SunScreen 3.2 Administrator's Overview

Basic SunScreen HA in Routing Mode

The figure below shows a network protected by at least two identical Screens in an HA cluster. They are administered remotely.

Figure 8-1 Network With HA Cluster of Screens


Each Screen in the HA cluster connects to the external and internal networks through Ethernet hubs, which pass the same packets to all members of the HA cluster at the same time.

The routing interfaces of all the systems in the HA cluster have the same interface names with the same IP addresses. When a Screen becomes a secondary Screen, the MAC address of its routing interfaces is changed so that it is the same as the MAC address of the corresponding interface on the primary Screen. Each HA Screen, therefore, receives the same traffic, ensuring that passive Screens can duplicate the state of the packet filter engine should the active Screen fail. The secondary Screens have the same rules and process the packets in the same way.


Note -

Both Screens mirror configuration. They attempt to mirror state by independently building the same state table, since they see the same traffic. They do not, however, exchange information about the contents of each other's state tables. That means that when one Screen is rebooted, it has the same rules, configuration, MAC addresses, and so on, but does not have the same state in memory. This Screen never learns old information from the other Screen; it only learns new information from listening on the wire. The in-memory state tables of the two Screens are out of sync for some undetermined amount of time, until both systems have the same state (eventually, the state table entries on the Screen that has been up longer will time out or terminate, and the state tables will be synchronized).


The policy is stored on the primary Screen and pushed in the clear to the secondary Screens over the dedicated network connection between the primary Screen and the secondary Screens, called the HA heartbeat network.


Caution -

Because the HA cluster transmits secret keys and policies in the clear over the dedicated HA heartbeat network, keep the HA heartbeat network physically secure.


To prevent the secondary Screens from sending out duplicate packets, packet transmission is automatically disabled on their filtering interfaces.

If you are administering an HA cluster remotely, there are special considerations. Because SunScreen uses the same IP addresses on all routing interfaces, it is not possible to tell from the Administration Station which Screen you are connecting to.

If the remote Administration Station connects to the IP address 172.16.3.1, the active HA Screen responds. This could be the HA primary or an HA secondary Screen. The configuration is only present on the HA primary Screen. For this reason, you must point your browser to the HA interface, which is unique, to administer the HA primary Screen:

http://172.16.4.1:3852

To keep the HA heartbeat network private, do not broadcast Routing Information Protocol (RIP). You must, therefore, add a static route on the remote Administration Station, by executing the Solaris command route add net 172.16.2.0 172.16.3.1 1, for example.

If you are using NAT with HA, depending on the configuration for NAT that you are using, you must add a static address resolution protocol (ARP) entry to the primary and secondary Screens in active or passive mode so that NAT works after failover. You must replicate all non-SunScreen ARP entries, including static ARP entries, on all HA Screens. Because you must do this every time an HA Screen fails over, it is easier if you edit or create your own startup script to add the static ARP entries. See Chapter 7, Network Address Translation and the arp(1M) man page for more information.
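A startup script of the kind the paragraph above recommends, as an added example that is not from the SunScreen documentation: run on every HA Screen, it re-applies the static ARP entries from a table file, rejecting malformed lines before calling arp(1M). The table path, the sample entries and the use of the pub flag are assumptions.

```shell
#!/bin/sh
# Added example (not SunScreen code): re-apply static ARP entries on an HA
# Screen so NAT keeps working after a failover or reboot.  Table lines are
# "ip mac [pub]"; '#' starts a comment.  Path and flag usage are assumptions.

ARP_TABLE=${ARP_TABLE:-/etc/ha_static_arp.conf}   # hypothetical location

# Reject malformed addresses at boot rather than publishing a bad entry.
valid_ip() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for f in "$@"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac
        [ "$f" -le 255 ] || return 1
    done
}
valid_mac() {
    oldIFS=$IFS; IFS=:; set -- $1; IFS=$oldIFS
    [ $# -eq 6 ] || return 1
    for f in "$@"; do
        case $f in [0-9a-fA-F]|[0-9a-fA-F][0-9a-fA-F]) ;; *) return 1 ;; esac
    done
}

# The arp(1M) command line for one entry (printed in dry-run mode).
arp_cmd() {
    printf 'arp -s %s %s%s\n' "$1" "$2" "${3:+ $3}"
}

# Apply every entry in the table; with DRY_RUN set, only print the commands.
# Stops at the first bad line so a typo in the table is not silently skipped.
apply_arp_table() {
    n=0
    while read -r ip mac flag; do
        case $ip in ''|'#'*) continue ;; esac
        if ! valid_ip "$ip" || ! valid_mac "$mac" || { [ -n "$flag" ] && [ "$flag" != pub ]; }; then
            echo "$1: bad entry: $ip $mac $flag" >&2; return 1
        fi
        if [ -n "$DRY_RUN" ]; then arp_cmd "$ip" "$mac" "$flag"
        else arp -s "$ip" "$mac" $flag || return 1; fi
        n=$((n + 1))
    done < "$1"
    echo "applied $n static ARP entries from $1" >&2
}

case ${1:-} in start) apply_arp_table "$ARP_TABLE" ;; esac
```

Install a copy with the same table on each HA Screen, since every Screen must carry the same non-SunScreen ARP entries; DRY_RUN=1 lets you check the table before it is used at boot.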