SunScreen 3.1 Administration Guide

Setting Up High Availability

To use High Availability (HA), you must install SunScreen as an HA system as described in the SunScreen Installation Guide. High Availability, its limitations, topology and setup, and capabilities are described in detail in the SunScreen Reference Manual.


Note -

The network that is used for HA traffic must be kept physically secure because all secret keys and configurations are transmitted in the clear over the HA interface.


HA lets you deploy multiple Screens together in situations where the connection between a protected inside network and a nonsecure outside network is critical. One member of the HA cluster, the active HA Screen, performs packet filtering, network address translation, logging, and encryption/decryption of packets travelling between the inside and outside networks. The other members of the HA cluster, which can be as many as 31 passive HA Screens, receive the same packets, perform the same calculations as the active HA Screen, and mirror the state of the active HA Screen, but they do not forward traffic between the inside network and the outside network. If the active HA Screen fails, one of the passive HA Screens takes over (failover) as the active HA Screen and begins routing and filtering network traffic within seconds. Because the passive HA Screens mirror the active HA Screen, few connections are lost if a failover occurs.

HA Policy

When you set up an HA cluster, you designate one Screen as the Primary HA Screen, and you configure it with the common objects and policy rules the HA cluster will use. When you activate the policy, it is copied from the Primary HA Screen to the other members of the HA cluster. The Solaris system and network configuration are not copied from the Primary HA Screen, and must be identical on all the Screens in the HA cluster.


Note -

Keep the HA network physically secure because the HA cluster transmits secret keys and policies in the clear over the dedicated HA network.


The interfaces for network connections must be the same for each HA cluster member. For example, if one HA host uses the le0 interface as its dedicated internal network connection, all HA hosts must use the le0 network interface as the dedicated internal network connection. Similarly, you must assign Screens in the HA cluster the same IP addresses on their non-dedicated interfaces.
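As an added example that is not part of this guide or of SunScreen's own tools, the following Python script checks a constructed inventory of cluster members against the interface rules above: the dedicated HA interface must have the same name on every member, and the non-dedicated interfaces must carry the same names and IP addresses on every member. The host names, interface inventory and the "ha"/"net" role labels are assumptions made for the example.

```python
"""Consistency check for an HA cluster's interface layout (added example).
Models the rules stated in the guide: same dedicated HA interface name on
every member; identical names and IP addresses on the non-dedicated
interfaces. The inventory below is constructed sample data."""

# Constructed sample inventory: host -> {interface: (address, role)}.
# role "ha" marks the dedicated HA network, "net" a filtered interface.
CLUSTER = {
    "screen-a": {"le0": ("10.0.0.1", "ha"), "qe0": ("192.168.1.1", "net"),
                 "qe1": ("203.0.113.1", "net")},
    "screen-b": {"le0": ("10.0.0.2", "ha"), "qe0": ("192.168.1.1", "net"),
                 "qe1": ("203.0.113.1", "net")},
    "screen-c": {"le1": ("10.0.0.3", "ha"), "qe0": ("192.168.1.1", "net"),
                 "qe1": ("203.0.113.9", "net")},
}

def check_ha_consistency(cluster):
    """Return a list of readable findings; an empty list means consistent."""
    findings = []
    hosts = sorted(cluster)
    if len(hosts) > 32:  # one active Screen plus at most 31 passive Screens
        findings.append(f"cluster has {len(hosts)} members; maximum is 32")
    # Rule 1: the dedicated HA interface must have the same name everywhere.
    ha_ifaces = {}
    for host in hosts:
        names = [n for n, (_, role) in cluster[host].items() if role == "ha"]
        if len(names) != 1:
            findings.append(f"{host}: expected one dedicated HA interface, found {names}")
            continue
        ha_ifaces[host] = names[0]
    if len(set(ha_ifaces.values())) > 1:
        findings.append(f"dedicated HA interface name differs across members: {ha_ifaces}")
    # Rule 2: non-dedicated interfaces must match the first host in name and address.
    reference = hosts[0]
    ref_net = {n: a for n, (a, role) in cluster[reference].items() if role == "net"}
    for host in hosts[1:]:
        net = {n: a for n, (a, role) in cluster[host].items() if role == "net"}
        for name in sorted(set(ref_net) ^ set(net)):
            findings.append(f"{host}: interface {name} present on only one of {reference}, {host}")
        for name in sorted(set(ref_net) & set(net)):
            if ref_net[name] != net[name]:
                findings.append(f"{host}: {name} has {net[name]} but {reference} has {ref_net[name]}")
    return findings

if __name__ == "__main__":
    for finding in check_ha_consistency(CLUSTER):
        print("MISMATCH:", finding)
```

Run against the sample inventory, it reports that screen-c uses le1 instead of le0 for the HA link and that its qe1 address differs from the other members.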