Configure the SRX firewall cluster

To configure the firewall HA, follow these steps:
1. First, directly connect the HA control signal ports of the two firewalls. The HA control signal port is the port specified by the manufacturer.
Device Model:
For SRX100 devices, connect the fe-0/0/7 port to the Fe-1/0/7 port
For SRX210 devices, connect the fe-0/0/7 port to the Fe-2/0/7 port
For SRX240 devices, connect the ge-0/0/1 port to the ge-5/0/1 port
For SRX650 devices, connect the ge-0/0/1 port to the ge-9/0/1 port
 
2. Configure the root password (the same password is configured for the two devices)
SRX-A> set system root-authentication plain-text-password
SRX-B> set system root-authentication plain-text-password
 
3. Delete the configurations of all default ports.
SRX-A> delete interface ge-0/0/0
SRX-B> delete interface ge-0/0/0
 
4. Configure cluster (we recommend that you set the master device to node 0)
SRX-A> set chassis cluster-id 1 node 0 reboot
(The value range of Cluster ID is 1-15. When Cluster ID = 0, unsets the cluster)
SRX-B> set chassis cluster-id 1 node 1 reboot
 
5. After the preceding configuration is complete, the HA status will be synchronized. You can run the show command to check the status. All operations will be performed on a firewall.
Show chassis cluster status
 
6. directly connect the control interface ports of the two firewalls (which can be specified at will), and then configure
Set interfaces fab0 fabric-options member-interfaces ge-0/0/2
Set interfaces fab1 fabric-options member-interfaces ge-5/0/2
 
7. Configure priority level (node 0 is high priority level)
RG0 is fixed for RE switching of the main control board. RG1 and later are used for redundant interface switching. RE switching is independent of interface switching.
Set chassis cluster reth-count 10 (specify the maximum number of redundant ethernet interfaces in the entire Cluster)
Set chassis cluster redundancy-group 0 node 0 priority 200
Set chassis cluster redundancy-group 0 node 1 priority 100
Set chassis cluster redundancy-group 1 node 0 priority 200
Set chassis cluster redundancy-group 1 node 1 priority 100
 
8. Configure the device name and Management port (the Management port is also the port specified by the vendor)
Set groups node0 system host-name SRX-A
Set groups node0 interfaces fxp0 unit 0 family inet address 1.1.1.1/24 (with the name of the Internet port fxp0)
Set groups node1 system host-name SRX-B
Set groups node1 interfaces fxp0 unit 0 family inet address 1.1.1.2/24
Set apply-groups $ {node} (apply the above groups configuration)
 
9. Run the following command to view information about all ports: www.2cto.com
Run show interfaces terse
 
10. wiring the port to be configured (if no connection is established after port monitoring is set, the HA status will be abnormal)
 
11. Port Configuration
Set interface ge-0/0/8 gigether-options redundant-parent reth0 (node 0 ge-0/0/8 interface)
Set interface ge-5/0/8 gigether-options redundant-parent reth0 (node 1 ge-0/0/8 interface)
Set interface reth0 redundant-ether-options redundancy-group 1 (reth0 belongs to rg1)
Set interface reth0 unit 0 family inet address 192.168.0.1/24
 
12. Port Monitoring
Set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
Set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
Set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
Set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255
 
13. If the factory value needs to be restored during configuration
A. Disable cluster and restart the device.
SRX-A> set chassis cluster disable reboot
SRX-B> set chassis cluster disable reboot
 
B. Factory Value Recovery
SRX-A> Load factory-default
SRX-A> set system root-authentication plain-text-password
SRX-A> commit
 
SRX-B> Load factory-default
SRX-B> set system root-authentication plain-text-password
SRX-B> commit
 
Author oldtian