Manual Chapter: FirePass 5.0 Handbook: Using FirePass Controllers for Failover



Chapter 6: Using FirePass Controllers for Failover


Overview of FirePass controller failover pairs

Two FirePass controllers have the capacity to act as a redundant system, or failover pair. A failover pair of FirePass controllers is two controllers configured to work together to provide high availability for remote users. One controller acts as the active controller and the second acts as a standby controller. The standby controller backs up the active controller. If the active controller fails, the switch to the standby controller is transparent to users.

A FirePass failover configuration is ideal for providing high availability for one site on a single subnet. For organizations with larger sites and more than one subnet, a cluster of FirePass controllers can provide availability and load balancing. For more information about clustering, see Overview of FirePass controller clusters.

Note: Once a failover pair of controllers has been configured, the most recently restarted controller automatically becomes the standby controller. You can change the standby FirePass controller into the active controller by restarting your active controller. For more information, see Manually triggering failover.

Configuring FirePass controller failover pairs

Once you have installed and licensed both units for your redundant system, you need to configure the failover settings for both controllers.

These procedures walk you through making configuration changes on both the active and the standby FirePass controllers. Once the controllers are properly configured for failover, make any subsequent configuration changes on the active controller. All information is synchronized between the active and standby controllers except network configuration and SNMP configuration.

Note: Many failover screens and links are visible only if you have enabled failover.


Configuring FirePass controllers for failover

This chapter assumes you already have installed the FirePass controllers and have finished their initial configuration. For more information, see Installing the FirePass controller.

After you have installed and configured both FirePass controllers, you need to configure failover settings on the active and standby controllers. Configure the settings on the active controller first.

The number of NICs (network interface cards) determines how you connect the controller:

  • If you are installing two single-NIC FirePass controllers as a redundant system, simply connect the controllers to the network.


  • If you are connecting two dual-NIC FirePass controllers as a redundant system, connect the corresponding NIC on each controller to the same subnet. For example, connect the internal NIC on each controller to the same subnet.


Note: For FirePass 1000 and 4000 controllers, we recommend that the public subnet be associated with the NIC configured as eth0, and the private subnet be associated with the NIC configured as eth1. For FirePass 4100 controllers we recommend the public subnet be associated with the NIC configured as eth1.1.


Overview of the configuration process

To configure the failover settings on the FirePass controllers, you need to complete several tasks, in order:

  • Configure a fully qualified domain name (FQDN)
    The controllers in a failover pair share a name. Make sure both controllers are configured with this name before making any additional failover configuration changes.


  • Enable failover on the active controller
    Enabling failover is the first step in configuring the active controller. Enable failover and restart the controller when prompted. After you have enabled failover and restarted the controller, you can make additional configuration changes on new failover screens. See Enabling failover on the active controller.


  • Configure a virtual IP address
    Configure the active controller with a virtual IP address. The active controller and the standby controller will share this virtual IP address. See Configuring the active controller with a virtual IP address.


  • Configure Web services
    When you have configured a virtual IP address on the active controller, you can configure Web services on that virtual IP address. See Configuring Web services for the virtual IP address. You also need to make some configuration changes for the physical IP address of the controller. See Configuring Web services for the active controller's physical IP address.


  • Restart the active controller
    You will be prompted to restart the controller after configuring Web services. Restarting the controller puts the failover configuration changes into effect.


  • Enable failover on the standby controller
    Enabling failover on the standby controller is the first step for configuring that controller. After you have enabled failover and restarted the controller, you can make additional failover configuration changes on the new failover screens. See Enabling failover on the standby controller.


  • Configure a virtual IP address
    Configure the standby controller with the same virtual IP address you configured on the active controller. The two controllers share this address. See Configuring the standby controller with a virtual IP address.


  • Configure Web services
    Configure Web services for the virtual IP address. See Configuring Web services for the virtual IP address. You also need to configure the synchronization service on the standby controller's physical IP address. See Configuring Web services for the standby controller's physical IP address.


  • Restart the standby controller
    When you have finished configuring the Web services, restart the controller. Restarting the controller activates the failover configuration.


  • Verify the failover configuration
    When you have configured both the active and standby controllers, verify that the configuration is working correctly. See Verifying the failover configuration.



Configuring the active FirePass controller

Configuring the active controller for failover is straightforward if you follow the proper steps in order. Before configuring failover settings on the active controller, make sure both the active and standby controllers are configured with the same fully qualified domain name (FQDN). After confirming this, enable failover on the active controller, configure it with a virtual IP address, and configure Web services for that IP address.

Note: If you are converting an existing FirePass controller to part of a redundant system, make a full backup of the controller before making any configuration changes. For information about backing up a FirePass controller, see the online help.

Enabling failover on the active controller

You need to enable failover on the active FirePass controller before configuring the controller for failover. When you enable failover you are prompted to restart the controller. After restarting the controller, failover configuration screens and options are visible in the Administrative Console.

To enable failover on the active FirePass controller

  1. Connect to the active FirePass controller using a Web browser.
    The Administrative Console login screen displays.


  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.


  3. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen displays.


  4. Click the Hosts tab at the top of the screen.


  5. Confirm that the name of the controller in the FQDN of the controller box is the name you want to use for the failover pair. These names must match on both the active and standby controllers.
    Note: You need to add this name and virtual IP address to your DNS server.


  6. On the navigation pane, click Clustering and Failover.
    The Clustering and Failover screen displays.


  7. In the Failover (High-Availability) Configuration area, make these changes:


    1. Check the Enable Failover Configuration box.


    2. Select First from the Failover Pair Member list.


    3. Copy the Failover ID.
      Write the Failover ID down, or paste it into a text file. You will need this value to configure the standby FirePass controller.


  8. In the Clustering/Failover Global ID area, copy the Cluster/Failover Global ID.
    Write the clustering/failover global ID down, or paste it into a text file. You will need this value to configure the standby FirePass controller.


  9. Click Apply Clustering/Failover Settings to apply the changes you made.


  10. When prompted to restart the controller, click the indicated text, here.
    After the controller restarts, you are ready to begin configuring failover options.

Configuring the active controller with a virtual IP address

The pair of failover controllers shares a virtual IP address. Sharing this IP address makes it possible for the standby controller to seamlessly take over from the active controller if the active controller fails, with no interruption to remote client systems.

To add or change the IP addresses in the failover controllers, you specify the IP addresses on the IP Configuration screen of each controller.

The following IP addresses must be configured for each failover controller:

  • One virtual IP address for the failover pair. The controllers must share the same virtual IP address.

  • Configure your DNS server to map a fully qualified domain name to the virtual IP address. The active controller in the failover pair is the one that responds to requests that resolve to the Server IP Address.

  • A physical IP address and port on each controller. The IP address and port setting on the Failover configuration screen is the physical IP address and port of the NIC in the controller. This address must be unique in each controller in the failover pair. The physical IP addresses for the two failover controllers must be on the same subnet.


Note: If you change the IP address for either controller, you must specify the new IP address for the controller on the Failover Pair Configuration screen.

To configure a virtual IP address on the active FirePass controller

  1. Connect to the active FirePass controller using a Web browser.
    The Administrative Console login screen displays.


  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.


  3. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen displays.


  4. In the Add New IP area, follow these steps:


    1. In the IP Address/Netmask box, type a new IP address and subnet mask for the Virtual IP address.


    2. Check the Virtual box.


    3. In the Broadcast IP box, type a broadcast IP address.


    4. Select the appropriate network interface from the Interface list.


    5. Click Add New to add the new virtual IP address.


Configuring Web services for the virtual IP address

After adding a new virtual IP address to the active controller, you need to configure the Web services for the virtual IP address. Which services you configure, and the ports you use, depend on how your local network and firewall are set up and on what FirePass controller features you use. For more information on FirePass controllers, network traffic, ports, and firewalls, see Chapter 2, Installing the FirePass Controller.

Configuring Web services on port 81

Port 81 is commonly used for Desktop Access connections and synchronization services.

To configure Web services on port 81 of the virtual IP address

You should still be on the Device Management : Configuration : Network Configuration screen.

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. In the Add new service area, follow these steps:


    1. Select the virtual IP address from the IP list.


    2. Type 81 in the Port box.


    3. Type the fully qualified domain name of the FirePass controller you are configuring in the Hostname field.


    4. Select ActiveOnly from the For Mode list.


    5. To add the new service, click Add New.
      The Web Service Configuration for <Hostname or IP Address> screen for the new service displays.


  3. Check the Do not redirect to HTTPS box.


  4. Check the Desktop box.


  5. Leave all other options unchecked.


  6. Click Update to update the values.


Configuring Web services on port 443

Port 443 is used for HTTPS.

To configure Web services on port 443

You should still be at the Device Management : Configuration : Network Configuration screen.

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. In the Add new service area, follow these steps:


    1. Select the virtual IP address from the IP list.


    2. Type 443 in the Port box.


    3. Type the fully qualified domain name of the FirePass controller in the Hostname field.


    4. Select ActiveOnly from the For Mode list.


    5. Check the SSL box.


    6. To add the new service, click Add New.
      The Web Service Configuration for <Hostname or IP Address> screen for the new service displays.


  3. Select the certificate from the Certificate list.


  4. Check the User Login box.


  5. Leave all other options unchecked.


  6. Click Update to update the values.


Configuring Web services on port 80

Port 80 is not required, though you may need to configure it based on your network configuration.

To configure Web services on port 80

You should still be at the Device Management : Configuration : Network Configuration screen.

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. In the Add new service area of the Web Server Configuration screen, follow these steps:


    1. Select the virtual IP address from the IP list.


    2. Type 80 in the Port box.


    3. Type the fully qualified domain name of the FirePass controller in the Hostname field.


    4. Select ActiveOnly from the For Mode list.


    5. To add the new service, click Add New.
      The Web Service Configuration for <Hostname or IP Address> screen for the new service displays.


  3. In the HTTPS URL to redirect to box, type the URL of the HTTPS Web service (port 443) on the virtual IP address.


  4. Check the User Login box.


  5. Leave all other options unchecked.


  6. To update the values, click Update.


Configuring Web services for the active controller's physical IP address

After configuring Web services for the active controller's virtual IP address, you also need to configure a synchronization service for the controller's physical IP address.

To configure Web services for the physical IP address

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. Click Configure for the service using port 81 on the controller's physical IP address. (This is usually the first service listed.)
    The Web Service Configuration screen for the service displays.


  3. Check the Synchronization Agent box.


  4. Check the Admin Login box.


  5. Clear the Desktop check box.


  6. To update the values, click Update.


Configuring the active controller's heartbeat

The active and standby controllers communicate with each other using a heartbeat. The heartbeat is a regular signal the active controller sends to the standby controller, letting the standby controller know that the active controller is still working properly. If the standby controller does not receive the heartbeat signal, it automatically takes over as the active controller.

Heartbeat settings include which IP address and port to use for the heartbeat while a controller is the active controller. The heartbeat is broadcast to the subnet.

To configure the active controller's heartbeat

  1. On the Device Management : Configuration : Network Configuration screen, click the Failover tab.
    The Failover Configuration screen displays.


  2. Verify that the Network interface is correct.


  3. Verify that the UDP port is correct. By default the port is 694. Update this value if you have configured a different port.


  4. Select the physical IP address and port from the IP address and port on this machine to use for synchronization list. The controller uses this IP address and port for synchronization with the standby controller.


  5. Type the physical IP address and port for the standby controller in the IP address and port on the other member of this failover pair to use for synchronization box. The standby controller will use this IP address and port for synchronization with the active controller.


  6. To update the failover configuration, click Update.


  7. Click the Desktop tab at the top of the screen.
    The Desktop Software Network Configuration screen displays.


  8. Clear the Remote access addresses check box for the physical IP address.


  9. Check the Remote access addresses box for the virtual IP address.


  10. To update the settings, click Update.


  11. Click the Misc tab at the top of the screen.
    The Misc screen displays.


  12. From the IP address of local X11 server list, select the virtual IP address.


  13. From the MS broadcast address list, select the virtual IP address.


  14. From the IP address of Network Access server list, select the virtual IP address.


  15. To update your changes, click Update.


  16. Click the Finalize tab at the top of the screen.


  17. To finalize the failover configuration of the active controller, click Finalize Changes.


  18. When prompted, click OK to restart the controller.


Configuring the standby FirePass controller

After you have configured the active FirePass controller, you need to configure the standby controller so that it can take over in the event of a failure of the active controller.

Note: If you are converting an existing FirePass controller to a failover controller, make a full backup of the controller before making any configuration changes. For information about backing up a FirePass controller, see the online help.

Enabling failover on the standby controller

You need to enable failover on the standby FirePass controller before configuring the controller for failover. When you enable failover, you will be prompted to restart the controller. After restarting the controller, failover configuration screens and options are visible in the Administrative Console.

To enable failover on the standby FirePass controller

  1. Connect to the standby FirePass controller using a Web browser.
    The Administrative Console login screen displays.


  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.


  3. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen displays.


  4. Click the Hosts tab at the top of the screen.


  5. Confirm that the name of the controller in the FQDN of the controller box matches the name on the active controller.


  6. On the navigation pane, click Clustering and Failover.
    The Clustering and Failover screen displays.


  7. In the Failover (High-Availability) Configuration area, make these changes:


    1. Check the Enable Failover Configuration box.


    2. Select Second from the Failover Pair Member list.


    3. Type the Failover ID in the Failover ID box. This value must match the Failover ID on the active controller. You can copy the active controller's Failover ID and paste it in the Failover ID box on the standby controller.


  8. In the Clustering/Failover Global ID area, type the Cluster/Failover Global ID in the Cluster/Failover Global ID box. This value must match the Cluster/Failover Global ID on the active controller. You can copy the active controller's Cluster/Failover Global ID and paste it in the Cluster/Failover Global ID box on the standby controller.


  9. Click Apply Clustering/Failover Settings to apply the changes you made.


  10. When prompted to restart the controller, click the indicated text, here.
    After the controller restarts, you are ready to begin configuring failover options.


Configuring the standby controller with a virtual IP address

The pair of failover controllers shares a virtual IP address. Sharing this IP address makes it possible for the standby controller to seamlessly take over from the active controller if the active controller fails.

Note: If you change the physical IP address for either controller, you must specify the new IP address on the Failover Pair Configuration screen.

To configure the virtual IP address on the standby FirePass controller

  1. Connect to the standby FirePass controller using a Web browser.
    The Administrative Console login screen displays.


  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.


  3. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen displays.


  4. In the Add New IP area, follow these steps:


    1. In the IP Address/Netmask box, type the virtual IP address and subnet mask you entered on the active controller.


    2. Check the Virtual box.


    3. In the Broadcast IP box, type a broadcast IP address.


    4. Select the appropriate network interface from the Interface list.


    5. Click Add New to add the new virtual IP address.


Configuring Web services for the virtual IP address

After adding a new virtual IP address to the standby controller, you need to configure the Web services for the virtual IP address.

Configuring Web services on port 81

Port 81 is commonly used for Desktop Access connections and synchronization services.

To configure the virtual IP address for Web services on port 81

You should still be on the Device Management : Configuration : Network Configuration screen.

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. In the Add new service area, follow these steps:


    1. Type the fully qualified domain name of the FirePass controller in the Hostname field.


    2. Select the virtual IP address from the IP list.


    3. Type 81 in the Port box.


    4. Select ActiveOnly from the For Mode list.


    5. Leave the SSL box unchecked.


    6. To add the new service, click Add New.
      The Web Service Configuration for <Hostname or IP Address> screen displays.


  3. Check the Do not redirect to HTTPS box.


  4. Check the Desktop box.


  5. Leave all other options unchecked.


  6. Click Update to update the values.


Configuring Web services on port 443

Port 443 is used for HTTPS.

To configure Web services on port 443

You should still be on the Device Management : Configuration : Network Configuration screen.

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. In the Add new service area, follow these steps:


    1. In the Hostname box, type the fully qualified domain name that the FirePass controller shares with the active controller.


    2. Select the virtual IP address from the IP list.


    3. Type 443 in the Port box.


    4. Select ActiveOnly from the For Mode list.


    5. Check the SSL box.


    6. To add the new service, click Add New.
      The Web Service Configuration for <Hostname or IP Address> screen displays.


  3. Select the certificate in the Certificate list.


  4. Leave the Do not redirect to HTTPS box unchecked.


  5. Check the User Login box.


  6. Leave the Admin Login box unchecked.


  7. Click Update to update the values.


Configuring Web services on port 80

Port 80 is not required, though you may need to configure it based on your network configuration.

To configure Web services on port 80

You should still be at the Device Management : Configuration : Network Configuration screen.

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. In the Add new service area, follow these steps:


    1. Type the (shared) fully qualified domain name of the FirePass controller in the Hostname box.


    2. Select the virtual IP address from the IP list.


    3. Type 80 in the Port box.


    4. Select ActiveOnly from the For Mode list.


    5. Leave the SSL box unchecked.


    6. To add the new service, click Add New.
      The Web Service Configuration for <Hostname or IP Address> screen displays.


  3. In the HTTPS URL to redirect to box, type the URL of the HTTPS Web service (port 443) on the virtual IP address.


  4. Check the User Login box.


  5. Leave all other options unchecked.


  6. To update the values, click Update.


Configuring Web services for the standby controller's physical IP address

After configuring Web services on the standby controller for the virtual IP address, you need to configure the synchronization service for the controller's physical IP address.

To configure Web services for the physical IP address

  1. Click the Web Services tab at the top of the screen.
    The Web Server Configuration screen displays.


  2. Click Configure for the service using port 81 on the controller's physical IP address. (This is usually the first service listed.)
    The Web Service Configuration screen for the service displays.


  3. Check the Synchronization Agent box.


  4. Check the Admin Login box.


  5. Clear the Desktop check box.


  6. To update the values, click Update.


Configuring the standby controller's heartbeat

The active and standby controllers communicate with each other using a heartbeat. If the standby controller does not receive a regular heartbeat signal from the active controller, it automatically takes over as the active controller.

Heartbeat settings include what IP address and port to use for the heartbeat while a controller is the active controller. The heartbeat is broadcast to the subnet.

To configure the standby controller's heartbeat

  1. On the Device Management : Configuration : Network Configuration screen, click the Failover tab.
    The Failover Configuration screen displays.


  2. Verify that the Network interface is correct.


  3. Verify that the UDP port is correct. By default the port is 694. Update this value if you have configured a different UDP port.


  4. Select the controller's physical IP address and port from the IP address and port on this machine to use for synchronization list. The standby controller uses this IP address and port for synchronization if it becomes the active controller.


  5. Type the physical IP address and port for the active controller in the IP address and port on the other member of this failover pair to use for synchronization box. The standby controller uses this IP address and port for synchronization with the active controller.


  6. To update the failover configuration, click Update.


  7. Click the Desktop tab at the top of the screen.
    The Desktop Software Network Configuration screen displays.


  8. Clear the Remote access addresses check box for the physical IP address.


  9. Check the Remote access addresses box for the virtual IP address.


  10. To update the settings, click Update.


  11. Click the Misc tab at the top of the screen.
    The Misc screen displays.


  12. From the IP address of local X11 server list, select the virtual IP address.


  13. From the MS broadcast address list, select the virtual IP address.


  14. From the IP address of Network Access server list, select the virtual IP address.


  15. To update your changes, click Update.


  16. Click the Finalize tab at the top of the screen.


  17. Click Finalize Changes to finalize the failover configuration of the standby controller.


  18. When prompted, click OK to restart the standby controller.


Post-configuration tasks

After you have configured both FirePass controllers for failover, confirm that the failover configuration is working. To do this, start both controllers and then manually trigger failover.

Starting failover controllers

If both failover controllers are turned off, the first controller you start automatically assumes the role of active controller and the second controller becomes the standby controller. The two controllers remain in this state until either the active controller fails and the standby controller takes over, or you restart the active controller and the standby controller becomes the active controller.

If a pair of failover controllers are started simultaneously, the controller with the lexically-lower name becomes the active controller. For example, Prowler-1 has precedence over Prowler-2.

Verifying the failover configuration

After configuring the active and standby FirePass controllers, verify that the configuration is properly working.

To verify that your failover configuration is working

  1. Connect to the active FirePass controller using a Web browser.
    The Administrative Console login screen displays.


  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.


  3. On the navigation pane, click Failover.
    The Failover : Settings screen displays.


  4. Verify that the failover controllers are properly configured:


    1. Confirm that the current controller is active by looking at the value of This node. If the controller is active, it will show as (active).


    2. Confirm that the two controllers are communicating. Below the table a line indicates how many seconds it has been since the last sync with the standby controller. If there has been too long a period, a warning displays.


  5. Restart the current, active controller so that the standby controller fails over.


    1. Click Restart This Node, Make <standby controller> Active to restart the current controller.


    2. After the controller restarts, log in and navigate to the Failover : Settings screen to verify that the controller is now the standby controller.

Manually triggering failover

You can manually trigger a failover to verify that the configuration of the failover pair is correct. You might also need to manually trigger a failover if you need to make changes to your active controller.

To manually trigger a failover to a standby controller

  1. Using a Web browser, enter the fully qualified domain name for the failover controller pair, and log in as Administrator.
    The active controller responds to the request.


  2. In the navigation pane, click Failover.


  3. Click Settings.
    The Failover : Settings screen displays.


  4. Click Restart This Node, Make <standby controller> Active.
    The current controller restarts and becomes the standby controller, while the standby controller takes over as the active controller.
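The chapter describes four failover rules: the heartbeat the active controller broadcasts on UDP port 694, the takeover when the standby stops receiving it, the start-up rule that the lexically-lower name becomes active, and the manual restart that swaps roles (plus the "too long since last sync" warning on the Failover : Settings screen). The following Python model, added here as an example and not part of the FirePass product or documentation, puts those rules together so you can exercise the takeover, the split-brain condition a blocked heartbeat produces, and the manual swap; the timeout, the warning threshold, the datagram payload and the class names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HEARTBEAT_PORT = 694      # default UDP port on the Failover tab
HEARTBEAT_TIMEOUT = 5.0   # assumed: seconds of silence before the standby takes over
SYNC_WARN_AFTER = 60.0    # assumed: "too long since last sync" warning threshold


@dataclass
class Controller:
    name: str
    role: str = "standby"
    alive: bool = True
    seq: int = 0
    last_heartbeat: float = 0.0          # when the peer's heartbeat last arrived
    last_sync: Optional[float] = None    # when configuration last synchronized

    def send_heartbeat(self, now: float):
        """Only a running, active controller broadcasts (payload format assumed)."""
        if self.alive and self.role == "active":
            self.seq += 1
            return f"{self.name} {self.seq}".encode()
        return None

    def receive(self, datagram: bytes, now: float) -> None:
        """A broadcast reaches the sender too; only a peer's heartbeat resets the timer."""
        sender, _seq = datagram.decode().split()
        if sender != self.name:
            self.last_heartbeat = now

    def evaluate(self, now: float) -> str:
        """The standby takes over once the heartbeat has been silent past the timeout."""
        if self.alive and self.role == "standby" and now - self.last_heartbeat > HEARTBEAT_TIMEOUT:
            self.role = "active"
        return self.role

    def sync_warning(self, now: float) -> bool:
        """What the Failover : Settings screen flags when the last sync is too old."""
        return self.last_sync is None or now - self.last_sync > SYNC_WARN_AFTER


def elect_active(names):
    """Simultaneous start: the lexically-lower name wins (Prowler-1 over Prowler-2)."""
    return min(names)


class FailoverPair:
    def __init__(self, first: Controller, second: Controller, now: float = 0.0):
        self.nodes = [first, second]
        winner = elect_active([n.name for n in self.nodes])
        for n in self.nodes:
            n.role = "active" if n.name == winner else "standby"
            n.last_heartbeat = now

    def tick(self, now: float, heartbeat_ok: bool = True, sync_ok: bool = True):
        """One heartbeat period. heartbeat_ok=False models UDP 694 being blocked
        between the nodes; sync_ok=False models the port 81 sync service failing."""
        for n in self.nodes:
            pkt = n.send_heartbeat(now)
            if pkt is not None and heartbeat_ok:
                for peer in self.nodes:
                    if peer.alive:
                        peer.receive(pkt, now)
        if sync_ok and all(n.alive for n in self.nodes):
            for n in self.nodes:
                n.last_sync = now
        return {n.name: n.evaluate(now) for n in self.nodes}

    def active(self):
        return [n.name for n in self.nodes if n.alive and n.role == "active"]

    def split_brain(self) -> bool:
        """Both live nodes claiming the virtual IP: what a blocked heartbeat causes."""
        return len(self.active()) > 1

    def restart(self, name: str, now: float) -> None:
        """'Restart This Node, Make <standby> Active': the restarted node returns as standby."""
        for n in self.nodes:
            if n.name == name:
                n.role, n.seq, n.last_heartbeat = "standby", 0, now
            elif n.alive:
                n.role = "active"
```

A heartbeat that never crosses the subnet (for example, UDP 694 dropped by a filter between the two NICs) does not look like a failure from the active node's side, so the split_brain() check is the condition to watch for when verifying a pair.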


