In networks where dual firewalls are deployed in a high availability (HA) configuration, assigning the correct Auvik collector is essential to ensure consistent monitoring, reliable configuration backups, and full network visibility. This article provides guidance on collector placement, routing design, and failover behavior in HA firewall scenarios.
Why Collector Assignment Matters in HA Firewall Setups
Auvik collectors are responsible for:
- Performing configuration backups
- Running CLI and SNMP tests
- Receiving and processing traffic flow data (e.g., NetFlow, sFlow, IPFIX)
In HA environments, firewalls typically operate in an active/standby model. If collector routing or targeting is incorrect, data may be:
- Lost during failover
- Collected from the standby unit instead of the active
- Blocked due to routing or ACL inconsistencies
Collector Placement Best Practices
1. Same-Segment Placement
- Place the collector on the same subnet or VLAN as the firewall’s management interface, preferably the one tied to the active node.
- If using out-of-band (OOB) management, ensure routing from the collector to both nodes’ management IPs is available.
2. Use Static IPs or VIPs
- If the HA pair supports a Virtual IP (VIP) for management that always points to the active firewall, configure Auvik to target the VIP.
- If VIPs are not available, assign the collector to monitor the known active node IP, and prepare to manually reassign if failover occurs.
3. Multiple Collectors for Complex Sites
- In environments with multiple sites or firewalls, consider deploying multiple collectors and using Auvik’s device-to-collector assignment feature to ensure device data flows through the appropriate collector.
Handling Failover Events
During firewall failover:
- Auvik may continue polling or backing up the now-standby unit if the IP target doesn’t change.
- Backup attempts to the standby node may silently fail or return outdated configurations.
Recommendations:
- Monitor firewall HA state via SNMP if possible.
- If using per-node IPs, establish a process to update Auvik’s target device IPs post-failover.
- Use alerts in Auvik to detect backup failures as an indicator of misaligned collector-to-firewall targeting.
Common Misconfigurations to Avoid
- Assigning the collector to monitor a firewall IP that belongs to the standby node.
- Blocking SNMP or CLI access from the collector to the OOB interface.
- Using dynamic IP assignments for firewalls without automation to update Auvik’s device list.
Summary
When managing dual firewalls in an HA setup, thoughtful Auvik collector assignment ensures:
- Consistent monitoring and backup success
- Accurate visibility into the active firewall
- Reduced manual intervention during failover
Review your HA design, firewall management IP architecture, and collector network placement to ensure optimal alignment with Auvik’s data collection model.
For related topics, see:
- Firewall Configuration Backups in High Availability (HA) Environments
- How do I manage my collectors?
- How do I assign a collector to a specific device?