High Availability for VM-Series Firewall in AWS
The VM-Series firewall in AWS supports active/passive HA only. When the firewall is deployed behind Amazon Elastic Load Balancing (ELB), HA is not supported; in that deployment ELB provides the failover capability instead.
Overview of HA in AWS
To ensure redundancy, you can deploy the VM-Series firewalls in AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. When the passive peer detects this failure, it becomes active and issues API calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself. The failover time can vary from 20 seconds to over a minute depending on the responsiveness of the AWS infrastructure.
IAM Roles for HA
AWS requires that all API requests be cryptographically signed using credentials that it issues. To give the VM-Series firewalls that will be deployed as an HA pair permission to call the API, you must create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service. The role must be attached to the VM-Series firewalls at launch. The policy gives the IAM role permission to initiate the API actions that detach the network interfaces from the active peer in an HA pair and attach them to the passive peer when a failover is triggered.
For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which is configured in the AWS console, must grant the following EC2 API actions and resources (at a minimum):
- ec2:AttachNetworkInterface: permission to attach an ENI to an instance.
- ec2:DescribeNetworkInterfaces (the EC2 API name is plural): permission to fetch the ENI parameters needed to attach an interface to the instance.
- ec2:DetachNetworkInterface: permission to detach an ENI from the EC2 instance.
- ec2:DescribeInstances: permission to obtain information on the EC2 instances in the VPC.
- Resource: use the wildcard (*) in the Amazon Resource Name (ARN) field.
The Describe actions accept only Resource "*", whereas AttachNetworkInterface and DetachNetworkInterface can be restricted to the ARNs of the HA pair's instances and ENIs if you want a tighter policy. Grant nothing beyond these actions: the role's temporary credentials are served to the firewall instance through its metadata service, so any extra permission is available to anyone who compromises the firewall.
The following screenshot shows the access management settings for the IAM role described above:
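A check a practitioner wants before launching the pair is that the role's policy really grants the four actions above, since a missing action is only discovered when a failover silently fails. The following is an added example, not Palo Alto Networks or AWS code: it holds the minimum policy document described on this page and audits an arbitrary policy document for the required actions, honouring IAM's case-insensitive action wildcards (ec2:Describe*, ec2:*, *) and Deny statements. NotAction and resource constraints are not evaluated.

```python
"""Audit an IAM policy document for the EC2 actions VM-Series HA failover
needs.  Added example, not Palo Alto Networks code."""
import fnmatch
import json

# The minimum actions the page lists, with the ec2: service prefix IAM expects.
# ec2:DescribeNetworkInterfaces is the EC2 API name (plural).
REQUIRED_ACTIONS = (
    "ec2:AttachNetworkInterface",
    "ec2:DetachNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeInstances",
)

# Minimum policy document as the page describes it (Resource "*").
MINIMUM_HA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VMSeriesHAFailover",
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_ha_policy(policy):
    """Return the required actions the policy does not effectively grant.

    `policy` is a dict or a JSON string.  An action counts as granted when
    some Allow statement matches it (IAM action wildcards such as
    ec2:Describe* are honoured, case-insensitively as IAM does) and no Deny
    statement matches it.  NotAction and Resource are not evaluated.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(patterns)

    def matches(action, patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

    return [a for a in REQUIRED_ACTIONS
            if not matches(a, allowed) or matches(a, denied)]


if __name__ == "__main__":
    # Print the minimum policy in the form the IAM console accepts.
    print(json.dumps(MINIMUM_HA_POLICY, indent=2))
    print("missing from minimum policy:", audit_ha_policy(MINIMUM_HA_POLICY))
```

Run it to print the minimum policy JSON, or call audit_ha_policy() on the document fetched for the role (for example the output of the get-policy-version CLI call) and treat a non-empty result as a blocker for the deployment.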
HA Links
The devices in an HA pair use HA links to synchronize data and maintain state information. In AWS, the VM-Series firewall uses the following links and ports:
Control Link —The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing and User-ID information. This link is also used to synchronize configuration changes on either the active or passive device with its peer.
The Management port is used for HA1. TCP ports 28769 and 28260 carry cleartext HA1 traffic; TCP port 28 carries encrypted HA1 traffic (SSH over TCP). The security group applied to the management ENIs must allow this traffic between the two peers, together with the ICMP heartbeat described under Heartbeat Polling and Hello Messages.
Data Link —The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device.
Ethernet1/1 must be assigned as the HA2 link. The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport; the security group applied to the HA2 ENIs must allow whichever transport you select between the peers.
The VM-Series on AWS does not support backup links for HA1 or HA2.
Heartbeat Polling and Hello Messages
The firewalls use hello messages and heartbeats to verify that the peer device is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the device. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the devices are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers. (The HA timers for the VM-Series firewall are the same as those of the PA-5000 Series firewalls.)
Device Priority and Preemption
The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic upon failover. If you need a specific device in the HA pair to actively secure traffic, you must enable the preemptive behavior on both firewalls and assign a device priority value to each device. The device with the lower numerical value, and therefore the higher priority, is designated as active and manages all traffic on the network. The other device is in a passive state, and synchronizes configuration and state information with the active device so that it is ready to transition to the active state should a failure occur.
By default, preemption is disabled on the firewalls and must be enabled on both devices. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
HA Timers
High availability (HA) timers are used to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive, and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
HA timer on the VM-Series in AWS      Recommended   Aggressive
Promotion hold time                   2000 ms       500 ms
Hello interval                        8000 ms       8000 ms
Heartbeat interval                    2000 ms       1000 ms
Max number of flaps                   3             3
Preemption hold time                  1 min         1 min
Monitor fail hold up time             0 ms          0 ms
Additional master hold up time        500 ms        500 ms
Configure Active/Passive HA in AWS
Make sure that you have followed the prerequisites. For deploying a pair of VM-Series firewalls in HA in the AWS cloud, you must ensure the following:
- Select the IAM role you created when you launch the VM-Series firewall on an EC2 instance; this procedure does not cover assigning the role to an instance that is already running. See IAM Roles for HA. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
- The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface.
- The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you will configure that dataplane interface as the HA2 interface. Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved (detached and then attached) to the now active, previously passive, firewall.
- The HA peers must be deployed in the same AWS availability zone.
Launch the VM-Series Firewall in AWS.
Enable HA. Select Device > High Availability > General, and edit the Setup section. Select Enable HA.
Configure ethernet 1/1 as an HA interface. This interface must be used for HA2 communication. Select Network > Interfaces. Confirm that the link state is up on ethernet1/1. Click the link for ethernet1/1 and set the Interface Type to HA.
Set up the Control Link (HA1) to use the management port. Select Device > High Availability > General, and edit the Control Link (HA1) section.
(Optional) Select Encryption Enabled, for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device. Select Device > Certificate Management > Certificates. Select Export HA key. Save the HA key to a network location that the peer device can access. On the peer device, navigate to Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it in to the peer device.
Set up the Data Link (HA2) to use ethernet1/1. Select Device > High Availability > General, and edit the Data Link (HA2) section. Select Port ethernet1/1. Enter the IP address for ethernet1/1; this IP address must be the same as the one assigned to the ENI on the EC2 Dashboard. Enter the Netmask. Enter a Gateway IP address if the HA2 interfaces are on separate subnets. Select IP or UDP for Transport. Use IP if you need Layer 3 transport (IP protocol number 99). Use UDP if you want the firewall to calculate the checksum on the entire packet rather than just the header, as with the IP option (UDP port 29281).
(Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default 10000 ms) is exceeded, the configured action is taken. A critical system log message is generated when an HA2 keep-alive failure occurs. You can configure the HA2 keep-alive option on both devices, or on just one device in the HA pair; if you enable it on one device, only that device sends the keep-alive messages.
Set the device priority and enable preemption. Use this setting if you want to make sure that a specific device is the preferred active device. For information, see Device Priority and Preemption. Select Device > High Availability > General and edit the Election Settings section. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the device that you want to assign a higher priority to. If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link becomes the active device. Select Preemptive. You must enable Preemptive on both the active and the passive device.
Modify the failover timers. By default, the HA timer profile is set to the Recommended profile, which is suited for most HA deployments.
(Optional) Modify the wait time before a failover is triggered. Select Device > High Availability > General and edit the Active/Passive Settings. Modify the Monitor fail hold up time to a value between 1 and 60 minutes; the default is 1 minute. This is the interval during which the firewall remains active following a link failure. Use this setting to avoid an HA failover triggered by occasional flapping of neighboring devices.
Configure the IP address of the HA peer. Select Device > High Availability > General, and edit the Setup section. Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0), which is also the HA1 link on the other firewall. Set the Group ID to a number between 1 and 63. Although this value is not used on the VM-Series firewall in AWS, the field cannot be left blank.
Configure the other peer. Repeat the steps from Enable HA through Configure the IP address of the HA peer on the HA peer.
After you finish configuring both devices, verify that the devices are paired in active/passive HA. Access the Dashboard on both devices, and view the High Availability widget. On the active device, click the Sync to peer link. Confirm that the devices are paired and synced, as shown below:
On the passive device: The state of the local device should display passive and the configuration is synchronized.
On the active device: The state of the local device should display active and the configuration is synchronized.
Verify that failover occurs properly. Shut down the active HA peer. On the EC2 Dashboard, select Instances. From the list, select the VM-Series firewall and click Actions > Stop. Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.
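To see what the failover test above exercises, the following added example (not VM-Series code and not the firewall's own implementation) performs the ENI move the page describes: it reads both peers with DescribeInstances, checks the prerequisites from this procedure (same availability zone, passive peer carrying only its management and HA2 ENIs), then detaches each dataplane ENI from the failed peer and attaches it to the surviving peer at the same device index. It is written against the boto3 EC2 client method names (describe_instances, detach_network_interface, attach_network_interface) so move_dataplane_enis() can be called with boto3.client("ec2"); here it runs offline against a fake client over constructed data. The device-index mapping (index 0 is management and HA1, index 1 is ethernet1/1 and HA2) is an assumption of the example.

```python
"""ENI move at failover, as an added example against boto3 method names.
Not Palo Alto Networks code; device indexes below are assumptions."""

MGMT_INDEX = 0  # eth0: management interface, also the HA1 link (assumed)
HA2_INDEX = 1   # eth1 -> ethernet1/1, the HA2 link (assumed)


class FailoverError(Exception):
    """A prerequisite from the procedure does not hold; nothing is moved."""


def _instance(ec2, instance_id):
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return resp["Reservations"][0]["Instances"][0]


def dataplane_enis(instance):
    """(device_index, eni_id, attachment_id) for every ENI that is neither
    the management nor the HA2 interface, i.e. what must move on failover."""
    out = []
    for eni in instance["NetworkInterfaces"]:
        att = eni["Attachment"]
        if att["DeviceIndex"] not in (MGMT_INDEX, HA2_INDEX):
            out.append((att["DeviceIndex"], eni["NetworkInterfaceId"],
                        att["AttachmentId"]))
    return sorted(out)


def move_dataplane_enis(ec2, failed_id, new_active_id):
    """Detach each dataplane ENI from the failed peer and attach it to the
    new active peer at the same device index.  Returns [(index, eni_id)]."""
    failed = _instance(ec2, failed_id)
    new_active = _instance(ec2, new_active_id)
    if (failed["Placement"]["AvailabilityZone"]
            != new_active["Placement"]["AvailabilityZone"]):
        raise FailoverError("HA peers must be in the same availability zone")
    if dataplane_enis(new_active):
        raise FailoverError("passive peer must carry only management and HA2 ENIs")
    moved = []
    for index, eni_id, attachment_id in dataplane_enis(failed):
        ec2.detach_network_interface(AttachmentId=attachment_id, Force=True)
        ec2.attach_network_interface(NetworkInterfaceId=eni_id,
                                     InstanceId=new_active_id,
                                     DeviceIndex=index)
        moved.append((index, eni_id))
    return moved


class FakeEC2:
    """Offline stand-in for the three boto3 EC2 client calls used above."""

    def __init__(self, instances):
        self.instances = instances  # instance id -> DescribeInstances-style dict
        self.calls = []             # record of detach/attach calls, in order

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i]
                                                for i in InstanceIds]}]}

    def detach_network_interface(self, AttachmentId, Force=False):
        self.calls.append(("detach", AttachmentId))
        for inst in self.instances.values():
            inst["NetworkInterfaces"] = [
                e for e in inst["NetworkInterfaces"]
                if e["Attachment"]["AttachmentId"] != AttachmentId]

    def attach_network_interface(self, NetworkInterfaceId, InstanceId, DeviceIndex):
        self.calls.append(("attach", NetworkInterfaceId, InstanceId, DeviceIndex))
        self.instances[InstanceId]["NetworkInterfaces"].append(
            make_eni(DeviceIndex, NetworkInterfaceId))
        return {"AttachmentId": "eni-attach-" + NetworkInterfaceId[4:]}


def make_eni(index, eni_id):
    """Constructed ENI record in the shape DescribeInstances returns."""
    return {"NetworkInterfaceId": eni_id,
            "Attachment": {"DeviceIndex": index,
                           "AttachmentId": "eni-attach-" + eni_id[4:]}}


def sample_pair(zone_passive="us-west-2a"):
    """Constructed HA pair: the active peer has management, HA2 and two
    dataplane ENIs; the passive peer has only management and HA2."""
    return FakeEC2({
        "i-active": {"InstanceId": "i-active",
                     "Placement": {"AvailabilityZone": "us-west-2a"},
                     "NetworkInterfaces": [make_eni(0, "eni-a0"), make_eni(1, "eni-a1"),
                                           make_eni(2, "eni-a2"), make_eni(3, "eni-a3")]},
        "i-passive": {"InstanceId": "i-passive",
                      "Placement": {"AvailabilityZone": zone_passive},
                      "NetworkInterfaces": [make_eni(0, "eni-p0"), make_eni(1, "eni-p1")]},
    })


if __name__ == "__main__":
    ec2 = sample_pair()
    print("moved:", move_dataplane_enis(ec2, "i-active", "i-passive"))
    for call in ec2.calls:
        print(call)
```

Against real AWS, a detach is asynchronous: wait for each ENI to reach the available state (boto3 exposes ec2.get_waiter("network_interface_available")) before issuing the attach, which is where the 20 seconds to over a minute of failover time described in the overview is spent. The two FailoverError checks encode the prerequisites from the first step of this procedure; the function refuses to move anything rather than produce a half-moved pair.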