This how-to describes the correct way to connect two Panda GateDefender eSeries appliances in Gateway mode to work in High Availability.
For this scenario, the necessary hardware is:
- Two Panda GateDefender eSeries appliances with the same hardware, running the same software version and connected in the same way.
- Two switches.
Appliance Setup
When deploying high availability, you must provide a duplicate for each and every connection to the Panda appliance. Every connection the primary unit has (WAN, LAN, etc.) must be replicated on the standby unit so that it can fully take over.
Therefore, in the following example, both Panda GateDefender eSeries appliances should connect their GREEN Gateway uplink's network interface to the same switch and their GREEN zone local network interface to the other switch, meaning that you will assign two physical interfaces to the same GREEN zone on each machine. (See the image above).
To get started, simply assign a different IP address to each GateDefender eSeries appliance; at the end, the master's IP will remain as the management IP.
There is no need to duplicate the configuration on both machines. After High Availability is set up, the configuration is automatically synced to the slave machine.
High Availability Master Unit
First, under Services > High Availability, configure the High Availability settings on the primary HA unit. Set this device to run as Master, then fill out the fields, including the notification fields, so that you are informed when there is an HA failure.
The Spanning Tree Protocol Bridge Priority option defines which node is the root bridge. Smaller values mean higher priority. If the field is left empty (recommended), the value is calculated automatically.
If you are using managed switches with STP capability, this setting might need to be adjusted, depending on which device you want to be the root bridge in the network.
Click Save and Apply to continue.
High Availability Slave Unit
Next, configure the HA settings on the slave HA unit. Set this side as Slave, add the Master IP address previously configured and provide the root (SSH) password for the HA primary unit.
Click Save and Apply to continue.
High Availability verification
Once the service is configured correctly and the change applied, an entry in the Current slaves list on the master unit should be displayed.
Panda GateDefender eSeries HA Management GUI
Now that Panda GateDefender eSeries High Availability is successfully set up, any change made on the Master unit is automatically synced to the slave unit, except package updates and device backups (these have to be performed manually on the slave unit).
As a result, the slave unit will become inaccessible on its previous (GREEN) IP address and it will only be reachable on its new Management IP instead.
The dashboard of the slave unit can be accessed by clicking Go to Management GUI. It will show a web interface that you can access to check the status of the device or perform basic manual functions.
Panda GateDefender eSeries uses a special management network for the communication between the HA nodes, in this example: 192.168.177.0/24. This network is usually not reachable from outside the local network, so the GUI of the slave units in HA cannot be accessed from there. The master unit, however, can always be reached by using the IP address associated with its gateway GREEN network interface.
If you need to reach the slave unit from outside the local network, add a static route on your third-party gateway device/router that forwards traffic for network 192.168.177.0/24 through the GREEN zone interface IP of your Panda GateDefender eSeries.
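The routing decision behind that static route can be checked offline. The following is an added example, not part of the original how-to or of the Panda product: it applies longest-prefix matching to a constructed routing table of the third-party router, before and after the route is added, and flags more-specific routes that would still divert management traffic. Only 192.168.177.0/24 comes from the how-to; the GREEN IP, the slave's management IP, the router's table and the function names are assumptions.

```python
import ipaddress

# Management network from the how-to; every other address below is constructed.
HA_MGMT_NET = ipaddress.ip_network("192.168.177.0/24")


def next_hop(routes, destination):
    """Longest-prefix match over (prefix, gateway) pairs, as a router does."""
    dest = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if dest in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def shadowing_routes(routes, green_ip):
    """More-specific routes inside the HA network that bypass the GREEN IP."""
    shadows = []
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if net != HA_MGMT_NET and net.subnet_of(HA_MGMT_NET) and gw != green_ip:
            shadows.append(prefix)
    return shadows


def slave_gui_routable(routes, green_ip, slave_mgmt_ip):
    """True when traffic for the slave's management IP is handed to the GREEN IP."""
    if ipaddress.ip_address(slave_mgmt_ip) not in HA_MGMT_NET:
        raise ValueError(f"{slave_mgmt_ip} is not in {HA_MGMT_NET}")
    return next_hop(routes, slave_mgmt_ip) == green_ip


GREEN_IP = "192.168.0.15"        # constructed: appliance GREEN interface IP
SLAVE_MGMT_IP = "192.168.177.2"  # constructed: slave's management IP

# Constructed routing table of the third-party router, before the change.
BEFORE = [("0.0.0.0/0", "203.0.113.1"), ("192.168.0.0/24", "on-link")]
# The same table with the static route from the how-to added.
AFTER = BEFORE + [(str(HA_MGMT_NET), GREEN_IP)]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, next_hop(table, SLAVE_MGMT_IP),
              slave_gui_routable(table, GREEN_IP, SLAVE_MGMT_IP),
              shadowing_routes(table, GREEN_IP))
```

Before the route is added, traffic for the slave's management IP follows the default route and never reaches the appliance; afterwards it is handed to the GREEN IP.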