
hrp configuration check

Function

The hrp configuration check command enables the function of checking the configuration consistency between the active FW and the standby FW.

The undo hrp configuration check command disables the function of checking the configuration consistency between the active FW and the standby FW.

Format

hrp configuration check all

hrp configuration check { acl | acl6 | address-set | audit-policy | auth-policy | bgp | hrp | hash | interface | license | nat-policy | ospf | security-policy | service-set | static-route | traffic-policy | zone } [ verbose ]

undo hrp configuration check

Parameters

| Parameter | Description | Value |
|---|---|---|
| all | Checks the configuration consistency on both sides. | - |
| acl | Checks the configuration consistency of the IPv4 ACLs on both sides. | - |
| acl6 | Checks the configuration consistency of the IPv6 ACLs on both sides. | - |
| address-set | Checks the configuration consistency of the address set on both sides. | - |
| audit-policy | Checks the configuration consistency of the audit policy on both sides. | - |
| auth-policy | Checks the configuration consistency of the authentication policy on both sides. | - |
| bgp | Checks the configuration consistency of the BGP on both sides. | - |
| hrp | Checks the configuration consistency of the HRP on both sides. | - |
| hash | Checks the configuration consistency of the hash mode and hash gene for the next startup on both sides. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. | - |
| interface | Checks the configuration consistency of the interface on both sides. | - |
| license | Checks the configuration consistency of the license on both sides. | - |
| nat-policy | Checks the configuration consistency of the NAT policy on both sides. | - |
| ospf | Checks the configuration consistency of the OSPF on both sides. | - |
| security-policy | Checks the configuration consistency of the security policy on both sides. | - |
| service-set | Checks the configuration consistency of the service set on both sides. | - |
| static-route | Checks the configuration consistency of the static route on both sides. | - |
| traffic-policy | Checks the configuration consistency of the traffic policy on both sides. | - |
| zone | Checks the configuration consistency of the security zone on both sides. | - |
| verbose | Checks the detailed configuration consistency on both sides. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In hot standby networking, most configurations can be backed up, such as security policies and NAT policies. Normally, when these configurations are modified on one device, the modification will be synchronized to the other device. If the heartbeat link becomes faulty or a device is powered off, the configuration modification on one device cannot be synchronized to the other device, causing configuration inconsistency on the active and standby devices.

Some configurations cannot be backed up, such as the configurations of interfaces, dynamic routes, hash modes, and hash genes. After the devices have run for a period of time, if such a configuration is added to or deleted from one device but the same change is not made on the other device, the configurations of the active and standby devices become inconsistent.

If the configurations on the active and standby devices are inconsistent, services will not operate properly after they are switched to the standby device due to a fault in the active device, because some configurations are excess or absent.

Manually checking the configuration consistency between the active and standby FWs is inconvenient and error-prone. You can run the hrp configuration check command to check the configuration consistency between the FWs.

Configuration Impact

In case of configuration inconsistency between the active and standby FWs, after you run the hrp configuration check command, the active FW will generate an alarm (HRPI_1.3.6.1.4.1.2011.6.122.51.2.2.4 hwHrpCochk) and a log (HRPI/4/COCHK) to notify users of the inconsistency.

You can run the display hrp configuration check command to view the consistency check results.

Table 1 lists the items of the check on the configuration consistency between the active and standby devices.

Table 1 Checklist of the configuration consistency between the active and standby devices

Configuration Name

Description

Policy configuration

Check whether the configurations of audit, authentication, NAT, security, and traffic policies on the active and standby devices are the same. For objects referenced in a policy rule, such as the address, service, application, domain group, region, and content security profile, only the object name is checked and the configuration of the referenced object is not checked.

Address set configuration

Check whether the address set configurations on the active and standby devices are the same based on address set names (the address sets bound to VPN instances are not checked).

Service set configuration

Check whether the service set configurations on the active and standby devices are the same based on service set names (the service sets bound to VPN instances are not checked).

ACL configuration

Check whether the IPv4 ACL or IPv6 ACL configurations on the active and standby devices are the same based on IPv4 ACL or IPv6 ACL numbers (the ACLs referenced by other modules are not checked).

HRP configuration

Check whether HRP-related configurations on the active and standby devices are consistent. The following configurations are allowed to differ between the active and standby devices and are excluded from the consistency comparison:

  • Only one device is configured with the hrp standby-device command.
  • Only one device is configured with the hrp remote standby-device command.
  • The IP addresses specified in the hrp interface, hrp track bgp, and hrp track ospf commands are inconsistent.

Interface configuration

Check whether the interface configurations on the active and standby devices are consistent:
  • Whether interfaces are consistent: The configurations on the active and standby devices are considered inconsistent as long as the interface configurations are different (the interface alias is not checked).
  • Whether the number of VRRP groups configured on the same interfaces is consistent
  • Whether the number of IPv4 addresses configured on the same interfaces is consistent
  • Whether an IPSec policy applies to the same interfaces: Check whether the IPSec policy is applied to the interfaces. The contents of the IPSec policy are not checked.
  • Whether the ospf network-type configuration on the same interfaces is consistent

Security zone configuration

Check whether the security zone configurations on the active and standby devices are the same based on security zone IDs.

Static route configuration

Check whether the network segments and masks of the static routes on the active and standby FWs are consistent. The next-hop addresses and outbound interfaces of the static routes are not checked.

OSPF configuration

Check whether the OSPF process configurations on the active and standby devices are consistent based on OSPF process IDs:
  • Whether the number of Networks in each OSPF process is consistent
  • Whether each OSPF process imports direct routes
  • Whether each OSPF process imports static routes
  • Whether each OSPF process advertises default routes

BGP configuration

Check whether BGP is configured on the active and standby FWs. The BGP configurations are not checked.

License configuration

Check whether the license configurations on the active and standby devices are consistent:

  • License status on the active and standby FWs, which can be activated, inactivated, invalid, or emergency
  • Types of license control items on the active and standby FWs
  • License resource quantity on the active and standby FWs
  • Expiration date of antivirus, intrusion prevention, and URL remote query servers on the active and standby FWs

Hash mode and hash gene

Check whether the hash modes and hash genes are the same on the active and standby devices.
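
The static route row of Table 1 states that next-hop addresses and outbound interfaces are not checked, so a difference in next hop alone falls outside the comparison. The following added example (not Huawei code) compares the ip route-static lines of two saved configurations offline and separates the differences Table 1 covers from those it does not. The sample configurations are constructed, and routes bound to a vpn-instance are skipped as an assumption of this sketch.

```python
import ipaddress

# Constructed sample excerpts of saved configurations (not from the page).
ACTIVE_CFG = """\
ip route-static 10.10.0.0 255.255.0.0 192.0.2.1
ip route-static 10.20.0.0 24 192.0.2.1
ip route-static 10.30.0.0 255.255.255.0 GigabitEthernet0/0/1 192.0.2.9
"""
STANDBY_CFG = """\
ip route-static 10.10.0.0 255.255.0.0 192.0.2.1
ip route-static 10.20.0.0 255.255.255.0 198.51.100.1
ip route-static 10.40.0.0 255.255.255.0 192.0.2.1
"""

def parse_static_routes(config_text):
    """Map each destination prefix to the set of its forwarding targets."""
    routes = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "route-static"] or len(tokens) < 5:
            continue
        if tokens[2] == "vpn-instance":  # out of scope for this sketch
            continue
        # The mask may be dotted (255.255.255.0) or a prefix length (24).
        prefix = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
        # Everything after the mask: next hop, outbound interface, options.
        routes.setdefault(prefix, set()).add(" ".join(tokens[4:]))
    return routes

def compare_static_routes(active_text, standby_text):
    active = parse_static_routes(active_text)
    standby = parse_static_routes(standby_text)
    return {
        # Destination/mask mismatches: what Table 1 says the check compares.
        "only_on_active": sorted(str(p) for p in active.keys() - standby.keys()),
        "only_on_standby": sorted(str(p) for p in standby.keys() - active.keys()),
        # Same destination, different next hop or outbound interface:
        # outside the comparison described in Table 1.
        "target_mismatch": {
            str(p): (sorted(active[p]), sorted(standby[p]))
            for p in sorted(active.keys() & standby.keys())
            if active[p] != standby[p]
        },
    }

if __name__ == "__main__":
    for kind, detail in compare_static_routes(ACTIVE_CFG, STANDBY_CFG).items():
        print(kind, detail)
```
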

Follow-up Procedure

If the consistency check result shows that the configurations on the active and standby devices are inconsistent, identify the feature module and the configuration differences from the display hrp configuration check command output, or from the name of the feature module in the alarm or log. Check the configuration of that module on the active and standby devices, and then either run the hrp sync command to implement batch backup or manually change the module configurations to make them consistent.

In addition to running the hrp configuration check command to check the configuration consistency, you can run the hrp configuration auto-check command to enable the FW to automatically check the configuration consistency.

Precaution

The packets used for checking active/standby configuration consistency are sent over the heartbeat interface. Ensure that the heartbeat interfaces have been correctly configured and can communicate. Otherwise, the consistency check does not take effect.

A large number of policies, address sets, service sets, IPv4 ACLs, IPv6 ACLs, interfaces, security zones, and OSPF processes are allowed to be configured. To prevent the check from consuming excessive system resources and affecting device performance, the system compares only the first 20 differences between the active and standby devices. Resolve the differences and then check other differences until the configurations on the two devices are the same.

Example

# Check whether HRP configurations on the active and standby FWs are consistent.

HRP_M<sysname> system-view
HRP_M[sysname] hrp configuration check hrp
Copyright © Huawei Technologies Co., Ltd.