HP VPN Firewall Appliances High Availability Configuration Guide

Configuring Firewall B
The settings on Firewall B are the same as those on Firewall A and are not shown, except that the
Main Device for Configuration Synchronization and Auto Synchronization settings are not needed on
Firewall B.
Configuring stateful failover at the CLI
Stateful failover configuration task list
To implement stateful failover on two devices, you need to perform the following configurations:
• Routing configuration. Configure VRRP or a dynamic routing protocol on the devices and the
  uplink/downlink devices to make sure that the traffic can automatically switch to the other device
  when a device fails.
• Service backup configuration, which can implement real-time service backup between the two
  devices. The real-time service backup is triggered by adding, modifying, or deleting service
  features.

This configuration guide only introduces the service backup configuration.
Complete the following tasks to configure stateful failover:
| Task | Remarks |
|------|---------|
| Enabling stateful failover | Required. |
| Enabling automatic configuration synchronization | Required. |
| Configuring a failover interface and a backup VLAN | Required. |
| Service module related configurations | Optional. A device providing NAT, ALG, or blacklist services automatically backs up related information to the backup device after the configurations take effect. |
Enabling stateful failover
When you enable stateful failover with the dhbk enable backup-type { dissymmetric-path |
symmetric-path } command, one of the following happens:
• If you specify the dissymmetric-path keyword, the two devices operate in active/active mode.
  Sessions enter and leave the internal network through different devices to achieve load sharing.
• If you specify the symmetric-path keyword, the two devices operate in active/standby mode.
  Sessions enter and leave the internal network through one device.
Select a keyword based on the network environment and resources, and specify the same keyword for
both devices.
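The following check is an added example, not part of the HP guide: it compares saved configuration text from the two devices and reports whether both use the same backup-type keyword. It assumes the command appears in the saved configuration exactly as typed; the function names and sample excerpts are constructed for illustration.

```python
import re

# Matches the command form given in this guide:
#   dhbk enable backup-type { dissymmetric-path | symmetric-path }
# Assumption: the saved configuration stores the line as typed.
DHBK_RE = re.compile(
    r"^\s*dhbk\s+enable\s+backup-type\s+(dissymmetric-path|symmetric-path)\s*$",
    re.MULTILINE,
)

# Operating mode that each keyword selects, as described above.
MODE = {
    "dissymmetric-path": "active/active",
    "symmetric-path": "active/standby",
}


def backup_type(config_text):
    """Return the configured keyword, or None if the command is absent.

    Raises ValueError if the text holds conflicting dhbk lines."""
    found = set(DHBK_RE.findall(config_text))
    if len(found) > 1:
        raise ValueError("conflicting backup-type lines: %s" % sorted(found))
    return found.pop() if found else None


def check_pair(config_a, config_b):
    """Compare two devices' configurations; return (ok, message)."""
    a, b = backup_type(config_a), backup_type(config_b)
    if a is None or b is None:
        missing = [n for n, v in (("A", a), ("B", b)) if v is None]
        return False, "stateful failover not enabled on: " + ", ".join(missing)
    if a != b:
        return False, "keyword mismatch: A=%s, B=%s" % (a, b)
    return True, "both devices use %s (%s)" % (a, MODE[a])


# Constructed sample configuration excerpts (not taken from the guide).
FIREWALL_A = "sysname FirewallA\n dhbk enable backup-type symmetric-path\n"
FIREWALL_B = "sysname FirewallB\n dhbk enable backup-type dissymmetric-path\n"

if __name__ == "__main__":
    print(check_pair(FIREWALL_A, FIREWALL_B))   # mismatched keywords
    print(check_pair(FIREWALL_A, FIREWALL_A))   # matching keywords
```
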
To enable stateful failover: