Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

High Availability

  • Selective session synchronization for MNHA (SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Use selective session synchronization for Multinode High Availability (MNHA) during cold and hot synchronization to optimize performance, reduce redundant state replication, and maintain fine-grained control over synchronization durations. Disable synchronization for short‑lived traffic or defer synchronization with a minimum age. You can configure selective session synchronization using default or user-defined flow profiles. You can disable session synchronization for short-lived sessions by setting session-sync disabled or delay synchronization based on session age by adjusting session-sync-min-age.

    [See Selective Session Synchronization for Multinode High Availability.]

  • Four-node MNHA (SRX4600 and SRX4700)—Use four-node Multinode High Availability (MNHA) to strengthen continuity by deploying two MNHA pairs across domains, including separate data centers. Each pair uses an interchassis link (ICL), and the pairs interconnect with an interdomain link (IDL) for secure intra-domain communication and failover if one pair becomes unavailable. The design supports SRG0 services such as firewall and NAT but does not support SRG1+ services—for example, IPsec VPN. Four-node MNHA provides resilience against localized disruptions. Four-node MNHA support is available only for the routing mode (Layer 3) of MNHA.

    [See Four-Node Multinode High Availability.]

  • IDL HA link encryption (SRX4600 and SRX4700)—You can extend high availability across data center domains with four-node Multinode High Availability (MNHA). An interdomain link (IDL) synchronizes control and data plane states between nodes across the domains. You can secure IDL traffic using IPsec with IKEv2, multiple security associations (SA), AES-GCM-256 encryption, and use either preshared keys (PSKs) or public key infrastructure (PKI) for authentication. To encrypt the HA link for the IDL, install the Junos OS IKE package on SRX Series Firewalls and configure a VPN profile for HA traffic. Include the ha-link-encryption in your IPsec VPN configuration. An encrypted IDL link ensures secure interdomain communications.

    [See Four-Node Multinode High Availability.]