Filter
Top Products
228
SONICWALL SONICOS ENHANCED 2.5 ADMINISTRATOR’S GUIDE
C
HAPTER
37:
Setting Up Hardware Failover
services are affected, physical (or logical) link detection is detected on monitored interfaces, or when
the SonicWALL loses power.
The self-checking mechanism is managed by software diagnostics, which check the complete system
integrity of the SonicWALL device. The diagnostics check internal system status, system process
status, and both internal and external network connectivity. For example, if a network topology has
three levels, then diagnostics are performed on the router/switch/hub connectivity on the first, second,
and third level. There is a weighting mechanism on both sides to decide which side has better
connectivity, used to avoid potential failover looping.
Critical internal system processes such as NAT, VPN, and DHCP (among others) are checked in real
time. The failing service is isolated as early as possible, and the failover mechanism repairs it
automatically.
Before Configuring Hardware Failover
Before attempting to configure two SonicWALL appliances as a Hardware Failover pair, check the
following requirements:
• Hardware Failover is only supported on the SonicWALL PRO 2040, PRO 3060, PRO 4060 and
PRO 5060 security appliances running SonicOS Enhanced. It is not supported in any version of
SonicOS Standard, or on any SonicWALL TZ 170 series product running the version of SonicOS
Enhanced
• The Primary and Backup SonicWALL security appliances must be same hardware model – mixing
and matching SonicWALLs of different hardware types is not currently supported.
• The Hardware Failover feature requires three unique LAN IP addresses to operate – the first IP
address is used as a virtual gateway IP address, the second is used as the unique LAN IP address
for the Primary device, and the third is used as the unique LAN IP address for the Backup device.
You have at least one (1) valid, static IP address available from your Internet Service
Provider (ISP). Two (2) valid, static IP addresses are required to remotely manage both the
primary SonicWALL and the backup SonicWALL.
S
Alert: SonicWALL Hardware Failover does not support dynamic IP address assignment from your
ISP.
• Each SonicWALL security appliance in the Hardware Failover pair must have the same firmware
version installed.
• SonicWALL Security Services licenses are not shared between Primary and Backup SonicWALL
devices -- the Backup SonicWALL must have separate licenses. Each SonicWALL security
appliance in the Hardware Failover pair must have the same SonicWALL Security Services
enabled. If the Backup SonicWALL security appliance does not have the same upgrades and
subscriptions enabled, these functions are not supported in the event of a failure of the Primary
SonicWALL appliance.
• All SonicWALL ports being used must be connected together with a hub or switch. If each
SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must
be in the same subnet.
9
Tip: The two SonicWALLs in the Hardware Failover pair send “heartbeats” on their X5 Interfaces—on
the PRO3060/4060/5060 series—as a dedicated-HF link. However, the PRO2040 series uses the X3
Interface as the dedicated-HF link.
• If using new single WAN IP method, please note that the Backup device, when in offline ‘Idle’
mode, will not be able to use NTP to synchronize its internal clock, nor will it be able to contact the
backend services licensing servers. It is also unable to perform device registration with the
backend licensing servers.
• Hardware Failover can be used with dual WAN ports, but only if both WAN interfaces use static IP
addressing; the current firmware does not support either WAN interface using dynamic IP
addressing.