How can we help?

HA Firewall Pair Best Practices

Follow

Setting up a pair of firewalls in an HA (High Availability) configuration with Out of Band (OOB) management interfaces requires meticulous planning and attention to detail. To prevent firewall duplication after an HA failover event, the network admin must have both firewalls connected and monitored via OOB Management interfaces. Then, they must create a manual IP mapping by following the instructions provided by their firewall manufacturer. 

Below are steps to achieve industry-recognized best-in-class HA firewall setup, not just Auvik requirements. Please note that the steps might differ depending on the firewall vendor and model:

1. Prerequisites:

  • Two identical firewall appliances.
  • Required licensing for HA (if applicable).
  • Three networks: data, HA link, and OOB management.
  • Configuration access to the firewalls (console, SSH, GUI).
  • All necessary cables.

2. Initial Setup:

  • Physically rack both firewall devices.
  • Connect to the console of both firewalls for initial setup.
  • Assign management IP addresses for both devices on the OOB management network.

3. Configure Interfaces:

  • Configure the primary firewall's data interfaces (e.g., LAN, WAN).
  • Connect the HA link between the firewalls using a dedicated interface or interfaces.

4. High Availability Setup†:

  • Enable HA on the primary firewall and set it as the primary device.
  • Enable HA on the secondary firewall and set it as the secondary device.
  • Configure the HA settings:
  • Mode (e.g., Active/Passive, Active/Active).
  • HA link details.
  • Failover criteria.
  • Session synchronization (for stateful failovers).

Most firewall vendors support some mechanism for HA synchronization, so ensure the correct ports/protocols are allowed on the HA link.

5. Out of Band (OOB) Management†:

  • Connect the OOB management interfaces of both firewalls to your OOB management network.
  • Configure the OOB management interface on both devices. If OOB is not configured on both firewalls, Auvik will most likely consolidate the firewalls into one device.
  • Ensure that the management interface settings restrict access to only the OOB network for added security.

6. Test Failover:

  • Ensure that sessions are replicated to the secondary firewall (if stateful failover is configured).
  • Simulate a failure on the primary firewall to validate that traffic flows smoothly through the secondary firewall during a failover event.
  • Test failback to ensure the primary firewall can take over traffic when restored.

7. Set up Auvik Monitoring and Management

  • Scan the networks the firewalls are on, including the OOB management interfaces, and validate the management of both Firewalls in Auvik.
  • Add all SNMP, CLI, and/or API credentials to Auvik to allow Auvik to manage both firewalls properly.

8. Backup Configurations:

  • After setting up and testing HA, backup the configurations of both firewalls.
  • Auvik should now also be able to backup the configuration of each firewall.**

9. Monitoring and Alerting:

  • Using your instance of Auvik
    • Monitor both firewalls for uptime, resource usage, and other critical metrics.
    • Set up alerts and notifications for HA failover events.

10. Ongoing Maintenance:

  • Validate you are receiving regular backups of your firewalls using Auvik.
    • If you are not, schedule regular backups of configurations.
  • Periodically test failover to ensure HA continues to function as expected.

Note: Always update both firewalls concurrently to avoid version mismatch issues. Please ensure your firewalls are under a maintenance window in Auvik at that time to avoid unnecessary alerting and ticketing.

11. Documentation:

  • Document the entire setup process.
  • Keep a log of all changes made to either firewall.
  • Validate all relevant data is following into any integrated PSA or Helpdesk software you may have with your Auvik Instance(s)

If your firewalls are configured using these best practices, Auvik should have no issues monitoring both firewalls properly without having consolidation issues.

Remember, while these are generic steps, each firewall vendor and model might have specific requirements or unique features. Always consult the vendor documentation for the most accurate and detailed information.

*Note: if you have two or more firewalls set up. Even if active in an active\passive setup, Auvik will invoice for each managed firewall.

** Note: Auvik may have issues running its backup processes for some particular vendor models or firmware versions. .  If this is the case, open a ticket with Auvik support to enable this functionality to be built.

 

†HA and OOB Management links for the top firewall vendors in Auvik’s platform 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request