Precautions on Hot Standby Configuration
Before configuring hot standby, read the precautions.
Hardware Requirements
All models except the USG6510E/6510E-POE/6530E support hot standby. The two hot-standby FWs must meet the requirements in System Requirements for Hot Standby.
License Requirements
The hot standby function is not license-controlled.
Functions Mutually Exclusive with Hot Standby
Hot standby is mutually exclusive with the inter-DC cluster function. The two cannot be enabled at the same time.
Key Points of Configuring Interfaces for Hot Standby
- If the service interfaces of the FWs work at Layer 3, their IP addresses must be static. Hot standby therefore cannot be used together with features that obtain IP addresses automatically, such as PPPoE dialup and DHCP client.
- If the service interfaces of the FWs work at Layer 2, switch the interfaces to Layer 2 mode and add them to the same VLAN.
- The active and standby FWs must use interfaces with the same names as service interfaces and as heartbeat interfaces. For example, if the active device uses GigabitEthernet0/0/1 as the service interface and GigabitEthernet0/0/7 as the heartbeat interface, the standby device must also use these two interfaces for the same purposes.
- For the precautions on heartbeat interfaces, see Precautions for Configuring the Heartbeat Links and Interfaces.
Key Points of Configuring Security Zones for Hot Standby
- All service interfaces and heartbeat interfaces, whether they work at Layer 2 or Layer 3, must be added to security zones.
- Interfaces with the same name on the active and standby devices must be added to the same security zone. For example, if GigabitEthernet0/0/1 on the active device is in the Trust zone, GigabitEthernet0/0/1 on the standby device must also be in the Trust zone.
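The following configuration fragment is an added example, not taken from this page or from Huawei's own documentation, showing the interface and zone requirements above applied to both devices. The interface names and roles come from this page; the IP addresses, the choice of the DMZ zone for the heartbeat interface, and the exact syntax of the hrp interface command are assumptions. Lines starting with # are annotations, not VRP commands.

```text
# FW_A (active). FW_B (standby) uses the same interface names and the same zone
# assignments; only the IP addresses differ (shown in the annotations).
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0
# FW_B: ip address 10.1.1.3 255.255.255.0
interface GigabitEthernet0/0/7
 ip address 10.10.0.1 255.255.255.0
# FW_B: ip address 10.10.0.2 255.255.255.0
# Service interface: same name, same zone on both devices.
firewall zone trust
 add interface GigabitEthernet0/0/1
# Heartbeat interface: also must belong to a zone on both devices (DMZ is an assumption).
firewall zone dmz
 add interface GigabitEthernet0/0/7
# Heartbeat interface and peer address (assumed command syntax).
hrp interface GigabitEthernet0/0/7 remote 10.10.0.2
# FW_B: hrp interface GigabitEthernet0/0/7 remote 10.10.0.1
hrp enable
```

A quick check before enabling hot standby is to compare the output of display zone on both devices: every interface name must appear under the same zone on both, and the heartbeat interface must appear at all.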
Key Points of Configuring Security Policies for Hot Standby
- The active and standby devices exchange heartbeat, VGMP, configuration and entry backup, heartbeat link detection, and configuration consistency check packets over the heartbeat links. These packets are not subject to security policies, so no security policy is needed for them.
- When the service interfaces of the FWs work at Layer 3 and connect to switches, the FWs send gratuitous ARP packets to the switches. Gratuitous ARP packets are broadcast packets and are not subject to security policies, so no security policy is needed for them.
- When the service interfaces of the FWs work at Layer 3 and connect to routers, the FWs exchange OSPF and BGP packets with the routers. Whether OSPF and BGP packets are subject to security policies is controlled by the firewall packet-filter basic-protocol enable command, which is enabled by default. With the default setting, a security policy must be configured between the security zone of the upstream/downstream service interface and the Local zone to permit OSPF and BGP packets.
- When the service interfaces of the FWs work at Layer 2, OSPF packets between the upstream and downstream devices pass through the FW. Whether OSPF packets are subject to security policies is controlled by the firewall packet-filter basic-protocol enable command, which is enabled by default. With the default setting, a security policy must be configured between the security zone of the upstream service interface and the security zone of the downstream service interface to permit OSPF packets.
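The following security-policy fragment is an added example, not code from this page or from Huawei, covering the two cases above that need rules: the Layer 3 router-facing deployment (routing protocols terminated on the FW, so the rule pairs the service-interface zone with the Local zone) and the Layer 2 transparent deployment (OSPF transits the FW, so the rule pairs the upstream and downstream zones). The zone names untrust and trust, the rule names, and the use of the predefined services ospf and bgp are assumptions. Lines starting with # are annotations.

```text
security-policy
# Case 1: Layer 3 service interfaces connected to routers.
# OSPF and BGP run between the FW (Local zone) and the router in the untrust zone,
# in both directions, so both zones appear as source and destination.
 rule name permit_routing_with_router
  source-zone untrust local
  destination-zone untrust local
  service ospf bgp
  action permit
# Case 2: Layer 2 service interfaces.
# OSPF adjacencies form between the upstream router (untrust) and the downstream
# router (trust) through the FW; the FW itself is not an OSPF speaker here.
 rule name permit_ospf_transit
  source-zone untrust trust
  destination-zone untrust trust
  service ospf
  action permit
```

Keep the rules as narrow as the deployment allows: if only OSPF is used toward the router, drop bgp from the service list, and if the FW is the Layer 3 case, do not add the transit rule. Permitting these protocols explicitly is preferable to disabling firewall packet-filter basic-protocol enable, which would exempt all basic protocols from policy checks rather than just the ones the hot standby design requires.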
Key Points of Configuring VGMP Groups to Monitor Faults
As described in Fault Monitoring and Failover, VGMP groups can use multiple methods to monitor faults. Table 1 lists the suggestions on configuring VGMP groups to monitor faults in hot standby networking.
Table 1 Suggestions on configuring VGMP groups to monitor faults in hot standby networking

Typical hot standby networking: Service interfaces work at Layer 3 and connect to switches.
Fault monitoring method: -
Remarks:
- Generally, use either IP-Link or BFD to monitor remote interfaces.
- Hot standby interworks only with static BFD, not with dynamic BFD.

Typical hot standby networking: Service interfaces work at Layer 3 and connect to routers.
Fault monitoring method: -
Remarks:
- To ensure synchronous switchovers in the upstream and downstream directions, configure the VGMP group to interwork with at least one of IP-Link, BFD, OSPF, and BGP on the side connected to the router.
- Hot standby interworks only with static BFD, not with dynamic BFD.
- When the FW runs BGP with the upstream and downstream routers, ensure that the routers do not apply a routing policy based on an attribute that BGP evaluates before MED, such as AS_Path or Local Preference. If they do, the route selection will not change even though the FW adjusts the MED value during a switchover.
- On a broadcast network, two routers whose interface state is DROther do not form a full adjacency; they stay in the 2-way state. The FW triggers an active/standby switchover when it detects that the monitored OSPF neighbor state is not Full (2-way included). Therefore, if the state of the FW interface connecting to the neighbor is DROther, the monitored neighbor router must not be DROther as well.

Typical hot standby networking: Service interfaces work at Layer 3 and connect to an upstream router and a downstream switch.
Fault monitoring method: In the upstream direction, use the method for the networking where a router is connected; in the downstream direction, use the method for the networking where a switch is connected.
Remarks:
- To ensure synchronous switchovers in the upstream and downstream directions, configure the VGMP group to interwork with at least one of IP-Link, BFD, OSPF, and BGP on the side connected to the upstream router.

Typical hot standby networking: Service interfaces work at Layer 2 and connect to switches.
Fault monitoring method: Monitor local interfaces through VLANs.
Remarks: -

Typical hot standby networking: Service interfaces work at Layer 2 and connect to routers.
Fault monitoring method: Monitor local interfaces through VLANs.
Remarks: -
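The following fragment is an added example, not from this page or from Huawei, showing the two monitoring styles the table recommends: for a Layer 3 service interface toward a switch, VGMP tracks the local interface state and an IP-Link probe tracks reachability of the next hop; for Layer 2 service interfaces, VGMP tracks the service VLAN. The IP-Link name, the probed address, the VLAN ID, and the exact hrp track and ip-link command syntax are assumptions. Lines starting with # are annotations.

```text
# Layer 3 service interface connected to a switch.
# Local fault: the interface itself goes down.
hrp track interface GigabitEthernet0/0/1
# Remote fault: the next-hop device behind the switch stops answering.
# The IP-Link probe address is the gateway/core router beyond the switch (assumed 10.1.1.254).
ip-link check enable
ip-link name to_core
 destination 10.1.1.254 interface GigabitEthernet0/0/1 mode icmp
hrp track ip-link to_core
# Layer 2 service interfaces (transparent deployment).
# The VGMP group tracks the service VLAN, so a fault on any member interface lowers the priority.
hrp track vlan 10
```

Tracking only the local interface misses the case where the switch port stays up but the path beyond it is broken; that is why the table pairs local tracking with IP-Link or BFD toward the remote device in the Layer 3 cases.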
Key Points of Configuring the Backup Mode
- Automatic backup is enabled by default, and disabling it is not recommended. For details on backup, see Configuration Backup and Status Information Backup.
- If the configurations of the active and standby devices differ, clear the configuration on the standby device and run the hrp sync command on the active device to synchronize the configuration of the active device to the standby device.
- In networks where the forward and reverse paths differ, the forward and reverse packets of a flow pass through different FWs. If the sessions of the active device are not backed up to the standby device in time, the standby device discards the reverse packets because no session matches them. Quick session backup resolves this by synchronizing session information from the active device to the standby device more frequently, so that reverse packets match sessions on the standby device and services continue uninterrupted. The cost is higher CPU usage and higher bandwidth usage on the heartbeat interface, because sessions are backed up more often.
- A batch backup of the running configuration is triggered when two running FWs establish a hot standby relationship. Only the configurations executed after hot standby is enabled and before the hot standby relationship is established are backed up between the two FWs. This batch backup takes effect only in mirroring mode.
- Automatic backup of configuration commands is enabled by default. If the hot standby status is abnormal (for example, the heartbeat interface is down), configurations delivered on the active or standby device are cached locally. After the hot standby status recovers, the cached configurations are backed up to the peer device and overwrite the corresponding configurations there. Therefore, if you need to manually bring the configurations of the active and standby devices into line, follow the steps below. These operations may affect running services, so perform them with caution.
- In non-mirroring mode, disable automatic configuration backup, enable configuration on the standby device, and edit the configuration on the standby device until it matches the active device. Then disable configuration on the standby device and re-enable automatic configuration backup.
- In mirroring mode, isolate the standby device, disable hot standby on it (run the undo hrp enable command), and edit its configuration until it matches the active device. Then re-enable hot standby and reconnect the standby device.
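The following command sequences are an added example, not from this page or from Huawei, turning the backup-mode points above into concrete steps: enabling quick session backup for asymmetric paths, and the two manual consistency procedures (non-mirroring and mirroring mode). The commands undo hrp enable, hrp enable, and hrp sync appear on this page; the command names for quick session backup (hrp mirror session enable), for toggling automatic configuration backup (hrp auto-sync config), and for allowing configuration on the standby device (hrp standby config enable) are assumptions. Lines starting with # are annotations.

```text
# (a) Asymmetric forward/reverse paths: back up sessions immediately rather than on the
#     normal schedule, at the cost of heartbeat bandwidth and CPU. Run on the active device.
hrp mirror session enable

# (b) Non-mirroring mode: make the standby configuration match the active one by hand.
#     Run on the standby device. Do not leave auto-sync disabled longer than necessary.
undo hrp auto-sync config
hrp standby config enable
#   ... apply the configuration commands that bring the standby into line with the active ...
undo hrp standby config enable
hrp auto-sync config

# (c) Mirroring mode: physically or logically isolate the standby device first, then run
#     on the standby device.
undo hrp enable
#   ... apply the configuration commands that bring the standby into line with the active ...
hrp enable
#   ... reconnect the standby device to the network ...

# (d) When the standby may simply take the active device's configuration:
#     clear the standby configuration, then run on the active device:
hrp sync
```

Before any of (b) or (c), save the current configuration of both devices so that a mistaken overwrite after the hot standby status recovers can be rolled back; the cached-command behaviour described above means an edit made during a heartbeat outage is replayed to the peer, not discarded.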