SunScreen 3.2 Administrator's Overview

Administering HA

If the HA cluster has an ADMIN interface, you can use the ADMIN interface's IP address to administer the Screen. The ADMIN interface must be on the primary Screen. This is the normal setup for stealth mode and is the best way to set up routing mode as well.

If the HA cluster does not have an ADMIN interface, the Administration Station needs to connect to a unique IP address to determine which Screen is the primary and which are the secondaries. The filtering interfaces share the same IP address in routing mode or have no IP address in stealth mode. The only interface with a unique IP address is the HA interface. You must connect to the HA interface of the primary Screen for administration.

The configuration information is stored only on the primary Screen. If you want to change the configuration with remote administration, you must connect to the primary Screen using an ADMIN interface or the HA interface. The primary does not have to be the active Screen. A passive primary Screen still receives and transmits administration traffic.

If the addresses for HA interfaces on the dedicated network connecting the HA Screens are unregistered, you can still administer the primary Screen. If the HA cluster and the Administration Station are both connected to the network for which the Screens are filtering traffic, the Administration Station has a route to the HA interface of the primary Screen, so the two can communicate with each other. Problems can occur when the Administration Station cannot connect directly to one of the Screen's filtering interfaces and the packets from the Administration Station must be routed to the Screen. In this case, the routers in between must also know about the unregistered HA interfaces.