Binding a Floating IP Address to an HA Active-Primary Firewall
In a high availability (HA) active/active configuration, a Layer 3 deployment often uses floating IP addresses, which can move between HA firewalls to allow a persistent connection when a link or firewall fails. You can now bind a floating IP address to whichever firewall is in the active-primary state. Thus, on a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B. Peer B remains the active-primary firewall, even when Peer A recovers and becomes the active-secondary firewall. You control when Peer A becomes the active-primary firewall again.
In mission-critical data centers, you can benefit from binding the floating IP address to the active-primary firewall. You can have an HA active/active configuration for path monitoring out of both firewalls but have the firewalls function like an HA active/passive configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
When you also disable preemption on both firewalls, you gain the following additional benefits:
The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
You can run health checks on the recovered firewall before manually directing traffic to it again, which you can do during a convenient downtime.
You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
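The following is a simplified model of the failover behavior described above, added here as an illustration and not taken from the vendor's software or documentation. It replays a constructed sequence in which Peer A fails and then flaps, and compares who owns the floating IP address with preemption enabled and disabled. It assumes Peer A has the preferred (lower) priority value and reduces the election to two rules; the names `simulate`, `count_moves` and `FLAP_EVENTS` are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    priority: int  # assumption of this model: lower value is preferred
    up: bool = True


# Constructed event sequence: Peer A fails, recovers, then flaps twice more.
FLAP_EVENTS = [("A", "down"), ("A", "up")] * 3


def simulate(events, preemptive):
    """Replay (peer, state) events and return the floating IP owner after each.

    The floating IP is bound to whichever peer is active-primary.
    Returns None for an event after which no peer can hold the address.
    """
    peers = {"A": Peer("A", 10), "B": Peer("B", 20)}
    primary = "A"
    owners = []
    for name, state in events:
        peers[name].up = state == "up"
        other = "B" if primary == "A" else "A"
        if not peers[primary].up and peers[other].up:
            # Failover: the surviving peer becomes active-primary.
            primary = other
        elif (preemptive and peers[primary].up and peers[other].up
              and peers[other].priority < peers[primary].priority):
            # Preemption: the recovered, preferred peer takes the role back.
            primary = other
        owners.append(primary if peers[primary].up else None)
    return owners


def count_moves(owners, start="A"):
    """Count how many times the floating IP changed firewalls."""
    moves, current = 0, start
    for owner in owners:
        if owner is not None and owner != current:
            moves += 1
            current = owner
    return moves


if __name__ == "__main__":
    for preemptive in (True, False):
        owners = simulate(FLAP_EVENTS, preemptive)
        print(f"preemptive={preemptive}: owners={owners} "
              f"moves={count_moves(owners)}")
```

With preemption disabled, the address moves once and stays on Peer B while Peer A flaps as the active-secondary peer; with preemption enabled, it moves on every event.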
Bind a Floating IP Address to an HA Active-Primary Firewall
Configure active/active HA with the floating IP address bound to the active-primary firewall. The HA virtual address is a floating IP address that you bind to the active-primary firewall.
(Optional) Disable preemption. Disabling preemption gives you full control over when the recovered firewall becomes the active-primary firewall. Select Device > High Availability > General and edit the Election Settings. Clear Preemptive if checked. Click OK.
Enable link monitoring on the interface of the HA virtual address (floating IP address). To enable link monitoring, see Step 1 in Define HA Failover Conditions.
Enable path monitoring. To enable path monitoring, see Step 3 in Define HA Failover Conditions.
Next Steps... Configure the HA peer firewall.
