High Availability
1163
SonicOS 5.8.1 Administrator Guide
Step 5 In the Primary IP Address field, enter the unique LAN management IP address of the Primary
unit.
Step 6 In the Backup IP Address field, enter the unique LAN management IP address of the Backup
unit.
Step 7 Select the Allow Management on Primary/Backup IP Address checkbox. When this option
is enabled for an interface, a green icon appears in the interface’s Management column in the
Monitoring Settings table on the High Availability > Monitoring page. Management is only
allowed on an interface when this option is enabled.
Step 8 In the Logical Probe IP Address field, enter the IP address of a downstream device on the
LAN network that should be monitored for connectivity. Typically, this should be a downstream
router or server. (If probing is desired on the WAN side, an upstream device should be used.)
The Primary and Backup appliances will regularly ping this probe IP address. If both can
successfully ping the target, no failover occurs. If neither can successfully ping the target, no
failover occurs, because it is assumed that the problem is with the target, and not the
SonicWALL appliances. But, if one appliance can ping the target but the other appliance
cannot, failover will occur to the appliance that can ping the target.
The Primary IP
Address and Backup IP Address fields must be configured with independent
IP addresses on a LAN interface, such as X0, (or a WAN interface, such as X1, for probing on
the WAN) to allow logical probing to function correctly.
Step 9 Optionally, to manually specify the virtual MAC address for the interface, select Override
Virtual MAC and enter the MAC address in the field. The format for the MAC address is six
pairs of hexadecimal numbers separated by colons, such as A1:B2:C3:d4:e5:f6. Care must be
taken when choosing the Virtual MAC address to prevent configuration errors.
When the Enabl
e Virtual MAC checkbox is selected on the High Availability> Advanced
page, the SonicOS firmware automatically generates a Virtual MAC address for all interfaces.
Allowing the SonicOS firmware to generate the Virtual MAC address eliminates the possibility
of configuration errors and ensures the uniqueness of the Virtual MAC address, which prevents
possible conflicts.
Step 10 Click OK.
Step 11 To configure monitoring on any of the other interfaces, repeat the above steps.
Step 12 When finished with all High Availability configuration, click Accept. All settings will be
synchronized to the Idle unit automatically.
Synchronizing Settings and Verifying Connectivity
Once you finish configuring the High Availability settings on the Primary SonicWALL security
appliance and click the Accept button, the Primary will automatically synchronize the settings
to the Backup unit, causing the Backup to reboot. You do not need to click the Synchronize
Settings button.
Later, when you click Synchronize Settings, it means that you are initiating a full manual
synchronization and the Backup will reboot after synchronizing the preferences. You should
see a HA Peer Firewall has been updated message at the bottom of the management
interface page. Note that the regular Primary-initiated synchronization (automatic, not manual)
is an incremental sync, and does not cause the Backup to reboot.
By default, the Include Certificate/Keys setting is enabled. This specifies that Certificates,
CRLs and associated settings (such as CRL auto-import URLs and OCSP settings) are
synchronized between the Primary and Backup units. When Local Certificates are copied to the
Backup unit, the associated Private Keys are also copied. Because the connection between the
Primary and Backup units is typically protected, this is generally not a security concern.