempted.
High Availability Terminology
• Primary - Describes the principal hardware unit itself. The Primary identifier is a manual
designation, and is not subject to conditional changes. Under normal operating conditions,
the Primary hardware unit operates in an Active role.
• Backup - Describes the subordinate hardware unit itself. The Backup identifier is a
relational designation, and is assumed by a unit when paired with a Primary unit. Under
normal operating conditions, the Backup unit operates in an Idle mode. Upon failure of the
Primary unit, the Backup unit will assume the Active role.
• Active - Describes the operative condition of a hardware unit. The Active identifier is a
logical role that can be assumed by either a Primary or Backup hardware unit.
• Idle - Describes the passive condition of a hardware unit. The Idle identifier is a logical role
that can be assumed by either a Primary or Backup hardware unit. The Idle unit assumes
the Active role in the event of determinable failure of the Active unit.
• Failover - Describes the actual process in which the Idle unit assumes the Active role
following a qualified failure of the Active unit. Qualification of failure is achieved by various
configurable physical and logical monitoring facilities described throughout the Task List
section.
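The synchronization rules and the designation/role terminology above, as a small Python model. This is an added example, not SonicOS code: the class, method and field names are hypothetical, and treating the failed unit as an unavailable Idle unit is a simplifying assumption.

```python
# Added illustrative model; names are hypothetical, not SonicOS APIs.
from dataclasses import dataclass, field


@dataclass
class Unit:
    designation: str            # "Primary" or "Backup": fixed hardware label
    role: str                   # "Active" or "Idle": logical role, can move
    available: bool = True
    timestamp: int = 0          # configuration timestamp compared by the pair
    config: dict = field(default_factory=dict)


class HAPair:
    def __init__(self):
        self.primary = Unit("Primary", "Active")
        self.backup = Unit("Backup", "Idle")

    def active(self):
        return self.primary if self.primary.role == "Active" else self.backup

    def idle(self):
        return self.backup if self.primary.role == "Active" else self.primary

    def change(self, key, value, incremental_ok=True):
        """Apply a change on the Active unit and return the sync type used."""
        act, idl = self.active(), self.idle()
        in_sync = act.timestamp == idl.timestamp
        act.config[key] = value
        act.timestamp += 1
        if not idl.available:
            return "none"                   # nothing pushed; timestamps drift
        if in_sync and incremental_ok:
            idl.config[key] = value         # push only the changed setting
            idl.timestamp = act.timestamp
            return "incremental"
        # Out-of-sync timestamps, or a failed incremental push: send everything.
        idl.config = dict(act.config)
        idl.timestamp = act.timestamp
        return "complete"

    def failover(self):
        """Idle unit takes the Active role; hardware designations stay fixed."""
        act, idl = self.active(), self.idle()
        act.available, act.role = False, "Idle"   # assumption: failed unit is down
        idl.role = "Active"
        return idl
```

Passing `incremental_ok=False` to `change` simulates a failed incremental push, which falls back to a complete synchronization.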