NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 18
April 29, 2023

61. Lecture-61: High Availability HA Active-Active Lab.

Another mode we discuss about a FortiGate firewall is active-active. In active-active, both the firewalls will work. I did not say that both will work for each and every thing; again, one firewall will be the primary and master, the other will be the secondary, but as a secondary it will help the primary one take care of some sessions. Even though the traffic will still come to the primary, it will hand on the traffic. Why? If both are working, so how will the ARP entry, how will the MAC addresses work? If both are working, so what I will send to the PC, one will say okay, I have an ARP entry, this guy, now this one says I will deal; you tell me, who the hell will deal with me? Because we know, you know the concept, whoever did CCNA from me knows the concept, how the packet travels, there is an ARP entry, there is MAC address detail. So we discussed also in what is called GLBP and VRRP; we discussed that they are using a virtual IP and a virtual MAC address. So the same they do. So that's why, if you want to configure both to work at the same time and deal separately, it is not possible in active-active. And that's why I told you in real life you will never find this one. It's very complicated and very difficult to troubleshoot. So what will they do? Even if the name is active-active, again one will be primary and it will have high priority and be master. It will take the session and it will pass it to FortiGate two; it will deal with the process, and then the packet will come back to them and again it will go to the user. So this is called active-active. Let's do it.

The same thing: outside and inside, and port three and port four we are using for high availability as layer two, no need of IP configuration. Again, port three and port four we will use. LAN PCs are using DHCP and we are using 100 as the internal IP and 11140 as the external WAN IP, and this time our mode is active-active. Again we will give high priority to the master and 50 to the slave, and our group name will be the same and the heartbeat port will be the same. So almost the same concept. But because we already configured this, because you need to find out the management IP, then log in and change the name. We already configured the interfaces' names, WAN and then LAN and then HA one, enable DHCP on the LAN, configure DNS, which we already did, configure the default route, which we already did, and then a LAN to WAN policy to allow the traffic to test the internet.

So we already created this policy and then come into this part. So let's go there, log in with admin and admin, sorry, admin. Now the thing is we already configured HA, so what we can do: this is the primary one, so I can edit it and I will say I want to go back to standalone, so this firewall goes back to standalone. So if I check here, from here we are standalone. Okay, this one is done. There is a command as well; from the command line you can also do it, and it will log out because it changed the behavior now to standalone. So let's see them, is it still in HA or not? Okay, so let me go to, okay, we removed that one, they removed it. So let's go to Add Widgets and HA Status. Just want to see, so this is an active-passive, so go to System, go to HA and disable this one as well to standalone. If you can make HA, you can go back to your standalone status as well. Okay, so let's see now. Okay, and now let me verify; we have to properly come out from the active-passive, it kicks out again. So let's go to HA Status there. So it should be here. Okay, standalone now. But what about the other firewall? So now you can log into the other firewall and check the IP. admin, one, two, three, show system interface question mark, so they have 100 as well and this one is also 100 as well. So I need to reboot the device, or there is a command to reset them. So show system interface question mark; either I need to change one IP. Now both are in standalone but they have the same IP, because it will become the same IP, you know, which he asked me. So configure interface, config system interface, and go to port one, sorry, edit port one and set the IP. I just need to change them to mode DHCP, and then end, and the secondary one. Let me see if they can get another IP, because both with the same IP can never work for us. So we are still getting the IP.
Yeah, so it gets 137 now, so it's okay, and now let's come in here and put them, so again we have two separate standalone firewalls; again I make them separate. Let me log in, let's see, maybe management access is not allowed, so config system interface, edit port one, and set allowaccess http https ping ssh etc., and end. Now let them try. You can verify from here as well, and let me see whether the IPs are correct or not: show system interface question mark. Yes.

Come up now. So let me type admin and one, two, three. So this firewall's name is secondary, just the name as a secondary, don't worry, it's a standalone firewall; I gave them the name only. If you don't like it, let me change it this time: System, Settings, and let me give them Second Firewall. So this is my second firewall, and go to this one, System, Settings, and this one is First Firewall. Okay, again from scratch. First we need to check the interfaces, which are already done. If the name is not there, so LAN DHCP is enabled and also this is my management interface. You need to check the DNS; DNS is configured. Check the default route; the default route is there, and check the policy, if the basic policy is there to allow the traffic for test purposes. So it's there, that's it. And I'm a standalone. How do I know? So if I go to System and click on HA, it's showing me that you are not participating in any high availability. So I say this time I want active-active. So I say let me give them 100. They pick the old detail anyway; it will not show here, and I think so the password is not here. 123456. Let me see if it's right. So 123456 when I want.

Okay, I didn't show you the WAN monitoring, but I don't know, I forgot. If I down the WAN interface again, the other will become active. HA1, HA2 is my heartbeat interface, as we know; I'll give more priority to HA one, which is port three, and no priority, no unicast, and okay, that's it. This side is done. It will show me the detail this time. So let's wait for it again. We can verify as a place plate, we can verify as the list, we can verify from the dashboard which one is configured: if you go to Status and if it is enabled, HA is enabled. So this time it will show you that Active-Active is enabled. Last time it was showing you Active-Passive. Okay, just wait a moment. It takes some time to enable the feature. It's come up now; it says Active-Active, but only one firewall is participating, which is the master. But now we will have a second one. So go to HA again. This firewall, Second Firewall, is not participating. So I say Active-Active, HA group, and I will type 123456, priority less than the other one, session pickup, monitor interface, HA interfaces, which interface will take part? HA one, and okay. And as I showed you from here, you will see some messages here after a while when they start syncing with the other one, and the IP will be removed. As I told you, it will be only one IP, and the management IP of First Firewall will be used. So let's see, it's still working. It has to show messages here as well, the synchronized message.

Okay, and let me log in here as well. In the first firewall anyway, the message will be here and after a while it will join them. How we can verify it from here as well. It's come up now; it just came up, Second Firewall with the name Second Firewall. And if we go to System, HA, so it's here, but still they are not synchronized. 100 priority, hostname is First Firewall and Second Firewall, serial number. This one is master, this one is slave; again master and slave, as I told you, even if they are active-active. Session 51 and session 15 and throughput, and you can see it in this way as well; it's more simple to see this one, okay, because it's still processing. Yeah, still, so let's refresh; it will take some time. Okay, let's see, and from here it will log out, and also we can verify from the dashboard. Let's go down. So still it's showing, like it's saying, did not synchronize with the first one. It will pick up all the detail, every detail, interface detail, policy detail, besides two things: name, hostname, and priority. And the rest of everything will be synced with the secondary one. So still what we can do, we can refresh them. Hopefully it will be done soon. Yeah, it started now, slave configuration with master, so start messaging, and hopefully after a minute it will be... still it's not showing, and also we can verify from HA. Okay, still there, give them a minute. So it will be... so what we did: we go here, we put the high priority 100, then put the password, monitoring interfaces, we give them some priority, heartbeat interfaces, device priority; we know the group name can be anything, it has to be the same on both firewalls; session pickup I already told you, so that they can distribute the sessions; monitor interface we will see now, if I down the interface; heartbeat interfaces we already discussed, and heartbeat interface priority, and you can reserve a management interface if you want. Okay, and I already showed you this; I mean that it's being monitored and these two interfaces are heartbeat, so heartbeat is there.
Okay, that's it.

Now let's see, let me refresh. Yeah, it's done now. So 150. What do you think if I send up traffic from here, traceroute 8.8.8.8, which firewall is it hitting? 100, it is going to 100. How? I can show you that it's still using one firewall, this one, because it's the primary one, but it will give some sessions to them; and from here it will give it to these guys, and specially TCP-based, not every type. So at the end of the day we are not achieving any big thing from active-active in the case of FortiGate, but anyway, still there's the method to use them. The other thing to verify: okay, verify from here, master and slave, even in active-active master and slave. And we can see from here this is Active-Active, it can be seen from here. Let's say Active-Active is configured. What I wanted to show you: management, the WAN monitoring interface, which we missed last time, so let me show you here. So we say monitor this interface; even if the firewall is up and port one is down, so this firewall will take over. I don't know in active-active whether it will take over or not, but I think so, it should be in both cases. So what can I do? Let me delete them; I will be disconnected, but anyway, now it's disconnected. Let's see whether this 50 priority becomes active or not, so admin and one, two, three. If I log into the second firewall it means it's done.

Look at that, with priority 50 it has become master. Why? The other firewall is there, it's up, because I told them, even if this firewall is up, but if this WAN interface is not reachable, take over. Now the traffic will work. It's okay. The traffic is going because automatically the traffic will divert to here and it will go that way, because it's down. So that's why monitoring is also important. It is also in parallel as well. We call them link monitoring here, and even HSRP, say, even in the Checkpoint, in other firewalls, all firewalls have the same concept, which is very important, even with GLBP or VRRP. To do the same thing we applied the track command; maybe you remember, we monitor the interface with the track command, that if the WAN interface is down, so take over; it is in HSRP as well. Yes, so they all have a similar concept, so always think logically, then you will understand everything, that these terminologies are everywhere and every vendor is using the same techniques, and also for interview purposes. Normally they will ask you sometimes, you don't know; it doesn't have to be that you have to know everything, but you have to think logically that yeah, in Cisco such things, definitely in FortiGate it will be; you will say yes, similar like Cisco they also have something, so when one interface is down, the other will work. So if you don't know anything about Checkpoint and they ask, yes, tell them yes, this is the same technology like a FortiGate, give the example of a FortiGate, anyway, but it works this way. And last but not least, even if I down this interface it will take over, but when this comes up it will never be primary again, and I need to configure override, then it will be primary, which I showed you last time, so no need to repeat the same thing. Okay, that's it. Yeah, let me go there if I missed something, otherwise we will quit here. Yeah. This override rule here is again the same thing. If you want to take it, if you rejoin the cluster and it becomes active and becomes primary, so master.

So you can enable it by these two commands only. There is no graphical way to enable this preemption command. And also you can configure HA by command, which we will discuss in detail later in the course; we will take one class on the command line from basic to advanced level. We will discuss commands as well and also troubleshooting commands. So it's better to leave them to the end, is okay.
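The steps walked through in the GUI above (reset to standalone, fix the duplicate port1 IP, rename each unit, build the active-active cluster with heartbeat and WAN monitoring, and enable override so the high-priority unit takes primary back after it rejoins), collected into FortiOS CLI form. This is an added example, not the instructor's own commands from the video. The group name "HA-LAB", the hostnames and the numeric heartbeat priorities 100/50 are assumed values chosen for the example; the device priorities 100 and 50, the password 123456 and port1/port3/port4 come from the lecture.

```text
# --- 1. Put a unit that is still clustered back to standalone (run on that unit) ---
config system ha
    set mode standalone
end

# --- 2. After leaving the cluster both units keep the same port1 address; ---
#        give one of them a fresh DHCP lease and re-open management access.
config system interface
    edit "port1"
        set mode dhcp
        set allowaccess ping https ssh http
    next
end

# --- 3. Hostname is one of the settings that is NOT synchronized, so set it per unit ---
config system global
    set hostname "First-Firewall"      # "Second-Firewall" on the other unit (assumed names)
end

# --- 4. Active-active cluster, primary unit (device priority 100) ---
config system ha
    set group-name "HA-LAB"            # assumed name; must match on both units
    set mode a-a                       # active-active
    set password 123456
    set hbdev "port3" 100 "port4" 50   # heartbeat links; port3 preferred (assumed values)
    set session-pickup enable          # lets the secondary pick up sessions on failover
    set monitor "port1"                # link monitoring: lose WAN -> fail over even if the box is up
    set priority 100
    set override enable                # preemption: reclaim primary when this unit rejoins
end

# --- 5. Same block on the secondary, only the device priority differs ---
#        (priority and override are also not synchronized, so repeat them here)
config system ha
    set group-name "HA-LAB"
    set mode a-a
    set password 123456
    set hbdev "port3" 100 "port4" 50
    set session-pickup enable
    set monitor "port1"
    set priority 50
    set override enable
end

# --- 6. Checks after the units have finished syncing ---
get system ha status                   # role of each member, priorities, monitored links
diagnose sys ha checksum cluster       # config checksums must agree across members
```

When override is enabled on both units the device priority alone decides who is primary, which is what makes the 100-priority unit come back as master after it rejoins; without override, the unit that is already primary keeps the role, exactly as observed in the lab. Link monitoring on port1 is what produced the failover to the priority-50 unit when the WAN link was pulled while the box itself stayed up.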
