HA Pair - Can HA do cold standby?
I'm about to purchase a NSA 2700 and wanted to have a cold standby. I know HA exists but I'm not sure how that would work if my primary unit died and I wanted to bring online an HA unit that had been powered off for a while. Can you load the primary firewall configuration on it and have it function until SonicWall ships a replacement unit?
We haven't had a firewall die in years but I remember about 15 years ago having to wait 24-48 hours for an RMA.
I would prefer not to run them in High Availability and just have a unit I can pull off the shelf IF my primary firewall has a hardware failure.
Thanks for any help
-PS
Best Answer
BWC Cybersecurity Overlord ✭✭✭
@prozacsnack I had one deployment and for debatable reasons the secondary unit was off for a long time ... it was able to pick up properly when switched back on in case the primary was off.
You should set up HA, sync the unit and switch the secondary off if necessary. I suggest you switch it back on from time to time to get the latest config. It'll work to import the settings manually, but I would go the automatic way.
--Michael@BWC
Answers
@prozacsnack you would need a second Appliance with all services activated and licensed, which might be costly.
What are your concerns with setting up HA? It's pretty solid and somewhat straightforward to implement. The additional benefit is that you don't need to buy the services again for that 2nd unit.
--Michael@BWC
The only way a "cold standby" process can work is if you have regular, automated backups of the "hot" device. As you will also need to have licenses on this cold device like BWC said, you might as well just use the HA mechanism.
Yes, you could import the config manually from the primary unit onto the secondary, if the primary died whilst the secondary was turned off. If you set up HA and left the secondary turned off most of the time, it will sync the config as soon as you boot it and then reboot to apply it. So it will be ready to use in ~5 minutes.
IME the hardware is reliable enough that setting up HA simply for hardware redundancy isn't worth it. There are still scenarios where it makes sense to me, e.g. "locational" redundancy where you have your primary and secondary in different locations on site.
Let me rephrase the question.
From what I read, the HA unit shares the licenses of the Primary Unit. If you power off the HA unit for an extended period of time, and the primary unit dies during this time, will the HA unit be usable when it is powered back on? It will not have the latest configs on it but the config file can be imported quickly via a backup import file. Will it work with the shared licenses? It shares the licenses in the mysonicwall portal so I didn't see why not, but I never saw any definitive answers on this, which is why I'm asking the experts :)
@BWC I'm not totally against HA. I just wanted a cold spare.
@Arkwright I agree the hardware has been very stable. I've used SonicWalls since 2006 and only had one hardware failure. I believe it was a Pro 2040 that died.
I have a NSA 2600 and a NSA 2600 HA that I bought in 2017. So I can just see if my theory works this weekend, but they are Gen 6 firewalls and I know things have changed with Gen 7. I have the HA unit powered off as a cold spare because I thought it would work this way. I'm wondering if I was wrong these past 6 years. Someone told me wrong.