IP Addresses explained
For each cluster interface, there are three IP addresses:
• Two "real" IP addresses; one for each firewall. These addresses are used to
communicate with the firewalls themselves, i.e. for remote control and monitoring.
They should not be associated in any way with traffic flowing through the cluster;
if either firewall is inoperative, the associated IP address will simply be
unreachable.
• One "virtual" IP address; shared between the firewalls. This is the IP address to
use when configuring default gateways and other routing related matters. It is
also the address used by dynamic address translation, unless the configuration
explicitly specifies another address.
There is not much to say about the real IP addresses; they act just like firewall
interfaces normally do. You can ping them or remote control the firewalls through them if your
configuration allows it. ARP queries for the respective addresses are answered by the firewall
that owns the IP address, using its normal hardware address, just like any other IP host does.
Note:
You cannot use PPPoE/DHCP/L2TP on the external interface when using HA.
The shared IP address and the failover mechanism
Both firewalls in the cluster know about the shared IP address. ARP queries for the shared
IP address, or any other IP address published via the ARP configuration section or through
Proxy ARP, will be answered by the active firewall.
The hardware address of the shared IP address, and of other published addresses for that
matter, is not related to the hardware addresses of the firewall interfaces. Rather, it is
constructed from the cluster ID, in the following form: 10-00-00-C1-4A-nn, where nn is the
Cluster ID configured in the Settings section.
As the shared IP address always has the same hardware address, there is no delay in
updating the ARP caches of units attached to the same LAN as the cluster when failover
occurs.
When a firewall discovers that its peer is no longer operational, it will broadcast a number
of ARP queries for itself, using the shared hardware address as sender address, on all
interfaces. This causes switches and bridges to re-learn where to send packets destined for
the shared hardware address in a matter of milliseconds.
Hence, the only real delay in the failover mechanism is detecting that a firewall is no
longer operational.
The activation messages (ARP queries) described above are also broadcast periodically
to ensure that switches won't forget where to send packets destined for the shared hardware
address.
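The ARP and failover behaviour described above, as an added model that is not part of the original documentation: real IP addresses answered by their owning firewall with its own MAC, the shared IP answered by the active firewall with the cluster hardware address, and the activation ARPs that make a learning switch re-point the shared MAC to the surviving firewall. The IP addresses, MACs and switch port numbers are constructed sample values, and rendering nn as a hex octet is an assumption.

```python
# Added example, not taken from the documentation: models the ARP behaviour
# described above (real IPs answered by their owner, the shared IP by the
# active firewall using the cluster MAC) and the failover re-learning by a
# switch. IPs, MACs and port numbers are constructed; nn as hex is assumed.

def shared_hw_address(cluster_id: int) -> str:
    """Shared MAC 10-00-00-C1-4A-nn, with nn the Cluster ID as one hex octet."""
    if not 0 <= cluster_id <= 255:
        raise ValueError("Cluster ID must fit in one octet (0-255)")
    return f"10-00-00-C1-4A-{cluster_id:02X}"

class Switch:
    def __init__(self):
        self.table = {}                    # source MAC -> ingress port

    def learn(self, src_mac, port):
        self.table[src_mac] = port

    def port_for(self, dst_mac):
        return self.table.get(dst_mac)     # None: unknown, frame would be flooded

class Cluster:
    def __init__(self, cluster_id, shared_ip, members, switch):
        # members: real IP -> (real MAC, switch port); the first entry starts active
        self.shared_ip, self.members, self.switch = shared_ip, members, switch
        self.shared_mac = shared_hw_address(cluster_id)
        self.operational = set(members)
        self.active = next(iter(members))
        for mac, port in members.values():
            switch.learn(mac, port)        # ordinary frames from each real MAC
        self.send_activation_arps()        # also repeated periodically

    def send_activation_arps(self):
        # ARP queries for itself, sender = shared MAC, so switches learn the port
        self.switch.learn(self.shared_mac, self.members[self.active][1])

    def arp_reply(self, target_ip):
        """MAC returned for an ARP query on the LAN, or None if nobody answers."""
        if target_ip == self.shared_ip and self.operational:
            return self.shared_mac             # answered by the active firewall
        if target_ip in self.operational:
            return self.members[target_ip][0]  # owner answers with its real MAC
        return None                            # dead peer: simply unreachable

    def firewall_failed(self, real_ip):
        self.operational.discard(real_ip)
        if real_ip == self.active and self.operational:
            self.active = next(iter(self.operational))   # survivor takes over
            self.send_activation_arps()    # switch re-learns in milliseconds
```

Because the shared MAC depends only on the Cluster ID, two clusters on one LAN must not share an ID, or the switch table in this model would flap between them.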