Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register
Options

Best way to upgrade stateful HA pair

xdmfanboyxdmfanboy Newbie ✭
in Mid Range Firewalls

Moving from NSA 2650 stateful HA to NSA 3700. Not seeing any knowledgebase articles addressing this. Do I just migrate the config to the first 3700 and then configure HA, or what? Last HA upgrade I did was several years ago from Gen 6 to 6.5, not stateful, and I honestly don't remember how I did it.

Category: Mid Range Firewalls
Reply

Best Answer

  • Options
    CORRECT ANSWER
    AjishlalAjishlal Community Legend ✭✭✭✭✭
    Answer ✓

    @xdmfanboy

    most probably your old device have only one cable connection in between the units for the HA but when you are doing the HA in Nsa 3700, you would have to configure 2 port for the HA. One for HA control interface and second one for HA data interface.

    So while using the migration tool, keep in your mind above configuration for the NSa 3700 HA.

    image.png


Answers

  • Options
    BWCBWC Cybersecurity Overlord ✭✭✭

    @xdmfanboy you should be able to migrate the config of the NSa 2650 primary unit with the migration tool, import it into the NSa 3700 and configure the new HA settings afterwards. I would not expect much trouble if the migration tool does not mess things up.

    --Michael@BWC

  • Options
    xdmfanboyxdmfanboy Newbie ✭

    Thanks. Yep, I didn't even realize that I was going to now need two connections. Can these both be just gig even if the total data throughput is higher? Is it replicating all the data or just , as I suspect, session or state information, which should be far less volume? I'd hate to think I need more 10GBase-T SFPs after customer has already purchased.

  • Options
    AjishlalAjishlal Community Legend ✭✭✭✭✭

    @xdmfanboy

    High Availability requires additional physical connections among the affected SonicWall firewalls.For all modes, you need connections for HA Control and HA Data. Active/Active DPI requires an additional connection.

    In any High Availability deployment, you must physically connect the LAN and WAN ports of all units to the appropriate switches. It is important that the X0 interfaces from all units be connected to the same broadcast domain. Otherwise,

    traffic failover will not work. Also, X0 is the default redundant HA port; if the normal HA Control link fails, X0 is used to communicate heartbeats between units. Without X0 in the same broadcast domain, both units would become active if the HA Control link fails.

    A WAN connection to the Internet is useful for registering your firewalls on MySonicWall and for synchronizing licensing information. Unless live communication with SonicWall's licensing server is not permitted due to network policy, the WAN (X1) interface should be connected before registration and licensing are performed.

  • Options
    xdmfanboyxdmfanboy Newbie ✭

    Yep, a lot of that is done on the 2650, though failover works fine with just one cable between the two. I've got common VLANs set up for the two WAN links, DMZs, LAN, and everything fails over perfectly, to the point I have no problem rebooting the primary during the day. you lose one ping during failover and the users sure don't notice.

Sign In or Register to comment.