
PRO 2040 Hardware Failover Whitepaper

Article By: Craig Langley, CSSA, and Director of Technical Operations

Hardware Failover Prevents Firewall and Network Downtime

Hardware Failover (HF) allows two identical SonicWALL PRO Series security appliances running SonicOS Enhanced to be configured to provide a reliable, continuous connection to the public Internet. In the event of the failure of the Primary SonicWALL, the Backup Firewall takes over to maintain a reliable connection between the protected network and the Internet.

How Hardware Failover Works

Hardware Failover requires one SonicWALL device configured as the Primary SonicWALL, and an identical SonicWALL device configured as the Backup SonicWALL. During normal operation, the Primary SonicWALL is in an Active state and the Backup SonicWALL in an Idle state. When a failure on the Primary SonicWALL occurs, the Backup SonicWALL transitions to Active mode and assumes the configuration and role of Primary. The failover applies to loss of functionality or network-layer connectivity on the Primary SonicWALL.

SonicWALL security appliance configuration is performed on only the Primary SonicWALL, with no need to perform any configuration on the Backup SonicWALL. The Backup SonicWALL contains a real-time mirrored configuration of the Primary SonicWALL via a dedicated Ethernet link. If the firmware configuration becomes corrupted on the Primary SonicWALL, the Backup SonicWALL automatically refreshes the Primary SonicWALL with the last-known-good copy of the configuration preferences.

The Primary and Backup SonicWALL appliances have unique MAC addresses and communicate via the X3 interface on the PRO 2040 series. The dedicated HF interface link transmits all synchronization information from the Primary SonicWALL to the Backup SonicWALL. There are two types of synchronization: incremental and complete. If the timestamps are in sync and a change is made on the Active unit, an incremental sync is pushed to the Idle unit. If the timestamps are out of sync and the Idle unit is available, a complete sync is pushed to the Idle unit. When incremental synchronization fails, a complete synchronization is automatically attempted.
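The synchronization rules above, modeled as a small simulation. This is an added example, not SonicWALL code: the class and method names, the integer counter standing in for the timestamp, the sample settings, and the "pending" result when the Idle unit is unreachable are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Unit:
    config: dict = field(default_factory=dict)
    stamp: int = 0          # assumed: counter standing in for the config timestamp
    reachable: bool = True  # state of the dedicated HF link to this unit

class HFPair:
    """Hypothetical model of Active -> Idle configuration synchronization."""

    def __init__(self):
        self.active, self.idle = Unit(), Unit()

    def _complete(self):
        if not self.idle.reachable:
            return "pending"  # assumed: nothing is pushed until the Idle unit returns
        self.idle.config = dict(self.active.config)  # full copy of the Active config
        self.idle.stamp = self.active.stamp
        return "complete"

    def _incremental(self, key, value):
        if not self.idle.reachable:
            raise ConnectionError("HF link down")
        self.idle.config[key] = value  # push only the changed setting
        self.idle.stamp = self.active.stamp

    def change(self, key, value):
        """Apply a change on the Active unit and return the sync type used."""
        in_sync = self.idle.stamp == self.active.stamp
        self.active.config[key] = value
        self.active.stamp += 1
        if not in_sync:
            return self._complete()
        try:
            self._incremental(key, value)
            return "incremental"
        except ConnectionError:
            return self._complete()  # failed incremental: complete sync is attempted

def run_scenario():
    """Constructed sequence: normal change, HF link outage, recovery."""
    pair = HFPair()
    results = [pair.change("nat_policy", "web-in")]
    pair.idle.reachable = False
    results.append(pair.change("vpn_peer", "site-b"))
    pair.idle.reachable = True
    results.append(pair.change("dhcp_scope", "lan"))
    return results, pair.idle.config == pair.active.config

if __name__ == "__main__":
    print(run_scenario())
```

In this model the third change goes out as a complete sync because the outage left the Idle unit's timestamp behind, and that sync also delivers the setting missed while the link was down.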

In practice, the switchover from Primary to Secondary is barely perceptible to network users, and VPN connections are maintained. The failover detection mechanism is configurable, and is based on the number of missed heartbeats, IP probe failure, or both. Failover for inbound traffic (Web, FTP, Mail, etc.) can be provided by creating NAT policies for both WAN subnets, as long as the DNS entries are pointing to both WAN IPs (Load Balancing). More and more ISPs support “Fast Flux” DNS to provide primary and secondary DNS paths, or rapid switching in the event of failover.

The LAN, WAN, and DMZ Zones on both firewalls share the same Ethernet switch, so provisions must be made to have separate switches for each Zone, or a single switch segmented to provide isolation between Zones.

Crash Detection

The Hardware Failover feature has a thorough self-diagnostic mechanism for both the Primary and Backup SonicWALL security appliances. The failover to the Backup SonicWALL occurs when critical services are affected, physical (or logical) link failure is detected on monitored interfaces, or when the SonicWALL loses power. The self-checking mechanism is managed by software diagnostics, which check the complete system integrity of the SonicWALL device. The diagnostics check internal system status, system process status, and both internal and external network connectivity. For example, if a network topology has three levels, then diagnostics are performed on the router/switch/hub connectivity on the first, second, and third level. There is a weighting mechanism on both sides to decide which side has better connectivity, used to avoid potential failover looping. Critical internal system processes such as NAT, VPN, and DHCP (among others) are checked in real time. The failing service is isolated as early as possible, and the failover mechanism repairs it automatically.

License Sharing Makes HF Affordable

Two identical firewalls with Support and SonicOS Enhanced Licenses are required to deploy HA. The two firewalls need to be Associated Products via their registration at www.mysonicwall.com.

Comments

Jason h said:

Does the secondary/idle firewall need to have identical security services installed, or are they transferred from the primary unit? This would add significant cost to the project.

February 20, 2008 3:41 PM
