Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Understanding Cluster Mode

The Administrator of the TOE can set up the Cluster Mode for High Availability (HA) by connecting HA control port em0 on node 0 to the HA control port em0 on node 1 as described in the article -

The factory-default configuration does not include HA configuration. To enable HA, if the physical interfaces used by HA have some configurations, these configurations need to be removed. The two hosts constituting a chassis cluster must have identical configuration except for one being configured to node 0 and the other to node 1.

The TOE has a dedicated fxp0 interface for the HA management of the TOE. The interface for HA control link must be between em0 on each device. The fabric interface may be defined by the Administrator. After the cluster has been defined and set up by the Administrator, the two devices constituting a chassis cluster have identical cluster-id but difference node ID as one host most be node 0 and the other one node 1. For vSRX Virtual Firewall instances the ge-0/0/1 interface on node1 changes to ge-7/0/1.

The node 1 renumbers its interfaces by adding the total number of system FPCs to the original FPC number of the interface. The fabric interface remains Administrator-defined.

With L2 HA link encryption tunnel, any Security Sensitive Parameters (Critical Security Parameters) exchanged over the control link between the two chassis in cluster mode are protected using IPsec. The configuration information and IKE HA messages that pass through the chassis cluster link from the primary node to the secondary node are protected from active and passive eavesdropping by using IPsec for internal communication between nodes. An attacker cannot gain privilege access or observe traffic, without the internal IPsec key.