hrp configuration auto-check enable

Function

The hrp configuration auto-check enable command enables auto-check for active/standby configuration consistency.

The undo hrp configuration auto-check enable command disables auto-check for active/standby configuration consistency.

Format

hrp configuration auto-check enable

undo hrp configuration auto-check enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the auto-check for active/standby configuration consistency function is enabled.

Usage Scenario

In hot standby networking, most configurations can be backed up, such as security policies and NAT policies. Normally, when these configurations are modified on one device, the modification will be synchronized to the other device. If the heartbeat link becomes faulty or a device is powered off, the configuration modification on one device cannot be synchronized to the other device, causing configuration inconsistency on the active and standby devices.

Some configurations cannot be backed up, such as the configurations, dynamic routes, hash modes, and hash genes of interfaces. After the device runs for a specific period, if the configurations that cannot be backed up are performed on or deleted from one device but are not synchronized to or deleted from the other device, the configurations of the active and standby devices are not consistent.

In case of inconsistency configurations on the active and standby devices, when services are switched to the standby device due to a fault in the active device, services will not operate properly due to the excess or absence of some configurations.

To prevent such a problem, you are advised to enable auto-check for active/standby configuration consistency on the FW so that configuration consistency is checked on a regular basis.

Configuration Impact

This command can be automatically synchronized to the standby device. You only need to configure this command on the active device.

Auto-check is performed only on the active device. After an active/standby switchover is performed, the new active device continues to check configuration consistency.

In case of configuration inconsistency between the active and standby FWs, the active FW will generate alarms ( HRPI_1.3.6.1.4.1.2011.6.122.51.2.2.4 hwHrpCochk) and log (HRPI/4/COCHK) to notify users of the inconsistency.

If the function of sending an alarm on the configuration inconsistency between the active and standby devices is not enabled, no alarm is sent even if the configurations of the active and standby FWs are inconsistent. To enable the function of sending an alarm on the configuration inconsistency between the active and standby devices, run the hrp configuration auto-check warning enable command.

Table 1 lists the items of the check on the configuration consistency between the active and standby devices.

**Table 1** Checklist of the configuration consistency between the active and standby devices
Configuration Name	Description
Policy configuration	Check whether the configurations of audit, authentication, NAT, security, and traffic policies on the active and standby devices are the same. For objects referenced in a policy rule, such as the address, service, application, domain group, region, and content security profile, only the object name is checked and the configuration of the referenced object is not checked.
Address set configuration	Check whether the address set configurations on the active and standby devices are the same based on address set names (the address sets bound to VPN instances are not checked).
Service set configuration	Check whether the service set configurations on the active and standby devices are the same based on service set names (the service sets bound to VPN instances are not checked).
ACL configuration	Check whether the IPv4 ACL or IPv6 ACL configurations on the active and standby devices are the same based on IPv4 ACL or IPv6 ACL numbers (the ACLs referenced by other modules are not checked).
HRP configuration	Check whether HRP-related configurations on the active and standby devices are consistent. The following configurations that are allowed to be inconsistent on the active and standby devices are not included in the consistency comparison range. Only one device is configured with the hrp standby-device command. Only one device is configured with the hrp remote standby-device command. The IP addresses specified in the hrp interface, hrp track bgp, and hrp track ospf commands are inconsistent.
Interface configuration	Check whether the interface configurations on the active and standby devices are consistent: Whether interfaces are consistent: The configurations on the active and standby devices are considered inconsistent as long as the interface configurations are different (the interface alias is not checked). Whether the number of VRRP groups configured on the same interfaces is consistent Whether the number of IPv4 addresses configured on the same interfaces is consistent Whether an IPSec policy applies to the same interfaces: Check whether the IPSec policy is applied to the interfaces. The contents of the IPSec policy are not checked. Whether the ospf network-type configuration on the same interfaces is consistent
Security zone configuration	Check whether the security zone configurations on the active and standby devices are the same based on security zone IDs.
Static route configuration	Check whether the network segments and masks of the static routes on the active and standby FWs are consistent. The next-hop addresses and outbound interfaces of the static routes are not checked.
OSPF configuration	Check whether the OSPF process configurations on the active and standby devices are consistent based on OSPF process IDs: Whether the number of Networks in each OSPF process is consistent Whether each OSPF process imports direct routes Whether each OSPF process imports static routes Whether each OSPF process advertises default routes
BGP configuration	Check whether BGP is configured on the active and standby FWs. The BGP configurations are not checked.
License configuration	Check whether the license configurations on the active and standby devices are consistent: License status on the active and standby FWs, which can be activated, inactivated, invalid, or emergency Types of license control items on the active and standby FWs License resource quantity on the active and standby FWs Expiration date of antivirus, intrusion prevention, and URL remote query servers on the active and standby FWs
Hash mode and hash gene	Check whether the hash modes and hash genes are the same on the active and standby devices.

Follow-up Procedure

In case of configuration inconsistency between the active/standby devices, locate the module based on the module name included in the generated alarm or log information, check the configuration of the module on the active and standby devices, and run the hrp sync command to implement batch backup or manually change the module configurations to be consistent.

In addition to periodic check for active/standby configuration check, you can also run the hrp configuration check command to check configuration consistency in real time.

Precaution

The packets used for checking active/standby configuration consistency are sent over the heartbeat interface. Ensure that the heartbeat interfaces have been correct configured and can communicate. Otherwise, the consistency check does not take effect.

A large number of policies, address sets, service sets, IPv4 ACLs, IPv6 ACLs, interfaces, security zones, and OSPF processes are allowed to be configured. To prevent excessive system resources from affecting device performance, the system compares only the first 20 differences between the active and standby devices. Resolve the differences and then check other differences until the configurations on the two devices are the same.

Example

# Enable auto-check for active/standby configuration consistency on the FW.

HRP_M<sysname> system-view
HRP_M[sysname] hrp configuration auto-check enable