Clustering and High Availability

UserGate NGFW supports 2 types of clusters:

  1. Configuration cluster. Nodes combined into a configuration cluster support unified configuration within the cluster.

  2. High Availability (HA) cluster. Up to 4 configuration cluster nodes can be combined into a HA cluster that supports the Active-Active or Active-Passive operation modes. You can build several HA clusters.

Configuration cluster

A number of settings are specific to each cluster node, e.g., network interface configuration and IP addressing. The node-specific settings are listed below:

Node-specific settings:

  • Log Analyzer settings

  • Diagnostics settings

  • Network interface settings

  • Gateway settings

  • DHCP settings

  • Routes

  • OSPF settings

  • BGP settings

To create a configuration cluster, follow these steps:

Step 1. Perform initial configuration on the first cluster node.

See the Initial Configuration chapter.

Step 2. On the first cluster node, configure the zone containing the network interfaces through which cluster replication will be carried out.

In the Zones section, create a new dedicated zone for cluster settings replication or use an existing one (Cluster). Allow the following services in the zone's settings:

  • Administrative console

  • Cluster.

Do not use zones whose interfaces are connected to untrusted networks (e.g., the Internet) for replication.

Step 3. Specify the IP address that will be used to communicate with other cluster nodes.

In the Device Management section of the Cluster configuration window, select the current cluster node and click the Edit button. Specify the IP address of an interface located in the zone you configured at Step 2.

Step 4. Generate a Secret code on the first cluster node.

In the Device management section, click Generate secret code. Copy the resulting code to the clipboard. This master node secret is required for one-time authorization of a second node before adding it to the cluster.

Step 5. Connect a second node to the cluster.

Connect to the web console of the second cluster node and select the installation language.

Specify the network interface that will be used to connect to the first cluster node and assign it an IP address. Both cluster nodes must reside in the same subnet, e.g., with the eth2 interfaces of the two nodes assigned the IP addresses 192.168.100.5/24 and 192.168.100.6/24, respectively. Otherwise, you need to specify the IP address of the gateway through which the first cluster node will be accessible.

Specify the IP address of the first node configured at Step 3, enter the master node secret, and press the Connect button. If the IP addresses of the cluster configured at Step 2 are assigned correctly, the second node will be added to the cluster, and all the settings from the first node will be replicated on the second one.

The state of configuration cluster nodes can be determined from the color of the indicator next to the UserGate node name in the UserGate ➜ Device management ➜ Configuration Cluster section:

  • Green: the node is online

  • Yellow: the configuration cluster nodes are being synchronized

  • Red: communication with this node is lost, the node is offline.

Step 6. Assign zones to the second node's network interfaces.

In the web console for the second cluster node, go to the Network ➜ Interfaces section and assign the correct zone to each network interface. The zones and their settings are obtained as a result of data replication from the first cluster node.

Step 7. (Optional) Configure the node-specific settings for each cluster node.

Configure the gateways, routes, OSPF settings, and BGP settings specific to each cluster node.

Up to four configuration cluster nodes can be combined into a HA cluster. There can be multiple HA clusters: for example, nodes A, B, C, and D within the configuration cluster can form two HA clusters, A-B and C-D.

A HA cluster can operate in two modes, Active-Active and Active-Passive. The state of cluster nodes can be determined from the color of the indicator next to the NGFW node name in the UserGate ➜ Device management ➜ HA clusters section:

  • Red: no communication with the adjacent configuration nodes

  • Yellow: the HA service is not running on the node.

The absence of an indicator next to the cluster node name means that the node is online.

Active-Passive HA Cluster

In the Active-Passive mode, one of the servers operates as the master node that processes traffic and the rest act as backup. On each of the cluster nodes, network interfaces are selected to which the administrator assigns virtual IP addresses. VRRP advertisements, the messages that nodes use to exchange information about their state, are transmitted between these interfaces.

Note: The Active-Passive mode supports user session synchronization, which provides user-transparent traffic switching between nodes, except for the sessions that use a proxy (e.g., HTTP/S).

When a backup server assumes the master role, all virtual IP addresses of all cluster interfaces are transferred to it. An unconditional role transfer occurs under the following circumstances:

  • A backup server gets no confirmation that the master node is online, for example, if it is offline or the nodes are unavailable on the network.

  • Internet connectivity checking is configured on the node (see section Gateway Configuration), and there is no Internet access through any of the gateways.

    If the host specified in the network checker properties is unavailable at all cluster nodes, the HA cluster will be brought offline.

  • A software fault has occurred in UserGate.

When one or more network interfaces that are assigned virtual IP addresses go offline, this will lower the node's priority but not necessarily cause a change in the server's role. Transition to a backup node will occur if that node has a higher priority than the master node. By default, the master node has a priority of 250, while a backup node has a priority of 249. A node's priority is decreased by 2 for each cluster interface that has no physical connectivity to the network. Therefore, for a two-node HA cluster, if one network interface on the master node loses the physical connectivity to the network, the master role will be transferred to the backup server, provided that all its cluster interfaces have network connectivity (the priority value will be 248 for the master and 249 for the backup in that case). When the physical connectivity on the original master node is restored, that node will assume the master role again because its priority value will return to 250 (this is true in the case where virtual addresses are configured on two or more network interfaces; if there is only one such interface, the node will not re-assume the master role).

If one or more cluster network interfaces go offline on a backup node, the node's priority will be lowered, but it will nevertheless be able to become the master in case of an unconditional role transfer or when the master node's priority drops below the priority of this backup node.

Note: If cluster IP addresses are assigned to VLAN interfaces, the lack of connectivity on a physical interface will be interpreted by the HA cluster as a connectivity loss on all VLAN interfaces created on that physical interface.

Note: To reduce the time it takes for the network equipment to switch the traffic to a backup node, NGFW sends an internal GARP notification (Gratuitous ARP) to inform the network equipment of a MAC address change for all virtual IP addresses. NGFW sends a GARP packet every minute and when the master role is transferred to a backup server.

An example network diagram for a HA cluster in the Active-Passive mode is shown below. The network interfaces are configured as follows:

  • Trusted zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted).

  • Untrusted zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted).

  • Cluster zone: IP9, IP10, IP11, IP12, IP13, IP14. The interfaces in the Cluster zone are used for settings replication.

Both cluster IP addresses reside on the UG1 node. If the UG1 node goes offline, both cluster IP addresses will migrate to the next server, which becomes the master (e.g., UG2).

A HA cluster in the Active-Passive mode

Active-Active HA Cluster

In the Active-Active mode, one of the servers operates as the master node that distributes the traffic among all other cluster nodes. On each of the cluster nodes, network interfaces are selected to which the administrator assigns virtual IP addresses. VRRP advertisements, the messages that nodes use to exchange information about their state, are transmitted between these interfaces.

Virtual IP addresses always reside on the master node's interfaces. The master node therefore receives client ARP requests and responds to them, serving the MAC addresses of all HA cluster nodes in turn. This distributes traffic uniformly across the cluster nodes while taking into account the need for user session continuity.

Note: The Active-Active mode supports user session synchronization, which provides user-transparent traffic switching between nodes, except for the sessions that use a proxy (e.g., HTTP/S).

When a backup server assumes the master role, all virtual IP addresses of all cluster interfaces are transferred to it. An unconditional role transfer occurs under the following circumstances:

  • A backup server gets no confirmation that the master node is online, for example, if it is offline or the nodes are unavailable on the network.

  • Internet connectivity checking is configured on the node (see section Gateway Configuration), and there is no Internet access through any of the gateways.

  • A software fault has occurred in NGFW.

When one or more network interfaces on the master node that are assigned virtual IP addresses go offline, this will lower the node's priority but not necessarily cause a change in the server's role. Transition to a backup node will occur if that node has a higher priority than the master node. By default, the master node has a priority of 250, while a backup node has a priority of 249. A node's priority is decreased by 2 for each cluster interface that has no physical connectivity to the network. Therefore, for a two-node HA cluster, if one network interface on the master node loses the physical connectivity to the network, the master role will be transferred to the backup server, provided that all its cluster interfaces have network connectivity (the priority value will be 248 for the master and 249 for the backup in that case). When the physical connectivity on the original master node is restored, that node will assume the master role again because its priority value will return to 250.

When one or more cluster network interfaces go offline on a backup node, this lowers the node's priority and excludes it from traffic load balancing. That backup node will nevertheless be able to become the master in case of an unconditional role transfer or when the master node's priority drops below the priority of this backup node.

Note: If cluster IP addresses are assigned to VLAN interfaces, the lack of connectivity on a physical interface will be interpreted by the HA cluster as a connectivity loss on all VLAN interfaces created on that physical interface.
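The priority arithmetic described above for both the Active-Passive and Active-Active modes, as an added Python example (not UserGate code). The Node and elect_master names, the eth interface names and the list-order tie-break between nodes of equal priority are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

MASTER_BASE, BACKUP_BASE = 250, 249  # default priorities stated on the page
PENALTY = 2  # subtracted per cluster interface without physical link


@dataclass
class Node:
    name: str
    configured_master: bool
    cluster_ifaces: dict  # virtual-IP interface -> physical port it sits on
    down_ports: set = field(default_factory=set)  # ports without link
    alive: bool = True  # False models an unconditional role transfer

    def priority(self) -> int:
        base = MASTER_BASE if self.configured_master else BACKUP_BASE
        # A dead physical port is counted once per VLAN interface built on it.
        lost = sum(port in self.down_ports for port in self.cluster_ifaces.values())
        return base - PENALTY * lost


def elect_master(nodes, current, mode="active-passive"):
    """Return the name of the node that should hold the virtual IPs."""
    alive = {n.name: n for n in nodes if n.alive}
    if not alive:
        return None
    # Ties between equal-priority nodes fall to list order (assumption).
    best = max(alive.values(), key=lambda n: n.priority())
    holder = alive.get(current)
    if holder is None:  # unconditional transfer: the current master is gone
        return best.name
    if best.priority() <= holder.priority():  # strictly higher priority needed
        return holder.name
    # Active-Passive exception from the page: with a single virtual-IP
    # interface the original master does not take the role back.
    if mode == "active-passive" and best.configured_master and len(best.cluster_ifaces) < 2:
        return holder.name
    return best.name


def two_nodes(ifaces):
    """Constructed two-node cluster: UG1 (master) and UG2 (backup)."""
    return Node("UG1", True, dict(ifaces)), Node("UG2", False, dict(ifaces))


if __name__ == "__main__":
    ug1, ug2 = two_nodes({"eth0": "eth0", "eth1": "eth1"})
    ug1.down_ports = {"eth0"}  # master loses one cluster link
    print(ug1.priority(), ug2.priority(), elect_master([ug1, ug2], "UG1"))
```

Running the same check with two VLAN interfaces on one physical port shows why a single cable fault costs the node 4 priority points rather than 2.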

Note: To reduce the time it takes for the network equipment to switch the traffic to a backup node, NGFW sends an internal GARP notification (Gratuitous ARP) to inform the network equipment of a MAC address change for all virtual IP addresses. In the Active-Active mode, NGFW sends a GARP packet only when a backup server assumes the master role.

An example network diagram for a HA cluster in the Active-Active mode is shown below. The network interfaces are configured as follows:

  • Trusted zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted).

  • Untrusted zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted).

  • Cluster zone: IP9, IP10, IP11, IP12, IP13, IP14. The interfaces in the Cluster zone are used for settings replication.

Both cluster IP addresses reside on the UG1 node. If the UG1 node goes offline, both cluster IP addresses will migrate to the next server, which becomes the master (e.g., UG2).

A HA cluster in the Active-Active mode

Note: For correct traffic processing, the reverse traffic from the server to the client must pass through the same NGFW node that was used for the corresponding forward traffic from the client; i.e., the user session must always pass through the same cluster node. The simplest solution is to use NAT from the client network to the server network (NAT from Trusted to Untrusted).

To create a HA cluster, follow these steps:

Step 1. Create a configuration cluster.

Create a configuration cluster as described in the Configuration cluster section above.

Step 2. Configure zones whose interfaces will participate in the HA cluster.

In the Zones section, you should allow the VRRP service for all zones where virtual cluster IP addresses are to be added (zones Trusted and Untrusted on the above diagrams).

Step 3. Create a HA cluster.

In the Device management ➜ HA cluster section, click Add and configure the settings for the new HA cluster.

Step 4. Specify a virtual IP address for the auth.captive, logout.captive, block.captive, and ftpclient.captive hosts.

If captive-portal authorization is to be used, the system host names auth.captive and logout.captive used by the authorization procedures in the captive portal must resolve to the IP address assigned as the virtual cluster address. For more details on these settings, see the section General Settings.

The settings for a HA cluster are listed below:

Enabled: Enable or disable the HA cluster.

Name: The name of the HA cluster.

Description: A description of the HA cluster.

Mode: The HA cluster operating mode:

  • Active-Active: the load is distributed between all cluster nodes.

  • Active-Passive: the load is processed by the master node and switched to a backup instance if the master node is offline.

Sessions sync: Enables user session synchronization mode between all nodes in the HA cluster. When enabled, this option makes switching users between devices transparent to the users themselves but adds significant load on the UserGate platform. The option is only relevant for the Active-Passive cluster mode.

HA cluster multicast ID: Multiple HA clusters can be created in a single configuration cluster. Session synchronization uses a specific multicast address defined by this parameter. A unique ID must be assigned to each group of HA clusters that requires session synchronization support within the group.

Virtual router ID (VRID): The VRID must be unique to each VRRP cluster in the local network. If there are no 3rd party VRRP clusters in the network, it is recommended to keep the default setting.

Nodes: Select the configuration cluster nodes to combine into an HA cluster. Here you can also assign the master role to one of the selected nodes.

Virtual IPs: Assign virtual IP addresses and map them to the interfaces of the cluster nodes.

UDP/ICMP Synchronization: Manage the user session synchronization mode:

  • Synchronize all sessions: enable/disable synchronizing all user sessions, including UDP/ICMP sessions. If this is disabled and the Sessions sync setting on the General tab is enabled, only TCP sessions will be synchronized.

  • IPs excluded from synchronization: list the IP addresses for which user sessions will not be synchronized.
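For the Virtual router ID (VRID) setting above, a way to check a segment for other VRRP clusters already using the planned VRID before enabling the HA cluster. This is an added Python example, not UserGate code; it assumes the VRRP payloads (IP protocol 112) have already been extracted from a capture as (source IP, payload) pairs, and all addresses and the VRID value are constructed samples.

```python
import socket
import struct
from collections import defaultdict


def parse_vrrp(payload: bytes) -> dict:
    """Parse the fields shared by VRRPv2 and VRRPv3 IPv4 advertisements."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count = struct.unpack_from("!BBBB", payload)
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version not in (2, 3) or msg_type != 1:  # type 1 = advertisement
        raise ValueError("not a VRRP advertisement")
    if len(payload) < 8 + 4 * count:
        raise ValueError("address list truncated")
    # The virtual IPv4 addresses start right after the 8-byte header.
    vips = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": version, "vrid": vrid, "priority": priority, "vips": vips}


def vrid_conflicts(adverts, own_nodes, planned_vrid):
    """Map each foreign sender that already uses planned_vrid to its VIPs."""
    foreign = defaultdict(set)
    for src, payload in adverts:
        try:
            adv = parse_vrrp(payload)
        except ValueError:
            continue  # skip anything that is not a well-formed advertisement
        if adv["vrid"] == planned_vrid and src not in own_nodes:
            foreign[src].update(adv["vips"])
    return {src: sorted(vips) for src, vips in foreign.items()}


def sample_advert(vrid: int, priority: int, vip: str) -> bytes:
    """Constructed VRRPv2 advertisement; the checksum is left at zero."""
    header = bytes([0x21, vrid, priority, 1, 0, 1, 0, 0])
    return header + socket.inet_aton(vip) + bytes(8)  # 8 bytes of auth data


if __name__ == "__main__":
    captured = [  # constructed sample data
        ("192.168.100.5", sample_advert(1, 250, "10.0.0.1")),
        ("192.168.100.77", sample_advert(1, 100, "10.0.0.254")),
    ]
    print(vrid_conflicts(captured, {"192.168.100.5", "192.168.100.6"}, 1))
```

A non-empty result means another VRRP cluster on that segment already announces the planned VRID, so a different value should be chosen for the HA cluster.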