HA Modes
You can set up the firewalls for HA in one of two modes:
Active/Passive— One firewall actively manages traffic
while the other is synchronized and ready to transition to the active
state, should a failure occur. In this mode, both firewalls share
the same configuration settings, and one actively manages traffic
until a path, link, system, or network failure occurs. When the
active firewall fails, the passive firewall transitions to the active
state and takes over seamlessly and enforces the same policies to maintain
network security. Active/passive HA is supported in the virtual
wire, Layer 2, and Layer 3 deployments.
Active/Active— Both firewalls in the pair are active
and processing traffic and work synchronously to handle session
setup and session ownership. Both firewalls individually maintain
session tables and routing tables and synchronize to each other.
Active/active HA is supported in virtual wire and Layer 3 deployments.
In
active/active HA mode, the firewall does not support DHCP client. Furthermore,
only the active-primary firewall can function as a
DHCP Relay. If the active-secondary firewall
receives DHCP broadcast packets, it drops them.
An active/active
configuration does not load-balance traffic. Although you can load-share
by sending traffic to the peer, no load balancing occurs. Ways to
load share sessions to both firewalls include using ECMP, multiple
ISPs, and load balancers.
When deciding whether to use active/passive or active/active
mode, consider the following differences:
Active/passive mode has simplicity of design; it is significantly easier
to troubleshoot routing and traffic flow issues in active/passive
mode. Active/passive mode supports a Layer 2 deployment; active/active
mode does not.
Active/active mode requires advanced design concepts that
can result in more complex networks. Depending on how you implement
active/active HA, it might require additional configuration such
as activating networking protocols on both firewalls, replicating
NAT pools, and deploying floating IP addresses to provide proper
failover. Because both firewalls are actively processing traffic, the
firewalls use additional concepts of session owner and session setup
to perform Layer 7 content inspection. Active/active mode is recommended
if each firewall needs its own routing instances and you require
full, real-time redundancy out of both firewalls all the time. Active/active
mode has faster failover and can handle peak traffic flows better
than active/passive mode because both firewalls are actively processing
traffic.
In active/active mode, the
HA pair can be used to temporarily process more traffic than what
one firewall can normally handle. However, this should not be the
norm because a failure of one firewall causes all traffic to be
redirected to the remaining firewall in the HA pair. Your design must
allow the remaining firewall to process the maximum capacity of
your traffic loads with content inspection enabled. If the design
oversubscribes the capacity of the remaining firewall, high latency
and/or application failure can occur.