SunScreen 3.1 Reference Manual

Administering HA

If the HA cluster has an ADMIN interface, you can use the IP address of the ADMIN interface to administer the Screen. The ADMIN interface must be on the primary Screen. This is the normal setup for stealth mode and is the best way to set up routing mode as well.

If the HA cluster does not have an ADMIN interface, the Administration Station needs to connect to a unique IP address to determine which Screen is the primary and which is the secondary. The filtering interfaces share the same IP address in routing mode or have no IP address in stealth mode. The only interface with a unique IP address is the HA interface. You must connect to the HA interface of the primary Screen for administration.

Configuration information is stored only on the primary Screen. To change the configuration through remote administration, you must therefore connect to the primary Screen using an ADMIN interface or the HA interface. The primary does not have to be the active Screen. A passive Screen still receives and transmits administration traffic.

If the addresses of the HA interfaces on the dedicated network connecting the HA Screens are unregistered, you can still administer the primary Screen. The Administration Station has a route to the HA interface of the primary Screen because the HA cluster and the Administration Station are both connected to the network for which the Screens are filtering traffic and can, therefore, communicate with each other. Problems occur when the Administration Station cannot connect directly to one of the Screen's filtering interfaces and the packets from the Administration Station must be routed to the Screen. In this case, the routers in between must also know about the unregistered HA interfaces.