Configuring a Stateful HA Pair
By default, the Include Certificate/Keys setting is enabled.
This specifies that Certificates, CRLs and associated settings
(such as CRL auto-import URLs and OCSP settings) are
synchronized between the primary and secondary units. When
Local Certificates are copied to the secondary unit, the
associated Private Keys are also copied. Because the
connection between the primary and secondary units is typically
protected, this is generally not a security concern.
Note: A compromise between the convenience of
synchronizing Certificates and the added security of not
synchronizing Certificates is to temporarily enable the
Include Certificate/Keys setting and manually
synchronize the settings, and then disable Include
Certificate/Keys.
To verify that primary and secondary Dell SonicWALL security
appliances are functioning correctly, wait a few minutes, then
power off the Primary Dell SonicWALL device. The secondary
Dell SonicWALL security appliance should quickly take over.
From your management workstation, test connectivity through
the secondary Dell SonicWALL by accessing a site on the
public Internet – note that the secondary Dell SonicWALL, when
active, assumes the complete identity of the primary, including
its IP addresses and Ethernet MAC addresses.
Log into the secondary Dell SonicWALL’s unique LAN IP
address. The management interface should now display
Logged Into: Backup SonicWALL Status: Active in the
upper-right-hand corner.
Now, power the primary appliance back on, wait a few minutes,
then log back into the management interface. If stateful
synchronization is enabled (automatically disabling preempt
mode), the management GUI should still display Logged Into:
Backup SonicWALL Status: Active in the upper-right-hand
corner.
If you are using the Monitor Interfaces feature, experiment with
disconnecting each monitored link to ensure correct
configuration.
HA License Configuration Overview
You can configure HA license synchronization by associating
two Dell SonicWALL security appliances as HA Primary and HA
Secondary on MySonicWALL. Note that the secondary
appliance of your HA pair is referred to as the HA Secondary
unit on MySonicWALL. Also note that the secondary appliance
must be an identical model to the primary appliance (such as
two NSA E5500 appliances).