SunScreen HA Definitions

One Screen in an HA configuration is defined as the primary Screen. The rest are defined as secondary Screens.

• Primary HA Screen - When you set up an HA cluster, you designate one Screen as its primary HA Screen. The primary HA Screen contains the editable configuration for the HA cluster. When you activate a policy on the primary Screen, its rules are copied from the primary HA Screen to all the secondary HA Screens in the HA cluster.

  Solaris settings, such as network interfaces and routing configuration, are not copied from the primary Screen to the secondary Screens and must be identical on all the Screens in the HA cluster. The address of the HA interface on the primary Screen must be unique. The node name for the primary Screen must be unique.

• Secondary HA Screen - These Screens are the systems that do not have the editable configuration on them. They receive the configuration from the primary Screen. The interfaces must be the same physical type and have the same names as the primary Screen. For example, if the primary uses le0 and qe0 for filtering and qe1 as the HA interface, the secondary must also use le0 and qe0 for filtering and qe1 as the HA interface. The filtering interfaces must have the same IP address as the primary Screen. The address of each HA interface on each Screen must be unique. Similarly, the node name of each Screen must be unique.

At any time, one member of the HA cluster is the active Screen and the other Screens in the HA cluster are the passive Screens. When a configuration is activated, the primary HA Screen transfers the configuration, including certificates, local keys, addresses, policy rules, etc., to all Secondary HA Screens.

• Active Screen - The active Screen filters packets, translates network addresses, logs packets according to the action in a rule, and encrypts or decrypts packets. The active Screen can be a secondary Screen. Any Screen can become the active Screen.

• Passive Screen - The passive Screens receive the same packets and perform the same calculations as the active Screen, and mirror the configuration of the active Screen, but they do not forward traffic.

Under normal circumstances, the primary Screen is the active Screen. It receives, processes, and sends packets. All the secondary Screens are passive Screens. They receive and process, but do not send any packets. If the primary Screen fails for some reason, one of the secondary Screens becomes the active Screen. If the primary Screen subsequently becomes operational again while a secondary Screen is active, the primary Screen comes up as a passive Screen and is eligible to become the active Screen if the active Screen fails or is manually forced into passive mode. The primary Screen does not have to be the active Screen.

All the screens in your configuration must do name resolution through /etc/hosts.

The IP addresses of the HA heartbeat interfaces for each member of the HA cluster for dedicated network connections must be unique. Assign all HA Screens the same IP addresses on their filtering interfaces. If a remote Administration Station connects to the IP address of one the filtering interfaces, the active Screen will respond. The active Screen is not necessarily the primary Screen, which contains the policy. The Administration Station must use the IP address of the HA interface, if you want to be sure that it is connecting to the primary Screen.