HA Licencing and Patching
I'm setting up HA on a pair of SM 9400's and I was hoping someone could clarify a couple of things for me.
The first is in relation to licencing additional services not included with the appliance (e.g. AV). As I understand it:
- Active/Active Clustering: Licence required for both firewalls.
- Active/Standby mode: Licence only required for the master
- Active/Standby mode with Active/Active DPI: Licence only required for the master
Is this correct?
The second is about patching. The SM 9400 has 4 x 10GB SFP+ ports. I'd like to use 3 of these for WAN, LAN and DMZ.
Does having only one free 10GB port limit high availability modes I can use? For example, I expect Active/Active DPI will need a dedicated 10GB connection between the firewalls to transfer data for processing, which means other connections such as the HA Control Interface can only be 1GB. Will this work? How about for Active/Active Clustering?
Appreciate any advice.
Hi @johnoatwork , Yes the first part is correct,
for the 10GB ports yes you only need the Transfer one to be 10GB the other is just for the Heartbeat so a 1GB will be fine.
one Caveat you should be aware of if choosing Active/Active DPI is that it doesn't support the Capture ATP so if you want this feature you would need to use the Active/Passive or Active/Active Clustering
Also the settings for the Active/Active DPI Threshold are in the Diag page IP/diag.html, which the documentation doesn't mention,
by default when using the Active/Active DPI the secondary appliance will only start processing the DPI traffic when this threshold is reached on the primary appliance or if you select Force DPI offload in the diag page.
you can see if the secondary appliance is processing any traffic in the Primary appliances Dashboard/ Multicore monitor page.
another thing to be aware of is if you are thinking of upgrading to the Gen7 appliances these don't support Active/Active DPI currently.
Active/Active Clustering requires additional hardware to load balance the connections on the incoming and outgoing see the below for more info.