
NSRP Clusters Overview

 

An NSRP cluster consists of two security devices that enforce the same security policy and share the same configuration settings. When you assign a security device to an NSRP cluster, any changes you make to the configuration on one member of the cluster propagate to the other. Members of the same NSRP cluster maintain identical settings for policies and policy objects (such as addresses, services, VPNs, users, and schedules) and system parameters (such as settings for authentication servers, DNS, SNMP, syslog, and so on).

Before two security devices can provide redundant network connectivity, you must group them in the same NSRP cluster. In an NSRP cluster, one device acts as a primary and the other as a backup:

  • In active/passive configurations, the primary device handles all firewall and VPN activities while the backup waits to take over when the primary fails. You can configure the cluster in active/passive operation when the interfaces are in Transparent, NAT, or Route mode:

    • Transparent Mode. When interfaces are in Transparent mode, security zone interfaces do not have IP addresses, and the security device forwards traffic like a Layer 2 switch. To manage a backup device, you use the manage IP address that you set on the VLAN1 interface.

    • NAT or Route Mode. When interfaces are in NAT or Route mode, the security zone interfaces have IP addresses, and the device forwards traffic like a Layer 3 router. To manage a backup device, you must use the manage IP address that you set per security zone interface; you cannot set a manage IP address on a virtual security interface (VSI) for any virtual security device (VSD) group except VSD group 0.

  • In active/active configurations, you create two VSD groups for the cluster. Each device is the primary device of one VSD group and the backup in the other, so both devices forward traffic and each can take over the other's VSD group on failure. You can configure the cluster in active/active operation only when the interfaces are in NAT or Route mode: the security zone interfaces have IP addresses, and the device forwards traffic like a Layer 3 router. To manage a backup device, you must use the manage IP address that you set per security zone interface; you cannot set a manage IP address on a VSI for any VSD group except VSD group 0.

Because NSRP messages carry configuration, session state, and VSD group elections, you can secure all NSRP traffic through encryption and authentication. NSRP supports the DES algorithm for encryption and the MD5 algorithm for authentication. Both are legacy algorithms by current standards, but they are the only options NSRP offers, and enabling them is still preferable to sending NSRP traffic in the clear wherever the HA link is not physically isolated. If the HA cables run directly from one security device to the other (that is, not through a switch that also forwards other kinds of network traffic), encryption and authentication are not strictly necessary; if the HA link shares a switch or VLAN with other traffic, enable both.

In addition to NSRP clusters, which propagate configurations among cluster members and advertise each member's current VSD group state, you can configure the devices as members of a runtime object (RTO) mirror group, which keeps RTOs (such as session table entries) synchronized between the pair of devices. Because the backup already holds the current sessions, it can become the primary device when the primary fails without dropping established traffic, so service downtime is minimal. Without RTO mirroring, a failover still succeeds, but existing sessions are lost and must be re-established.
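The following ScreenOS CLI fragment is an added example, not part of this page or of Juniper's own documentation. It shows the pieces described above for one member of an active/passive cluster in NAT or Route mode: joining the cluster, RTO mirroring, interface monitoring, NSRP authentication and encryption, and a per-interface manage IP for reaching the backup. The cluster ID, interface names, addresses and passwords are assumed values chosen for illustration; the second member gets the same commands with its own manage IP and with the VSD group priorities swapped.

```text
# --- Cluster membership (run on both members) ---
# Cluster ID is an assumed value; both members must use the same ID.
set nsrp cluster id 1
# Mirror runtime objects (session table) so a failover keeps current sessions.
set nsrp rto-mirror sync

# --- VSD group 0 election ---
# Lower priority number wins the primary role; the default is 100,
# so this device becomes the primary and the other member the backup.
set nsrp vsd-group id 0 priority 50

# --- Failure detection ---
# If a monitored interface goes down, VSD group 0 fails over to the backup.
# Interface names are assumed for this example.
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3

# --- Protect NSRP traffic on the HA link ---
# Passwords below are placeholders; use the same values on both members.
set nsrp auth password example-auth-secret
set nsrp encrypt password example-encr-secret

# --- Management of the backup in NAT/Route mode ---
# The zone interface IP is shared (it follows the VSD group 0 primary);
# the manage IP is per device and must differ on the other member.
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 manage-ip 10.1.1.21

# --- Optional: turn this into active/active ---
# Add VSD group 1 with the roles reversed (priority 100 here, 50 on the
# other member) and give its VSI (ethernet1:1) its own address.
# set nsrp vsd-group id 1 priority 100
# set interface ethernet1:1 ip 10.1.1.2/24

# Verify cluster and VSD group state on either member.
get nsrp
```

When checking a new cluster, confirm on both members that `get nsrp` reports the same cluster ID, that one device shows VSD group 0 as primary and the other as backup, and that the backup answers on its manage IP rather than on the shared interface address, which is what makes it reachable while the primary holds the VSI.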

Note

We recommend that you do not change the settings of VSD group 0 after importing the NSRP cluster into NSM. Doing so results in the loss of most attributes, especially the interface attributes. If you must change VSD group 0 settings, do not use NSM to delete or add VSD group 0. The safe way is to use the CLI or the Web UI to make the change on the device cluster first, and then reimport the cluster into NSM. On devices running ScreenOS 6.3, NSRP supports IPv6.

For more information about NSRP, see the Concepts & Examples ScreenOS Reference Guide: NSRP for ScreenOS 5.x or the Concepts & Examples ScreenOS Reference Guide: High Availability.