
FAQs on Configurations

Must I Set a Physical IP Address for the Uplink or Downlink Interface After I Set the Virtual IP Address of the VRRP Group on the Interface?

Yes. You must set a physical IP address for the interface before you set the virtual IP address of the VRRP group on the interface. The physical IP address and the virtual address of an IPv4 VRRP group can reside on the same network segment or on different network segments. However, the physical IP address and the virtual address of an IPv6 VRRP group must reside on the same network segment.

Why Does the Active Firewall Require a Longer Preemption Delay Than That on the Standby Firewall?

Preemption starts after the original active firewall recovers. If the preemption delay of the active firewall is too short compared with that on the standby firewall, the active firewall may switch status before the session entries on the standby firewall are completely synchronized to the active firewall. As a result, some services may be interrupted. Therefore, the active firewall requires a longer preemption delay.

Preemption does not start after the standby firewall recovers. Therefore, preemption delay is meaningless for the standby firewall and you can use the default preemption delay.

Does a Long Preemption Delay for the Active Firewall Affect the Failure Response Speed?

No. When the active firewall fails, services are immediately switched to the standby firewall. After the original active firewall recovers, it must wait for the preemption delay before preempting. During this period, the standby firewall continues to process services. Therefore, the long preemption delay of the active firewall does not affect the failure response speed.

How Does the Adjustment to the VGMP Hello Interval Affect the Network?

VGMP Hello packets are known as heartbeat packets and are used to check the operating status of the active and standby firewalls. If the standby VGMP group does not receive any VGMP Hello packet from the peer within five consecutive Hello intervals, the standby VGMP group considers that the peer has failed and switches to the active state. Therefore, a short VGMP Hello interval improves the failure response speed of the firewall.

However, if the interval is too short, the hot standby status may become unstable. When the CPU is overloaded, the task of sending VGMP Hello packets cannot be scheduled, resulting in a false switchover. Therefore, the default value, 1 second, is recommended.
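The trade-off described above can be reproduced with a small simulation. This is an added example, not vendor code: it assumes a simplified model in which the standby switches over as soon as five Hello intervals pass without a Hello, and the 3-second CPU stall and all timestamps (in milliseconds) are constructed.

```python
# Simplified model (assumption): the standby declares the peer failed once
# five Hello intervals elapse without any VGMP Hello being received.
MISSED_INTERVALS = 5


def hello_arrivals(interval, duration, stalls=(), fail_at=None):
    """Constructed Hello arrival times (ms) as seen by the standby.

    stalls:  (start, end) windows in which the active firewall's CPU is too
             busy to schedule the Hello-sending task.
    fail_at: time at which the active firewall really fails, or None.
    """
    times = []
    for t in range(0, duration + 1, interval):
        if fail_at is not None and t >= fail_at:
            break  # a failed firewall sends nothing more
        if any(start <= t < end for start, end in stalls):
            continue  # Hello not sent during the overload window
        times.append(t)
    return times


def switchover_time(arrivals, interval, duration):
    """Return the time (ms) at which the standby goes active, or None."""
    hold = MISSED_INTERVALS * interval
    last = arrivals[0]
    # The end of the observation window acts as a final checkpoint.
    for t in arrivals[1:] + [duration]:
        if t - last > hold:
            return last + hold
        last = t
    return None


if __name__ == "__main__":
    stall = [(10_000, 13_000)]  # constructed 3 s CPU overload, peer is healthy
    for interval in (1000, 500):
        false_sw = switchover_time(
            hello_arrivals(interval, 20_000, stalls=stall), interval, 20_000)
        real_sw = switchover_time(
            hello_arrivals(interval, 20_000, fail_at=10_000), interval, 20_000)
        print(f"hello={interval} ms: false switchover at {false_sw}, "
              f"real failure at 10000 detected at {real_sw}")
```

With the constructed stall, the 1-second interval rides through the overload while the 500 ms interval switches over even though the peer is healthy; the cost of the longer interval is a later reaction to a real failure.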

What Should I Pay Attention to When Configuring IPSec VPN in Hot Standby Networking?

  • The service interfaces (including VLANIFs) connecting the firewall to upstream and downstream devices must work at Layer 3.
  • Before configuring IPSec VPN, you must establish the hot standby status. The IPSec policy configured on the active firewall will be automatically synchronized to the standby one. On the standby firewall, you only need to apply the synchronized IPSec policy to the outgoing interface.
  • If the firewall serves as the initiator of the IPSec tunnel, you must run the tunnel local ip-address command to specify the virtual IP address of the VRRP group as the IP address for IPSec negotiation.
  • Configure DPD to delete the tunnel that has been established on the original active firewall after an active/standby switchover to prevent packet loss.
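The tunnel local requirement above is easy to get wrong, because the interface's physical address also looks plausible as the negotiation address. The following added example (not vendor tooling) checks a saved configuration for IPSec policies whose tunnel local address is missing or is not a VRRP virtual IP address; the configuration excerpt is constructed, its command layout is an assumption, and the function name check_tunnel_local is hypothetical.

```python
import re

# Constructed configuration excerpt. The command layout is assumed for
# illustration; addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ip address 192.0.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.0.2.1 active
 ipsec policy map1
#
ipsec policy map1 10 isakmp
 tunnel local 192.0.2.2
#
ipsec policy map2 10 isakmp
 tunnel local 192.0.2.1
#
ipsec policy map3 10 isakmp
 ike-peer branch
"""


def check_tunnel_local(config):
    """Return {policy name: problem} for policies that violate the rule."""
    # Every virtual IP address configured for a VRRP group on any interface.
    vips = set(re.findall(r"^\s+vrrp vrid \d+ virtual-ip (\S+)", config, re.M))
    status = {}
    policy = None
    for line in config.splitlines():
        header = re.match(r"ipsec policy (\S+) \d+", line)
        if header:  # start of a policy view (not the apply line on an interface)
            policy = header.group(1)
            status[policy] = "tunnel local not set"
        elif not line.startswith(" "):
            policy = None  # left the policy view
        elif policy:
            local = re.match(r"\s+tunnel local (\S+)", line)
            if local:
                addr = local.group(1)
                status[policy] = (None if addr in vips else
                                  f"tunnel local {addr} is not a VRRP virtual IP")
    return {name: problem for name, problem in status.items() if problem}


if __name__ == "__main__":
    for name, problem in check_tunnel_local(SAMPLE_CONFIG).items():
        print(f"{name}: {problem}")
```

A policy with no tunnel local line is only a problem when the firewall initiates the tunnel, so treat that finding as a prompt to check the firewall's role.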

Must the Heartbeat Interfaces Be Directly Connected?

No. The heartbeat interfaces can be connected either directly or through intermediate devices, such as switches or routers. Direct connection between the heartbeat interfaces is recommended.

Is Security Policy Required to Permit Packets Between the Local Zone and the Zone Where the Heartbeat Interface Resides?

Not required.

Can Configuration Changes Made on the Standby Device That Takes Over Services After the Active Device Is Faulty Be Automatically Synchronized to the Active Device?

  • If only the interface or link of the active device is faulty, the integrated device is not restarted or powered off, and the heartbeat interface is normal, configuration changes on the standby device that can be backed up are synchronized to the active device in real time.
  • If the active device is restarted or powered off, configurations are automatically synchronized from the standby device after the active device recovers from the fault and is restarted. That is, in this scenario, configuration changes on the standby device can also be synchronized to the active device.

    The configuration can be automatically synchronized after restart only after you run the hrp base config enable command to enable the corresponding function. If the function is disabled, the configuration is not automatically synchronized from the standby device after the active device is restarted.

In an Active/Standby Hot Standby System in Transparent Mode, Can We Directly Connect the Same Layer 2 Interfaces on the Two Firewalls, Add Them to the Same VLAN, and Configure the hrp track vlan vlan-id Command?

No. If you do so, the active/standby switchover will be performed frequently once the directly connected Layer 2 interface on one firewall goes Down.

In Hot Standby Networking, When the save Command Is Run on One Device, Does the System Always Ask You Whether to Synchronically Save the Configuration to the Peer Device?

Not always. The "Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?" message is displayed only when either of the following conditions is met:

  • The device where the save command is run is a configuration active device.
  • The device where the save command is run is not a configuration active device but has the hrp standby config enable command configured.
Copyright © Huawei Technologies Co., Ltd.