HA and CMG Parameters

When a Screen is part of a High Availability (HA) cluster or Centralized Management Group (CMG) , it is classified as either a Primary or Secondary Screen. Primary and Secondary are defined as follows:

• Primary - One of the Screens in the collection must be the primary Screen, and all other Screens are Secondary. The primary Screen is used for all administration: it holds the configuration data and is responsible for communicating with the Secondary Screens in order to update their policies.

• Secondary - A Secondary Screen receives all its policy information from the primary Screen. A Secondary Screen must indicate the name of the primary Screen in its Screen object. This name is specified with the MASTER keyword in the configuration editor or the Primary Name field under the Primary/Secondary tab in the administrative GUI.

---

Note -

The primary Screen object has no Primary name specified, but is recognized as the primary Screen if its name appears in the Primary Name field of at least one other Screen.

---

If the Screen is part of a centralized management group or is administered remotely, you must specify the following field:

• ADMIN_IP - An IP address that can be used to communicate with the Screen for administrative traffic. You specify it as an IP address in the form #.#.#.#.

If SKIP is used to protect these data communications, you must specify the following fields:

• ADMIN_CERTIFICATE - The name of the certificate that can be used to secure administrative traffic to the Screen

• KEY, DATA, MAC, and COMPRESSION - The algorithms to control how data are encrypted between the Screens in the administrative group

• TUNNEL - (Optional) This field specifies if tunneling is being used. It is the name of an address object.

If IKE is used to protect these data communications, you must also specify the following fields:

• IKE ("name of Certificate", "name of Algorithm", "name of Algorithm", "name of Algorithm") - The name of a certificate that can be used to secure administrative traffic to the Screen when using the IPsec/IKE protocol. IKE is used if both IKE and SKIP are specified.

• ESP ("name of Algorithm", "name of Algorithm") -

• AH ("name of Algorithm") -

If the Screen is part of an HA cluster, the HA_PRIMARY or HA_SECONDARY options must be specified in the configuration editor. This can also be accomplished in the administrative GUI using the High Availability field of the Primary/Secondary tab.

If the Screen is specified as the HA Primary, the High Availability IP Address (HA_IP #.#.#.#) and Ethernet Address (HA_ETHER #:#:#:#:#:#) must also be specified.

If the Screen is specified as an HA Secondary, the primary Screen name (MASTER) and High Availability IP Address (HA_IP #.#.#.#) must also be specified.