Description

Firewalls can be configured to operate in cluster mode, where a pair of devices can be connected together and configured to operate like a single device to provide high availability.
When configured as a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of system or hardware failure.
If the primary device fails, the secondary device takes over processing of traffic.

When you log in to the cluster, it looks and acts like a single firewall. Almost all configuration is done on the primary and is then replicated to the secondary automatically.

Port names

Ports on the first device keep their usual names (ge-0/0/0), but on an SRX 1500 the port numbering on the second device starts at 7 instead of 0, so ge-0/0/0 on the second device becomes ge-7/0/0.

Cabling

Useful commands

> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
    IS  IRQ storm

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  255      primary        no      yes      None
node1  1        secondary      no      yes      None

Redundancy group: 1 , Failover count: 3
node0  100      primary        yes     no       None
node1  1        secondary      yes     no       None

> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Up                 Disabled      Disabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    xe-0/0/17          Up / Up                   Disabled
    fab0
    fab1    xe-7/0/17          Up / Up                   Disabled
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

Interface Monitoring:
    Interface         Weight    Status                    Redundancy-group
                                (Physical/Monitored)
    xe-7/0/19         255       Up / Up                   1
    xe-0/0/19         255       Up / Up                   1


> show chassis cluster information
node0:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: primary, Weight: 255

        Time            From            To              Reason
        May 25 11:44:22 hold            secondary       Hold timer expired
        May 25 11:47:54 secondary       primary         Remote is in secondary hold

    Redundancy Group 1 , Current State: primary, Weight: 255

        Time            From            To              Reason
        May 25 11:44:22 hold            secondary       Hold timer expired
        May 25 11:46:17 secondary       primary         Remote is in secondary hold
        May 25 15:21:08 primary         secondary-hold  Monitor failed: IF
        May 25 15:21:09 secondary-hold  secondary       Ready to become secondary
        May 25 15:21:54 secondary       primary         Remote is in secondary hold

Chassis cluster LED information:
    Current LED color: Green
    Last LED change reason: No failures

node1:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: secondary, Weight: 255

        Time            From            To              Reason
        May 25 12:02:36 hold            secondary       Hold timer expired

    Redundancy Group 1 , Current State: secondary, Weight: 255

        Time            From            To              Reason
        May 25 12:02:36 hold            secondary       Hold timer expired
        May 25 15:21:08 secondary       primary         Remote yield (1/0), due to IF failures
        May 25 15:21:54 primary         secondary-hold  Preempt (1/100)
        May 25 15:21:55 secondary-hold  secondary       Ready to become secondary

Chassis cluster LED information:
    Current LED color: Green
    Last LED change reason: No failures
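
As an added example (not part of the original page and not Juniper tooling), the Python script below parses saved `show chassis cluster status` output like the one above and reports conditions under which the pair is not cleanly redundant. The sample text is constructed, and the names `parse_status` and `findings` are hypothetical.

```python
import re

# Constructed sample in the layout of `show chassis cluster status`. Values follow
# the output above, except node1 in RG1, invented to show a tripped IF monitor.
SAMPLE = """\
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  255      primary        no      yes      None
node1  1        secondary      no      yes      None

Redundancy group: 1 , Failover count: 3
node0  100      primary        yes     no       None
node1  0        secondary      yes     no       IF
"""

RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)")

def parse_status(text):
    """Return {rg_id: {"failovers": int, "nodes": [dict, ...]}}."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := RG_RE.match(line):
            current = groups[int(m[1])] = {"failovers": int(m[2]), "nodes": []}
        elif current is not None and (m := NODE_RE.fullmatch(line)):
            name, prio, status, preempt, manual, mon = m.groups()
            current["nodes"].append({
                "node": name, "priority": int(prio), "status": status,
                "preempt": preempt == "yes", "manual": manual == "yes",
                "monitor_failures": [] if mon == "None" else mon.split()})
    return groups

def findings(groups):
    """List conditions under which the pair is not cleanly redundant."""
    out = []
    for rg, data in sorted(groups.items()):
        states = sorted(n["status"] for n in data["nodes"])
        if states != ["primary", "secondary"]:
            out.append(f"RG{rg}: expected primary+secondary, got {states}")
        for n in data["nodes"]:
            if n["monitor_failures"]:
                out.append(f"RG{rg} {n['node']}: monitor failures {' '.join(n['monitor_failures'])}")
            if n["manual"]:
                out.append(f"RG{rg} {n['node']}: manual failover flag set")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_status(SAMPLE))))
```

The parser splits on any run of whitespace, so it accepts the output whether or not the column alignment survived copy and paste.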

Swap master

The firewalls have a master and a backup node.

To swap which node is master, run:

request chassis cluster failover node node-number redundancy-group redundancy-group-number