
Configuration Consistency Check

The configuration consistency check function is used to check whether the key configurations of the two FWs that form a hot standby group are the same.

The configuration consistency check can be triggered in either of the following ways:

Table 1 lists the items of the configuration consistency check.

Table 1 Checklist of the configuration consistency between the active and standby devices

Configuration Name

Description

Policy configuration

Check whether the configurations of audit, authentication, NAT, security, and traffic policies on the active and standby devices are the same. For objects referenced in a policy rule, such as the address, service, application, domain group, region, and content security profile, only the object name is checked and the configuration of the referenced object is not checked.

Address set configuration

Check whether the address set configurations on the active and standby devices are the same based on address set names (the address sets bound to VPN instances are not checked).

Service set configuration

Check whether the service set configurations on the active and standby devices are the same based on service set names (the service sets bound to VPN instances are not checked).

ACL configuration

Check whether the IPv4 ACL or IPv6 ACL configurations on the active and standby devices are the same based on IPv4 ACL or IPv6 ACL numbers (the ACLs referenced by other modules are not checked).

HRP configuration

Check whether HRP-related configurations on the active and standby devices are consistent. The following differences are allowed between the active and standby devices and are excluded from the consistency comparison:

  • Only one device is configured with the hrp standby-device command.
  • Only one device is configured with the hrp remote standby-device command.
  • The IP addresses specified in the hrp interface, hrp track bgp, and hrp track ospf commands are inconsistent.

Interface configuration

Check whether the interface configurations on the active and standby devices are consistent:
  • Whether interfaces are consistent: The active and standby devices are considered inconsistent if their interface configurations differ (the interface alias is not checked).
  • Whether the number of VRRP groups configured on the same interfaces is consistent
  • Whether the number of IPv4 addresses configured on the same interfaces is consistent
  • Whether an IPSec policy applies to the same interfaces: Check whether the IPSec policy is applied to the interfaces. The contents of the IPSec policy are not checked.
  • Whether the ospf network-type configuration on the same interfaces is consistent

Security zone configuration

Check whether the security zone configurations on the active and standby devices are the same based on security zone IDs.

Static route configuration

Check whether the network segments and masks of the static routes on the active and standby FWs are consistent. The next-hop addresses and outbound interfaces of the static routes are not checked.

OSPF configuration

Check whether the OSPF process configurations on the active and standby devices are consistent based on OSPF process IDs:
  • Whether the number of Networks in each OSPF process is consistent
  • Whether each OSPF process imports direct routes
  • Whether each OSPF process imports static routes
  • Whether each OSPF process advertises default routes

BGP configuration

Check whether BGP is configured on the active and standby FWs. The BGP configurations are not checked.

License configuration

Check whether the license configurations on the active and standby devices are consistent:

  • License status on the active and standby FWs, which can be activated, inactivated, invalid, or emergency
  • Types of license control items on the active and standby FWs
  • License resource quantity on the active and standby FWs
  • Expiration date of antivirus, intrusion prevention, and URL remote query servers on the active and standby FWs

Hash mode and hash gene

Check whether the hash modes and hash genes are the same on the active and standby devices.
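The static route row in Table 1 compares only network segments and masks, so two devices whose routes differ only in next hop or outbound interface pass that check. The Python sketch below is an added example, not Huawei code: it reproduces the segment-and-mask comparison and adds a second pass over the fields that comparison skips. The StaticRoute record, the function names, and the sample routes are constructed for illustration, and it assumes the routes have already been extracted from each device's configuration.

```python
import ipaddress
from typing import NamedTuple, Optional

class StaticRoute(NamedTuple):
    dest: str                # destination network segment
    mask: str                # dotted-decimal mask
    next_hop: Optional[str]  # skipped by the segment/mask comparison
    out_if: Optional[str]    # skipped by the segment/mask comparison

def _index(routes):
    """Map each prefix to the set of (next hop, outbound interface) pairs."""
    idx = {}
    for r in routes:
        # strict=False: normalising host bits is this example's own choice
        prefix = ipaddress.ip_network(f"{r.dest}/{r.mask}", strict=False)
        idx.setdefault(prefix, set()).add((r.next_hop, r.out_if))
    return idx

def prefix_mismatch(active, standby):
    """Prefixes present on only one device (the segment/mask comparison)."""
    a, s = _index(active), _index(standby)
    return sorted(a.keys() ^ s.keys())

def forwarding_mismatch(active, standby):
    """Prefixes on both devices whose next hop or outbound interface differs."""
    a, s = _index(active), _index(standby)
    return {p: (a[p], s[p]) for p in sorted(a.keys() & s.keys()) if a[p] != s[p]}

# Constructed sample data (documentation address ranges, not from a real device)
ACTIVE = [
    StaticRoute("10.10.0.0", "255.255.0.0", "192.0.2.1", None),
    StaticRoute("10.20.0.0", "255.255.0.0", "192.0.2.1", None),
    StaticRoute("10.30.0.0", "255.255.255.0", "192.0.2.1", None),
]
STANDBY = [
    StaticRoute("10.10.0.0", "255.255.0.0", "192.0.2.1", None),
    StaticRoute("10.20.0.0", "255.255.0.0", "192.0.2.254", None),  # next hop differs
    StaticRoute("10.30.0.0", "255.255.0.0", "192.0.2.1", None),    # mask differs
]

if __name__ == "__main__":
    print("segment/mask differences:", [str(p) for p in prefix_mismatch(ACTIVE, STANDBY)])
    for prefix, (act, stb) in forwarding_mismatch(ACTIVE, STANDBY).items():
        print(f"review {prefix}: active={sorted(act, key=str)} standby={sorted(stb, key=str)}")
```

Entries returned by forwarding_mismatch are items to review rather than errors, since the two devices may intentionally use different next hops.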

Copyright © Huawei Technologies Co., Ltd.