Setting up a pair of firewalls in an HA (High Availability) configuration with Out of Band (OOB) management interfaces requires meticulous planning and attention to detail. To prevent firewall duplication after an HA failover event, the network admin must have both firewalls connected and monitored via OOB Management interfaces. Then, they must create a manual IP mapping by following the instructions provided by their firewall manufacturer.
Below are the steps for an industry-recognized, best-in-class HA firewall setup, not just Auvik's requirements. Note that the steps may differ depending on the firewall vendor and model:
1. Prerequisites:
- Two identical firewall appliances.
- Required licensing for HA (if applicable).
- Three networks: data, HA link, and OOB management.
- Configuration access to the firewalls (console, SSH, GUI).
- All necessary cables.
2. Initial Setup:
- Physically rack both firewall devices.
- Connect to the console of both firewalls for initial setup.
- Assign management IP addresses for both devices on the OOB management network.
3. Configure Interfaces:
- Configure the primary firewall's data interfaces (e.g., LAN, WAN).
- Connect the HA link between the firewalls using a dedicated interface or interfaces.
4. High Availability Setup†:
- Enable HA on the primary firewall and set it as the primary device.
- Enable HA on the secondary firewall and set it as the secondary device.
- Configure the HA settings:
  - Mode (e.g., Active/Passive, Active/Active).
  - HA link details.
  - Failover criteria.
  - Session synchronization (for stateful failovers).
Most firewall vendors support some mechanism for HA synchronization, so ensure the correct ports/protocols are allowed on the HA link.
5. Out of Band (OOB) Management†:
- Connect the OOB management interfaces of both firewalls to your OOB management network.
- Configure the OOB management interface on both devices. If OOB is not configured on both firewalls, Auvik will most likely consolidate the firewalls into one device.
- Ensure that the management interface settings restrict access to only the OOB network for added security.
6. Test Failover:
- Ensure that sessions are replicated to the secondary firewall (if stateful failover is configured).
- Simulate a failure on the primary firewall to validate that traffic flows smoothly through the secondary firewall during a failover event.
- Test failback to ensure the primary firewall can take over traffic when restored.
7. Set up Auvik Monitoring and Management:
- Scan the networks the firewalls are on, including the OOB management interfaces, and validate the management of both Firewalls in Auvik.
- Add all SNMP, CLI, and/or API credentials to Auvik to allow Auvik to manage both firewalls properly.
8. Backup Configurations:
- After setting up and testing HA, back up the configurations of both firewalls.
- Auvik should now also be able to back up the configuration of each firewall.**
9. Monitoring and Alerting:
- Using your instance of Auvik:
  - Monitor both firewalls for uptime, resource usage, and other critical metrics.
  - Set up alerts and notifications for HA failover events.
10. Ongoing Maintenance:
- Validate you are receiving regular backups of your firewalls using Auvik.
- If you are not, schedule regular backups of configurations.
- Periodically test failover to ensure HA continues to function as expected.
Note: Always update both firewalls concurrently to avoid version mismatch issues. Please ensure your firewalls are under a maintenance window in Auvik at that time to avoid unnecessary alerting and ticketing.
11. Documentation:
- Document the entire setup process.
- Keep a log of all changes made to either firewall.
- Validate that all relevant data is flowing into any PSA or helpdesk software integrated with your Auvik instance(s).
If your firewalls are configured using these best practices, Auvik should have no issues monitoring both firewalls properly without having consolidation issues.
Remember, while these are generic steps, each firewall vendor and model might have specific requirements or unique features. Always consult the vendor documentation for the most accurate and detailed information.
*Note: If you have two or more firewalls set up, even in an active/passive configuration, Auvik will invoice for each managed firewall.
** Note: Auvik may have issues running its backup processes for some particular vendor models or firmware versions. If this is the case, open a ticket with Auvik support to request that this functionality be built.
Native High Availability Monitoring in Auvik
Auvik provides monitoring for Fortinet firewalls deployed in Active/Passive HA pairs. This update ensures complete visibility and data continuity across both devices, addressing previous limitations where passive nodes often appeared offline or were deleted from inventory.
How HA Monitoring Works
Previously, some passive FortiGate firewalls in an HA pair did not reply to ICMP or SNMP, causing them to appear offline and potentially be queued for deletion by Auvik’s cleanup logic. Now, both devices will appear online, and will no longer be deleted.
- Polling via Active Node: Auvik uses SNMP polling to read HA MIB tables from the active firewall.
- Passive Peer State: The active device reports the HA pair status and sync state. From this data, Auvik derives the online state of the passive node in the cluster.
- Persistence: Auvik now keeps both peers (active and passive) in inventory and topology, with the passive peer retained in an online state. This prevents the loss of configuration backups tied to the passive device.
Visibility and Alerting Capabilities
The native support introduces new ways to visualize and track the health of your HA deployment:
- New HA Widget - A dedicated HA Pair widget has been added to the device details page. This widget provides at-a-glance visibility into the health, sync state, and role of each firewall in the HA pair.
- New Alerts - Auvik will now generate alerts to help you detect role changes and sync issues in your HA pair:
  - HA Role Change (Failover Detected): This alert notifies you when an active/passive role swap occurs. This means that if the active firewall fails and the passive unit becomes active, Auvik can now alert on this event ("Failover Detected").
  - HA Sync Status Issue (HA Pair no longer in Sync): This alert is triggered if the configuration sync between the HA peers fails. This alerts you when the HA Pair is no longer synchronized, indicating a loss of redundancy.
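The following is an added example, not Auvik's own code or Fortinet's MIB definition, showing the assessment logic described in "How HA Monitoring Works" and the two alerts above: the passive peer's online state is taken from the active node's HA table, a change of master serial between two polls raises the role-change alert, and an unsynchronized member raises the sync alert. The snapshot classes, the three constructed polls and the `assess()` function are assumptions made for this example; on a FortiGate the underlying data comes from the FORTINET-FORTIGATE-MIB HA stats table, and the exact columns and OIDs must be taken from the vendor MIB rather than from this file.

```python
"""Added example (not Auvik's code): derive HA-pair state and alerts from what
the active node reports over SNMP, run over constructed poll snapshots.

Assumption: the active node's HA table gives, per member, a serial, a hostname
and a sync flag, plus the serial of the current master. Verify the real
column layout against the vendor MIB before using this shape in production.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HaMember:
    serial: str
    hostname: str
    synced: bool          # member's config checksum matches the master's


@dataclass(frozen=True)
class HaSnapshot:
    """One SNMP poll of the active node's HA table."""
    master_serial: str
    members: List[HaMember]


@dataclass
class HaAssessment:
    online: Dict[str, bool] = field(default_factory=dict)  # serial -> up?
    roles: Dict[str, str] = field(default_factory=dict)    # serial -> active/passive/unknown
    alerts: List[str] = field(default_factory=list)


def assess(prev: Optional[HaSnapshot], cur: HaSnapshot) -> HaAssessment:
    """Compare the latest poll with the previous one and emit alert strings."""
    out = HaAssessment()
    for m in cur.members:
        # Being listed in the active node's HA table is the evidence that the
        # passive peer is up, even though it may never answer ICMP/SNMP itself.
        out.online[m.serial] = True
        out.roles[m.serial] = "active" if m.serial == cur.master_serial else "passive"
    if prev is not None:
        # A member that vanished from the table is the one case where a peer
        # is marked offline instead of being kept online in inventory.
        for m in prev.members:
            if m.serial not in out.online:
                out.online[m.serial] = False
                out.roles[m.serial] = "unknown"
        if prev.master_serial != cur.master_serial:
            out.alerts.append(
                "HA Role Change (Failover Detected): active role moved from "
                f"{prev.master_serial} to {cur.master_serial}")
    # One alert per pair, naming every member that reports out of sync.
    unsynced = [m.hostname for m in cur.members if not m.synced]
    if unsynced:
        out.alerts.append(
            "HA Sync Status Issue (HA Pair no longer in Sync): " + ", ".join(unsynced))
    return out


# Constructed snapshots: a healthy pair, then a failover, then a sync loss.
POLL_HEALTHY = HaSnapshot("FGT-SERIAL-A", [
    HaMember("FGT-SERIAL-A", "fw-a", True),
    HaMember("FGT-SERIAL-B", "fw-b", True),
])
POLL_FAILOVER = HaSnapshot("FGT-SERIAL-B", [
    HaMember("FGT-SERIAL-A", "fw-a", True),
    HaMember("FGT-SERIAL-B", "fw-b", True),
])
POLL_OUT_OF_SYNC = HaSnapshot("FGT-SERIAL-B", [
    HaMember("FGT-SERIAL-A", "fw-a", False),
    HaMember("FGT-SERIAL-B", "fw-b", True),
])


def run_demo() -> List[str]:
    """Walk the three constructed polls in order and collect every alert raised."""
    alerts: List[str] = []
    prev: Optional[HaSnapshot] = None
    for cur in (POLL_HEALTHY, POLL_FAILOVER, POLL_OUT_OF_SYNC):
        alerts.extend(assess(prev, cur).alerts)
        prev = cur
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the module prints one role-change alert for the second poll and one sync alert for the third; the first poll raises nothing while both members are listed by the active node and marked online. A poller would call `assess()` with the previous and current snapshot on every SNMP cycle and forward the returned alert strings to the alerting path.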
†HA and OOB Management links for the top firewall vendors in Auvik's platform
| High Availability Setup | Out of Band Management Setup |
| --- | --- |
| Cisco FTD HA | Cisco OOB |
| Fortinet HA | Fortinet OOB |
| SonicWALL HA | SonicWALL OOB |
| JUNOS (Juniper) HA | JUNOS (Juniper) OOB |
| WatchGuard HA | WatchGuard OOB |
| Palo Alto HA | Palo Alto OOB |
| Cisco Meraki HA | Cisco Meraki alternate OOB |
| Sophos HA | Sophos OOB |
| Netgate (pfSense) HA | Netgate (pfSense) OOB |
| Check Point HA | Check Point OOB |
| Barracuda HA | Barracuda OOB |
| Zyxel HA | Zyxel OOB |
| Versa HA | Versa OOB |