* The system address is the same address as the active unit IP address. When the active unit fails, the standby assumes
the system address so that there is no need for the network devices to be reconfigured for a different firewall address.
Figure 12-3 shows two PIX Firewall units in a failover configuration. Example 12-3 shows
a sample configuration for a PIX Firewall failover configuration.
failover active Makes the Security Appliance unit it is issued on the active
unit. This command is usually used to make the primary unit
active again after repairs have been made to it.
ip address ip-address
[mask][standby ip_address]
Issued on the primary unit to configure the standby unit’s IP
address. This is the IP address that the standby interface uses
to communicate with the active unit. Therefore, it has the
same subnet as the system address.*
The first ip-address is the interface name’s IP address. The
second ip-address parameter is the standby unit’s IP address.
failover link stateful-if-name Enables stateful failover on the specified.
show failover This popular command displays the status of the failover
configuration.
failover poll seconds Specifies how long failover waits before sending special hello
packets between the primary and secondary units. The
default is 15 seconds. The minimum is 3 seconds, and the
maximum is 15 seconds.
failover reset Can be entered from either unit (active or standby),
preferably the active unit. This forces the units back to an
unfailed state and is used after repairs have been made.
write standby Enter the write standby command from the active unit to
synchronize the current configuration from RAM-to-RAM
memory to the standby unit.
failover lan interface interfacename
Configures LAN-based failover.
failover lan unit primary |
secondary
Specifies the primary or secondary Security Appliance to use
for LAN-based failover.
failover replicate http Allows the stateful replication of HTTP sessions in a stateful
failover environment.
Table 12-4