Applies To:

SonicWALL Security Appliance Platforms:

Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040
Software Versions: All versions of SonicOS Enhanced running on the above models.


Note:  In the Gen5 UTM products, the screens in the web management GUI are in the High Availability Section.  In Gen4 UTM products (pictured in some of the below screenshots), the section is named 'Hardware Failover,' but the functionality is the same.

 

Monitoring IP Details

Primary Sonicwall: X0 IP: 10.10.10.96, X1 IP: 0.0.0.0

Secondary Sonicwall: X0 IP: 10.10.10.97, X1 IP: 0.0.0.0

LAN Management IP of Sonicwall: 10.10.10.95

The monitoring IP addresses are configured so that we can access the Primary and the Backup Sonicwall individually. They are configured from the Hardware Failover > Monitoring screen (Gen4) or the High Availability > Monitoring screen (Gen5).
 


Configuring the Monitoring IP Addresses on the Sonicwall

1. Log in to the Sonicwall and go to the Hardware Failover > Monitoring screen.  Assign two IP addresses in the X0 subnet that are not in use.   Note:  You can also assign monitoring IP addresses for other interfaces like X1, if you have other IP addresses available in the X1 subnet.

 

 

For accessing the Sonicwall's web management GUI from the LAN, you can use the X0 IP address [Here 10.10.10.95] on the Network - Interfaces screen.  In an HA Pair of any kind, the firewall which responds on this IP address is the Active unit of the HA pair, which is usually the Primary unit, but sometimes it is the Backup unit.  You can always tell which unit is active (and which is using the X0 IP address) by looking in the top right corner, which has an indicator which reads:  Logged Into:  Primary SonicWALL (or  Logged Into:  Backup SonicWALL).  Watch for this in the screenshots below.

 

Note:  Preempt Mode (see screenshot below) is a feature in SonicWALL Hardware Failover / High Availability pairs, and is the reason for the difference in behavior between the two examples A and B below.  Preempt is the behavior of the Primary unit taking back active status from the Backup unit after a reboot, even if the Backup unit is functioning properly.  Preempt Mode cannot be enabled with Stateful Synchronization enabled.

 


 

Example A:

Upgrading Firmware on a UTM High Availability Pair, when Stateful Synchronization is disabled (and Preempt Mode is enabled)

 1. Access the Sonicwall using the X0 IP [here: 10.10.10.95]

 

 

 2. Go to the System > Settings screen and click on Upload New Firmware. When the firmware is uploaded, a warning appears, saying that both units will be affected (see below).

 

 

 

3. After the firmware is uploaded we will get two new firmware options.  You will want to click on the boot icon for “Uploaded Firmware – NEW” (this choice preserves your existing settings during the upgrade).  You will get a second warning that the boot of the firmware will affect both units of the HA Pair.

 

4. The Backup unit will be the first unit to upgrade and will reboot automatically.  The Hardware Failover screen (or High Availability screen) shows the status of the Backup Unit as 'REBOOT.'

 

 

 

 5. The Backup is unavailable during its reboot.  The Hardware Failover screen (or High Availability screen) shows the status of the Backup Unit as 'NONE.'

 

 

6. After the Backup unit finishes loading the upgraded firmware, the Primary unit will undergo its upgrade and reboot, while traffic would pass through the Secondary unit.

 

7. The Primary unit is unavailable while it reboots.

 

8.  Because Preempt Mode is enabled, when the Primary unit comes back up, it becomes the active unit, and traffic again passes through the Primary unit.  The Backup unit moves to the idle state, as it was before the firmware upgrade.

 


 

Example B:

 Upgrading Firmware on a UTM High Availability Pair, when Stateful Synchronization is enabled (and Preempt Mode is disabled)

 1. Access the Sonicwall using the X0 IP [here: 10.10.10.95]

 

 2. When Stateful synchronization is enabled we cannot have Preempt mode enabled. When the firmware is uploaded, it will come up with a warning saying that both units will be affected (see below). 

3.  After the firmware is uploaded we will get two new firmware options.  You will want to click on the boot icon for “Uploaded Firmware – NEW” (this choice preserves your existing settings during the upgrade).

 

 4. The Backup unit will be the first unit to upgrade and will reboot automatically.  The Hardware Failover screen (or High Availability screen) shows the status of the Backup Unit as 'REBOOT.'

 

 

5. The Backup unit becomes unavailable when it restarts.

6. After the Backup unit finishes loading the upgraded firmware, the Primary unit will undergo its upgrade and reboot.  While the Primary unit is rebooting, traffic would pass through the Backup unit, which is now the active unit of the pair.

7. The Backup unit becomes ACTIVE and traffic between the internal network and the internet now would pass through it.  The Primary remains idle because Preempt cannot be enabled when the HA pair uses Stateful Synchronization.
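
To follow either upgrade from a LAN workstation instead of refreshing the GUI, the script below (an added example, not SonicWALL tooling) polls the two monitoring IPs and the shared X0 IP from this article and prints a line each time the pair moves to a new stage. It assumes the units answer ICMP echo on those addresses and that ping is the Linux iputils version; the function names and stage labels are made up for this example.

```shell
#!/bin/sh
# Added example: watch an HA pair's addresses during a firmware upgrade.
# Addresses are the ones used in this article; change them for your network.
PRIMARY_MON=10.10.10.96   # Primary unit monitoring IP (X0)
BACKUP_MON=10.10.10.97    # Backup unit monitoring IP (X0)
SHARED_X0=10.10.10.95     # X0 IP answered by whichever unit is active

# probe ADDR: prints "up" or "down".
# Assumption: the units reply to ping; -W is a timeout in seconds (iputils).
probe() {
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# classify_phase PRIMARY BACKUP SHARED: maps the three reachability results
# onto the stages of the upgrade sequence described in the steps above.
classify_phase() {
    case "$1/$2/$3" in
        up/up/up)    echo "both-units-up" ;;      # before, and after completion
        up/down/up)  echo "backup-rebooting" ;;   # Backup upgrades first
        down/up/up)  echo "primary-rebooting" ;;  # Backup is carrying traffic
        down/down/*) echo "units-unreachable" ;;  # neither monitoring IP answers
        */*/down)    echo "no-active-unit" ;;     # a unit is up, shared X0 is not
    esac
}

# watch_upgrade: poll every 2 seconds and log only the stage changes.
watch_upgrade() {
    last=""
    while :; do
        p=$(probe "$PRIMARY_MON")
        b=$(probe "$BACKUP_MON")
        s=$(probe "$SHARED_X0")
        phase=$(classify_phase "$p" "$b" "$s")
        if [ "$phase" != "$last" ]; then
            printf '%s %s\n' "$(date '+%H:%M:%S')" "$phase"
            last=$phase
        fi
        sleep 2
    done
}

# Run as: sh ha-watch.sh watch   (the file name is an example)
if [ "${1:-}" = "watch" ]; then
    watch_upgrade
fi
```

Reachability alone does not show which unit ended up active; confirm that with the "Logged Into:" indicator after browsing to 10.10.10.95.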