On load balancing networks, the two FWs are active. Therefore, if both FWs synchronize commands to each other, command overwrite or conflict problems may occur. To centrally manage the configurations of the two FWs, you need to configure the designated active and standby devices.
On load balancing networks, the sender of the configuration backup command is the designated active device (identified by HRP_M), and the receiver is the designated standby device (identified by HRP_S).
Configuration commands can be synchronized only from the designated active device to the designated standby device, and status information is mutually backed up between the two devices.
On load balancing networks, the FW whose sysname has the smaller ASCII (American Standard Code for Information Interchange) character value is the designated active device. For example, when FW_A and FW_B share load, FW_A is the designated active device. If the device names (sysname) are the same, the FW with a smaller clock is the designated active device and the FW with a larger clock is the designated standby device when the hrp enable command is executed.
The active firewall periodically sends VRRP advertisement messages. The source MAC address of these packets is the virtual MAC address of the VRRP group. The upstream and downstream Layer-2 devices learn the port mapped to the virtual MAC address through the VRRP advertisement messages.
To forward packets, upstream and downstream Layer-3 devices look up the routing table for the next hop, that is, the virtual IP address of the VRRP group. Then the devices look up the ARP table for the MAC address of the virtual IP address. If no match is found, the devices broadcast an ARP request. Only the active firewall responds to ARP requests.
In the ARP reply, the source MAC address in the Ethernet header is the virtual MAC address of the VRRP group. Upstream and downstream Layer-3 devices learn the virtual MAC address mapped to the virtual IP address through the ARP reply.
Upstream and downstream devices use the virtual MAC address as the destination MAC address when sending packets to the firewall.
hrp auto-sync automatically synchronizes all subsequent configurations and status entries to the standby firewall. hrp auto-sync is enabled by default. The command does not synchronize existing configurations and status entries.
hrp sync immediately synchronizes the existing configurations and status entries from the active firewall to the standby firewall. The command takes effect immediately and does not affect subsequent configurations and status entries.
If the hrp track interface command is used to configure a VGMP group to track the status of an Eth-Trunk interface, the VGMP group priority is reduced by 2 x number of faulty member interfaces by default if some Trunk member interfaces become faulty. If all Trunk member interfaces become faulty, the VGMP group priority is reduced by 2 x (1 + number of member interfaces).
After the undo hrp track trunk-member enable command is used to disable HRP from tracking Eth-Trunk member interfaces, the VGMP group priority is not reduced when some member interfaces become faulty. If all member interfaces become faulty, the VGMP group priority is reduced by 2 x number of member interfaces.
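The two reduction rules above, worked through for a single tracked Eth-Trunk. This is an added example, not vendor code; the EthTrunk class, the function names and the interface name Eth-Trunk1 are constructed for illustration.

```python
"""VGMP priority reduction for one tracked Eth-Trunk (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EthTrunk:
    name: str      # constructed interface name
    members: int   # total member interfaces in the trunk
    faulty: int    # member interfaces that are currently faulty

    def __post_init__(self):
        # Reject states that cannot exist on a real trunk.
        if self.members < 1 or not 0 <= self.faulty <= self.members:
            raise ValueError(f"{self.name}: invalid member counts")


def priority_reduction(trunk: EthTrunk, track_members: bool = True) -> int:
    """Return how much the VGMP group priority drops for this trunk.

    track_members=True  models the default behaviour.
    track_members=False models 'undo hrp track trunk-member enable'.
    """
    all_faulty = trunk.faulty == trunk.members
    if track_members:
        # Partial failure: 2 per faulty member. Total failure: 2 x (1 + members).
        return 2 * (1 + trunk.members) if all_faulty else 2 * trunk.faulty
    # Member tracking disabled: only a fully failed trunk lowers the priority.
    return 2 * trunk.members if all_faulty else 0


def reduction_table(members: int, name: str = "Eth-Trunk1"):
    """Rows of (faulty, reduction_default, reduction_tracking_disabled)."""
    rows = []
    for faulty in range(members + 1):
        trunk = EthTrunk(name, members, faulty)
        rows.append((faulty,
                     priority_reduction(trunk, True),
                     priority_reduction(trunk, False)))
    return rows


if __name__ == "__main__":
    print("faulty  default  tracking-disabled")
    for faulty, default, disabled in reduction_table(4):
        print(f"{faulty:>6}  {default:>7}  {disabled:>17}")
```

For a four-member trunk the default mode steps 0, 2, 4, 6 and then jumps to 10 when the last member fails, while the tracking-disabled mode stays at 0 until the whole trunk is down and then drops by 8.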
You cannot specify the VRID in Easy IP implementation. In normal cases, the active firewall uses the IP address of its outgoing interface as the public address to set up sessions. After active/standby switchover, the standby firewall also uses the IP address of its outgoing interface as the public address. In this case, the sessions synchronized from the active firewall do not match the IP address of the outgoing interface on the standby firewall. As a result, services are interrupted.