When you set up an HA cluster, you designate one Screen as its primary HA Screen. The primary HA Screen is configured with the policy's configuration objects, including named Screen objects, such as addresses or services, with attributes that include these settings, and the policy rules that the HA cluster will use. When you activate a policy, the policy's rules are copied from the primary HA Screen to the secondary Screens in the HA cluster.
Solaris settings, such as network interfaces and routing configuration, are not copied from the primary Screen and must be identical on all the Screens in the HA cluster.
Because the HA cluster transmits secret keys and policies in the clear over the dedicated HA network, keep the HA network physically secure.
The IP addresses of the HA interfaces for each member of the HA cluster on the dedicated network connections must be unique. Assign all HA Screens the same IP addresses on their filtering interfaces.
FIGURE 8-1 shows a network protected by two Screens in an HA cluster. Each Screen in the HA cluster connects to the external and internal networks through Ethernet hubs, which pass the same signals to all members of the HA cluster at the same time. Each HA Screen, therefore, sees the same traffic, ensuring that passive Screens can duplicate the state of the packet filter engine should the active Screen fail.
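
The addressing rules above (unique HA interface addresses, identical filtering interface addresses) can be checked before a cluster goes live. The following is an added example, not SunScreen code: the inventory format, the `ha`/`filtering` role labels, and the host, interface and address values are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (not real tool output): screen, interface, role, address.
SAMPLE = """\
screen-a hme0 ha        192.168.100.1
screen-a qfe0 filtering 10.0.0.1
screen-a qfe1 filtering 172.16.0.1
screen-b hme0 ha        192.168.100.1   # duplicate HA address
screen-b qfe0 filtering 10.0.0.1
screen-b qfe1 filtering 172.16.0.2      # differs from screen-a
"""

def parse(text):
    """Return {screen: {"ha": set of addresses, "filtering": {iface: address}}}."""
    screens = defaultdict(lambda: {"ha": set(), "filtering": {}})
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        screen, iface, role, addr = line.split()
        if role == "ha":
            screens[screen]["ha"].add(addr)
        elif role == "filtering":
            screens[screen]["filtering"][iface] = addr
        else:
            raise ValueError(f"unknown role {role!r}")
    return dict(screens)

def check_cluster(screens):
    """Return sorted findings; an empty list means both addressing rules hold."""
    if not screens:
        return []
    findings = []
    owners = defaultdict(list)                 # HA address -> screens using it
    for name, cfg in screens.items():
        for addr in cfg["ha"]:
            owners[addr].append(name)
    for addr, names in owners.items():
        if len(names) > 1:                     # HA addresses must be unique
            findings.append(f"HA address {addr} reused by {', '.join(sorted(names))}")
    names = sorted(screens)
    ref = screens[names[0]]["filtering"]       # first screen is the reference
    for name in names[1:]:                     # filtering addresses must match
        other = screens[name]["filtering"]
        for iface in sorted(set(ref) | set(other)):
            if ref.get(iface) != other.get(iface):
                findings.append(f"filtering {iface}: {names[0]}={ref.get(iface)} "
                                f"{name}={other.get(iface)}")
    return sorted(findings)
```

Calling `check_cluster(parse(SAMPLE))` reports both the reused HA address and the mismatched `qfe1` filtering address; a filtering interface missing on one member shows up as `None` on that side.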